Alik Levin's

How To Generate Unit Test Using WCF Load Test – Quick Steps

alikl — Mon, 29 Jun 2009 09:13:31 GMT

This is quick summary of steps for creating WCF Unit Tests using WCF Load Test available for free on Codeplex. This quick summary created based on the Lab materials that ship with the tool.

Quick Resource Box

WCF Load Test

Summary of steps

Step 1. Configure message tracing in the app.config file on client side.
Step 2. Run WCF client to invoke the remote methods and generate trace file.
Step 3. Generate Unit test based on trace file.

Step 1. Configure message tracing in the app.config file on client side.

Select the Diagnostics folder.
Under Message Logging click Enable Message Logging.
Click Log Level and check Service messages. The other options can be unchecked.
Click ServiceModelMessageLoggingListener and change the file name to be “WCFClient.svclog”.
Under the Message Logging folder enable LogEntireMessage.
Save the configuration file.

Step 2. Run WCF client to invoke the remote methods and generate trace file.

Run your WCF client. Make sure WCFClient.svclog generated. This log file will be used in the next step to generate Unit Tests

Step 3. Generate Unit test based on trace file.

Create a new test project in Visual Studio.
Add a reference to the following assemblies:
- System.ServiceModel
- System.Runtime.Serialization (version 3.0.0.0)
In the directory containing the test project create a file called SampleConfig.xml with the following contents:

<?xml version='1.0' encoding='utf-8' ?>
<WcfUnitConfiguration xmlns='http://microsoft.com/wcfunit'
                           testMethodMode='ScenarioMethodOnly'
                           operationTimerMode='IncludeOperationTimers'>
       <assembly fileName="C:\Client\bin\Debug\ConsoleClient.exe"/>
     <soapActions soapActionMode='Include'>
     </soapActions>
</WcfUnitConfiguration>

Open an SDK command prompt and change the directory to the one containing the test project.
Execute the following command:
svcutil /o:proxy.cs /config:app.config http://localhost:8090/service?wsdl
Run the command-line tool using the following command:
“c:\program files\wcfunit\wcfunit” CompileTimeScenario <trace file> SampleConfig.xml where the <trace file> is the path to the WCFClient.svclog file created in the previous exercise.
Add generated files (CompileTimeScenario.cs and CompileTimeScenario.stubs) to the test project.
Rename CompileTimeScenario.stubs to CompileTimeScenario.Stubs.cs.
Also add the proxy.cs and app.config files located in the client project folder to the test project.
Build the solution and a Unit Test called CompileTimeScenario should appear in the Test View.

Architects UG: 16 Case Studies of ASP.NET Web Performance

alikl — Tue, 23 Jun 2009 22:38:44 GMT

Below is a slide deck for the talk I gave today on Architect UG. The presentation focused on 16 case studies of performance that is less than optimal. The session is focused on baking performance engineering into the development lifecycle.

Each case study has a link to the detailed walkthrough and relevant resources on how to improve performance.

Enjoy

Free Web Performance Tools From Microsoft, Google, Yahoo, And IBM

alikl — Thu, 11 Jun 2009 11:56:53 GMT

This post is a quick overview of free performance tools available from Microsoft, Yahoo, Google, and IBM. It also contains a pointers to related articles that go deeper regarding the best practices and how the tools can help in identifying compliance to the best practices.

Quick Resource Box:

Microsoft’s Fiddler (Performance Tuning with Fiddler)
Microsoft’s VRTA (12 Steps To Faster Web Pages With Visual Round Trip Analyzer)
Yahoo’s YSlow (rules for high performance web pages.)
IBM’s Page Detailer
Google’s Page Speed (Web Performance Best Practices)

Microsoft’s Fiddler

Fiddler is a free web performance tool, it is not really a property of Microsoft rather a side project by Eric Lawrence, a PM with Microsoft. I used Fiddler for both security testing and now for performance. I love it a lot. Must mention it requires Net Fx 2.0 as a prerequisite so it is limited to Windows OS. Recently Eric added support to Firefox – Fiddler Hook For Firefox, so the tool is great for both IE and FF. My related posts:

Microsoft’s VRTA

VRTA is a free web performance tool and it stands for Visual Round Trip Analyzer created by Microsoft’s Jim Pierson and used internally for sometime. It was made available for public use during last PDC 2008. Jim has written very detailed article about the tool and how it solves performance problems - 12 Steps To Faster Web Pages With Visual Round Trip Analyzer. VRTA installs and uses under the hood free Microsoft Network Monitor (Netmon) to capture and analyze network captures.

Yahoo’s YSlow

YSlow is a free performance analysis tool created by Steve Souders when he was with Yahoo. Steve created another good tool called Cuzilion. YSlowl comes with extremely good set of performance guidance that can be found here - rules for high performance web pages. YSlow requires Firebug as a prerequisite, meaning it is restricted to Firefox only.

IBM’s Page Detailer

Page Detailer is a free web performance tool from IBM. I was not able to identify any good articles that cover it – if you share with me please, or better off publish one. It does not have any prerequisites, consider it as an advantage.

Google’s Page Speed

Recently I stumbled on Page Speed from Google. It reminds me a Yahoo’s YSlow lot that makes me believe it comes from Steve Souders that works now for Google. It also requires Firebug as a prerequisite and works with FireFox only. It comes with nice guidance found here - Web Performance Best Practices. Must admit – I adore the concept of the tool although in most cases I cannot use it as I work for customers that IE is their target browser. Nevertheless the guidance is tool agnostic and I recommend bookmarking it for quick reference.

High Level Digest On Windows Azure Services Platform

alikl — Mon, 01 Jun 2009 09:52:12 GMT

I was reading a white paper called An Introduction to Microsoft .NET Services for Developers while taking few quick notes. The notes might be beneficial to those who wants to quickly get an idea what Windows Azure is. Here is what I have captured:

Azure – Windows in the cloud, software and data stored and running in Microsoft owned data servers.
.Net Services platform consists of the following building blocks:

Windows Azure:

Hosted in MS data centers.
Allows creating deploying, scaling, managing, distributing application and services in Internet.

Business benefits - shields you from costs related to

Provisioning,
Configuring,
…and Managing physical servers and the software running on them

Windows® Azure storage services are designed to be very simple and highly scalable:

BLOB storage, queue storage, and simple table storage,
but it doesn’t provide the capabilities of a relational database (Microsoft® SQL Services does offer all these)

Microsoft® .NET Services

.NET developer-oriented services and a software development kit (SDK) for building .NET applications to run in the cloud.
Based on industry standard protocols - REST, SOAP, and WS-*

Microsoft® SQL Services

Set of data-oriented services designed to extend the capabilities SQL Server into the cloud.
Microsoft® SQL Data Services (SDS), which offers full relational database capabilities.

Live Services provides a set of user-centric services focused primarily on social applications and experiences:

Mesh Services
Identity Services
Directory Services
User-Data Storage Services
Communication and Presence Services
Search Services, and Geospatial Services
Embraces REST, Atom, and AtomPub

Domain-specific service offerings

Microsoft® SharePoint Services
Microsoft® Dynamics CRM Services

Using Windows Azure:

Register at www.azure.com
Download SDK

Microsoft Certified Architect (MCA) - Preparing Your Competency Document Video Distilled

alikl — Wed, 27 May 2009 18:56:00 GMT

Preparing Your Competency Document video goes briefly about the documents the you should submit as a candidate for Microsoft Certified Architect (MCA) program. Below are the notes I have take while watching the video.

Technical depth has least weight
MCA is technology agnostic program.
Architect needs to have technical depth in some area of his choice.
Architect needs to have the broad knowledge of the existing technologies on the market.
Architect must be able to answer the question “Are you able to invest the budget smart?”
The documents should reflect you are familiar with organization dynamics – crisis, politics, dealing with tension, etc.
Reflect on your role as a leader – what was the impact of your work? How many followed you?
Reflect on how you build your succession.
Reflect on your mentoring strategies and how many you mentored.
Reflect on your communication skills – you are tested for it during the presentation, when reading your docs, and during open question part.
Reflect on how you communicate with peers and people inside you projects.
Reflect on methodologies you used to organize the project.
Show you are able to communicate in common language – do not reinvent the toolbox to each project.
Reflect on your strategy skills– strategic decision making, strategic thinking, being able make decision, shape decision, suggest decision to leadership based on trends in industry.

Resources

Microsoft Certified Architect (MCA) - Preparing For The Review Board Interview Video Distilled

alikl — Tue, 26 May 2009 21:51:00 GMT

Review board interview is the critical part of the MCA certification program. It is discussed in the Preparing for the Review Board Interview video. Below are the notes I have taken when I watched the video.

Key to success is no different of any other interview.
Before interview you should make yourself very familiar with the documents you submitted (resume, case study, presentation, skills template, etc).
You should be well prepared for presentation.
Ensure presentation compliments the submitted materials/documents.
Practice the presentation.
Familiarize with competencies – show you mastered it.
The interview conducted by 7 people – practice and rehearse with friend, instruct them to make it hard for you, not harsh but be a tough crowd.
Ask to provide feedback.
When you asked a question you do not know the answer – say you do not know it, do not try to make up the answer, chances one of the board members knows it well and you might only make it worse.
Ask clarifying questions.
Do not ramble – time is precious.
Relax – watch the videos, should not be anything new to you.

Resources

Microsoft Certified Architect (MCA) Review Board Interview Video Distilled

alikl — Mon, 25 May 2009 18:55:00 GMT

I was watching MCA Review Board Interview video as part of my preparation to the MCA program. Following are the notes I have taken while watching the video:

Review process conducted quarterly.
The board of 7 members reviews 13 candidates during a week.
3 hours per candidate
The process:
- 10 minutes for set up.
- Introductions.
- 30 minutes presentation to the board.
- Candidate shows the 7 skills throughout the presentation.
- During 30 minutes of the presentation it is candidate’s prime time, only interrupted for clarifying. Generally no interruptions.
- Show 7 competencies.
- 10 minutes for each member of the board to ask questions.
- Precision technique questions methods – expect to be cut off.
- 5 minutes break – candidate leave the room – the board discusses what they saw and what they did not.
- 10 minutes Q&A – wide open questions.
- 5 minutes for closing remarks – candidate may say thanks or add whatever he likes.
- Done
Members go through process of determining whether the candidate deserves MCA – thumbs up/down, giving each competencies “does not meet”, “meets” or “exceeds” mark.
The board shares general impressions and notes taken during 2 hours review process.
The board makes recommendations – provide feedback to the candidate where he can improve.
Final vote, thumbs up/down.
3 members must give thumbs up to achieve the MCA certification.
The candidate should expect an email after two weeks with the decision on his performance during the review.

Resources

Hollywood's Project Management System

alikl — Fri, 01 May 2009 10:51:21 GMT

What if I tell you there is a project management system that works? By "works" I mean it helps completing projects on time, on budget, on spec. No more 2% slip. Think such system does not exist? It does exist in Hollywood. Not in the movies. The system is wide spread across major film studios. In his book, Hollywood Secrets of Project Management Success, James R. Persse covers Hollywood's approach to successful project management. The main ingredients are:

Consistency. "Consistency of vision, a common agreement, reached through communications and reviews, regarding the purpose, scope, and tone of the project".
Predictability. "The system defines a present work flow that can be mapped out, planned, and followed, thereby ensuring that essential work phases are not skipped and critical milestones are not missed or ignored."
Accountability. "Slipping 10 percent over budget is a $6 million slip, so it's helpful to know who did the slipping and why. The system, build accountability into every phase of production. The production system pays very close attention to job descriptions."
Communications. "… it promotes communications – both informal, casual communications and formal binding communication. Producing, at its heart, is a communications job."
Trackability. "… the system promotes regular and deep-reaching measures of progress. This process tracking begins on day 1 and does not end until the lid of the can of the final cut is taped shut."

Hmm... seems nothing revolutionary to me. If so, then why IT projects always slip? They slip massively in all dimensions – scope, budget, time. May be because project management skills are not that valued? May be project manager (director) must be a super star for the whole project to be succesful? I cannot find another explanation to such phenomena. BTW, next time you finish watching a movie pay close attention to titles running in the end. Usually director of the movie comes before the movie star. Why is it so?

Persse cites Bill Fay, President of Production with Legendary Pictures, as he comments on the fact that IT projects often slip 100% in budget and time, - "That wouldn't fly in this business… no able producer or competent production team would ever allow project to drift so far off base."

Is you project manager a super star? Are you set to produce the next block buster?

Read Hollywood Secrets of Project Management Success to help you produce the next IT mega hit.

My related posts

- Is Your Project Going To Fail?

Understanding ASP.NET MVC Code (For Aspiring Architects) - #3

alikl — Mon, 06 Apr 2009 11:52:56 GMT

This post is a digest of the Understanding Models, Views, and Controllers (C#). It helps to quickly understand the generated code when creating ASP.NET MVC project in Visual Studio.

Resources

Understanding Models, Views, and Controllers (C#).

ASP.NET MVC Project in Visual Studio

Three folders created: Models, Views (ASPX pages sit here), Controllers
Urls are SEO friendly (/Home/About)
No direct correspondence between URL and the page.

Routing

Requests mapped to Controller's actions

ASP.NET Web Forms are content centric

ASP.NET MVC is logic centric

ASP.NET Routing maps request to action.

Routing is registered in Global.asax

Controllers

Controls user interaction (flow) with ASP.NET MVC application.
Derive from Controller class.
Exposes actions that can return ActionResult.
Any public method is action (WARNING: can be invoked freely via URL).
A controller should only contain the bare minimum of logic required to return the right view or redirect the user to another action (flow control).

Views

Create folders by Controllers names.
Create sub-folders to reflect views that Controller handles.
View is ASPX page that inherits from System.Web.Mvc.ViewPage
View should contain only logic related to generating the user interface.

Models

An MVC model contains all of your application logic that is not contained in a view or a controller.

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer

How ASP.NET MVC Works (For Aspiring Architects) - #2

alikl — Thu, 02 Apr 2009 11:05:39 GMT

This post briefly describes ASP.NET MVC request processing model. It is digested and based on Understanding the MVC Application Execution Process (MSDN)

Resources

ASP.NET MVC Execution Process

Stage	Details
Receive first request for the application	In the Global.asax file, Route objects are added to the RouteTable object. void Application_Start(object sender, EventArgs e) { RegisterRoutes(RouteTable.Routes); } public static void RegisterRoutes(RouteCollection routes) { routes.Add(new Route ( "Category/{action}/{categoryName}" , new CategoryRouteHandler() )); }
Perform routing	The UrlRoutingModule module uses the first matching Route object in the RouteTable collection to create the RouteData object, which it then uses to create a RequestContext object.
Create MVC request handler	The MvcRouteHandler object creates an instance of the MvcHandler class and passes the RequestContext instance to the handler.
Create controller	The MvcHandler object uses the RequestContext instance to identify the IControllerFactory object (typically an instance of the DefaultControllerFactory class) to create the controller instance with.
Execute controller	The MvcHandler instance calls the controller's Execute method.
Invoke action	For controllers that inherit from the ControllerBase class, the ControllerActionInvoker object that is associated with the controller determines which action method of the controller class to call, and then calls that method.
Execute result	The action method receives user input, prepares the appropriate response data, and then executes the result by returning a result type. The built-in result types that can be executed include the following: ViewResult (which renders a view and is the most-often used result type), RedirectToRouteResult, RedirectResult, ContentResult, JsonResult, FileResult, and EmptyResult.

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer

ASP.NET MVC For Aspiring Architects - #1

alikl — Tue, 31 Mar 2009 10:37:57 GMT

Is ASP.NET MVC more than just new cool technology? What advantages it brings over ASP.NET Web Forms? When should I use ASP.NET MVC and when ASP.NET Web Forms? How do I MVC this and MVC that?

Resources

This the first post in series of posts that should help me as an architect to answer these questions. It is based on and digested from ASP.NET MVC Overview.

ASP.NET MVC Overview

The Model-View-Controller (MVC) architectural pattern separates an application into three main components: the model, the view, and the controller.

Models. Model objects are the parts of the application that implement the logic for the application's data domain.

Views. Views are the components that display the application's user interface (UI).

Controllers. Controllers are the components that handle user interaction, work with the model, and ultimately select a view to render that displays UI.

Advantages of an MVC-Based Web Application

It makes it easier to manage complexity by dividing an application into the model, the view, and the controller.
It does not use view state or server-based forms.
It uses a Front Controller pattern that processes Web application requests through a single controller.
It provides better support for test-driven development (TDD).
It works well for Web applications that are supported by large teams of developers and Web designers who need a high degree of control over the application behavior.

Advantages of a Web Forms-Based Web Application

It supports an event model that preserves state over HTTP, which benefits line-of-business Web application development.
It uses a Page Controller pattern that adds functionality to individual pages.
It uses view state or server-based forms.
It works well for small teams of Web developers and designers who want to take advantage of the large number of components available for rapid application development.
In general, it is less complex for application development, because the components (the Page class, controls, and so on) are tightly integrated and usually require less code than the MVC model.

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer

ASP.NET Security Architecture Cheat Sheet For Very Busy Architects

alikl — Thu, 19 Mar 2009 12:20:30 GMT

You are an architect. You are sitting in your fancy office thinking about cloud computing and about the higher ground stuff. Suddenly the phone rings, it's your current project manager. "Quick! Come over here, we have a meeting with security department, they have tons of questions and I do not have a clue what they want from me! Our project must ship on time,

by erik ERXON

we cannot afford postponing it anymore. It's your show time, dude, Save me!" - ...."Ehm... OK... I am coming...". You hang up the phone, scratch your head and... take the below cheat sheet with you on your way to the meeting.

Application Security Meeting

From my experience application security meetings are usually hard to manage since the participants do not share common language. Security guys come from infrastructure background and developers usually ... just hate security. There is a communication gap that results in antagonism prolonging the problem instead of solving it. There is the need for common language that everyone understands. The cheat sheet below helped me many times to establish the common ground for fruitful discussion. It is based on JD Meier's epic works:

Have fun.

The Cheat Sheet

Architecture and Design Issues for Web Applications

Building Secure Assemblies

The main threats are:

Unauthorized access or privilege elevation, or both
Code injection
Information disclosure
Tampering

Building Secure ASP.NET Pages and Controls

The main threats are:

Code injection
Session hijacking
Identity spoofing
Parameter manipulation
Network eavesdropping
Information disclosure

Building Secure Serviced Components

The main threats are:

Network eavesdropping
Unauthorized access
Unconstrained delegation
Disclosure of configuration data
Repudiation

Building Secure Web Services

The main threats are:

Unauthorized access
Parameter manipulation
Network eavesdropping
Disclosure of configuration data
Message replay

Building Secure Remoted Components

The main threats are:

Unauthorized access
Network eavesdropping
Parameter manipulation
Serialization

Building Secure Data Access

The main threats are:

SQL injection
Disclosure of configuration data
Disclosure of sensitive application data
Disclosure of database schema and connection details
Unauthorized access
Network eavesdropping

Complimentary questionnaire

Identify threats

Identify vulnerabilities

Common Vulnerabilities

Authentication

· How could an attacker spoof identity?

· How could an attacker gain access to the credential store?

· How could an attacker mount a dictionary attack? How are your user's credentials stored and what password policies are enforced?

· How can an attacker modify, intercept, or bypass your user's credential reset mechanism?

· Are user names and passwords sent in clear text over an unprotected channel? Is any ad hoc cryptography used for sensitive information?

· Are credentials stored? If they are stored, how are they stored and protected?

· Do you enforce strong passwords? What other password policies are enforced?

· How are credentials verified?

· How is the authenticated user identified after the initial logon?

· Passing authentication credentials or authentication cookies over unencrypted network links, which can lead to credential capture or session hijacking

· Using weak password and account policies, which can lead to unauthorized access

· Mixing personalization with authentication

Authorization

· How could an attacker influence authorization checks to gain access to privileged operations?

· How could an attacker elevate privileges?

· What access controls are used at the entry points of the application?

· Does your application use roles? If it uses roles, are they sufficiently granular for access control and auditing purposes?

· Does your authorization code fail securely and grant access only upon successful confirmation of credentials?

· Do you restrict access to system resources?

· Do you restrict database access?

· How is authorization enforced at the database?

· Using over-privileged roles and accounts

· Failing to provide sufficient role granularity

· Failing to restrict system resources to particular application identities

Input and Data Validation

· How could an attacker inject SQL commands?

· How could an attacker perform a cross-site scripting attack?

· How could an attacker bypass input validation?

· How could an attacker send invalid input to influence security logic on the server?

· How could an attacker send malformed input to crash the application?

· Is all input data validated?

· Do you validate for length, range, format, and type?

· Do you rely on client-side validation?

· Could an attacker inject commands or malicious data into the application?

· Do you trust data you write out to Web pages, or do you need to HTML-encode it to help prevent cross-site scripting attacks?

· Do you validate input before using it in SQL statements to help prevent SQL injection?

· Is data validated at the recipient entry point as it is passed between separate trust boundaries?

· Can you trust data in the database?

· Do you accept input file names, URLs, or user names? Have you addressed canonicalization issues?

· Relying exclusively on client-side validation

· Using a deny approach instead of allow for filtering input

· Writing data you did not validate out to Web pages

· Using input you did not validate to generate SQL queries

· Using insecure data access coding techniques, which can increase the threat posed by SQL injection

· Using input file names, URLs, or user names for security decisions

Configuration Management

· How could an attacker gain access to administration functionality?

· How could an attacker gain access to your application's configuration data?

· How do you protect remote administration interfaces?

· Do you protect configuration stores?

· Do you encrypt sensitive configuration data?

· Do you separate administrator privileges?

· Do you use least privileged process and service accounts?

· Storing configuration secrets, such as connection strings and service account credentials, in clear text

· Failing to protect the configuration management aspects of your application, including administration interfaces

· Using over-privileged process accounts and service accounts

Sensitive Data

· Where and how does your application store sensitive data?

· When and where is sensitive data passed across a network?

· How could an attacker view sensitive data?

· How could an attacker manipulate sensitive data?

· Do you store secrets in persistent stores?

· How do you store sensitive data?

· Do you store secrets in memory?

· Do you pass sensitive data over the network?

· Do you log sensitive data?

· Storing secrets when you do not need to store them

· Storing secrets in code

· Storing secrets in clear text

· Passing sensitive data in clear text over networks

Session Management

· Do you use a custom encryption algorithm, and do you trust the algorithm?

· How could an attacker hijack a session?

· How could an attacker view or manipulate another user's session state?

· How are session cookies generated?

· How are session identifiers exchanged?

· How is session state protected as it crosses the network?

· How is session state protected to prevent session hijacking?

· How is the session state store protected?

· Do you restrict session lifetime?

· How does the application authenticate with the session store?

· Are credentials passed over the network and are they maintained by the application? If they are, how are they protected?

· Passing session identifiers over unencrypted channels

· Prolonged session lifetime

· Insecure session state stores

· Session identifiers in query strings

Cryptography

· What would it take for an attacker to crack your encryption?

· How could an attacker obtain access to encryption keys?

· Which cryptographic standards are you using? What, if any, are the known attacks on these standards?

· Are you creating your own cryptography?

· How does your deployment topology potentially impact your choice of encryption methods?

· What algorithms and cryptographic techniques are used?

· Do you use custom encryption algorithms?

· Why do you use particular algorithms?

· How long are encryption keys, and how are they protected?

· How often are keys recycled?

· How are encryption keys distributed?

· Using custom cryptography

· Using the wrong algorithm or a key size that is too small

· Failing to protect encryption keys

· Using the same key for a prolonged period of time

Parameter Manipulation

· How could an attacker manipulate parameters to influence security logic on the server?

· How could an attacker manipulate sensitive parameter data?

· Do you validate all input parameters?

· Do you validate all parameters in form fields, view state, cookie data, and HTTP headers?

· Do you pass sensitive data in parameters?

· Does the application detect tampered parameters?

· Failing to validate all input parameters. This makes your application susceptible to denial of service attacks and code injection attacks, including SQL injection and XSS.

· Including sensitive data in unencrypted cookies. Cookie data can be changed at the client or it can be captured and changed as it is passed over the network.

· Including sensitive data in query strings and form fields. Query strings and form fields are easily changed on the client.

· Trusting HTTP header information. This information is easily changed on the client.

Exception Management

· How could an attacker crash the application?

· How could an attacker gain useful exception details?

· How does the application handle error conditions?

· Are exceptions ever allowed to propagate back to the client?

· What type of data is included in exception messages?

· Do you reveal too much information to the client?

· Where do you log exception details? Are the log files secure?

· Failing to validate all input parameters

· Revealing too much information to the client

Auditing and Logging

· How could an attacker cover his or her tracks?

· How can you prove that an attacker (or legitimate user) performed specific actions?

· Have you identified key activities to audit?

· Does your application audit activity across all layers and servers?

· How are log files protected?

· Failing to audit failed logons

· Failing to protect audit files

· Failing to audit across application layers and servers

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer

Things You Know Now

alikl — Tue, 17 Mar 2009 01:08:34 GMT

Jimmy May, aspiring geek and part time editor in chief for www.PracticeThis.com tagged me for Things You Know Now. The idea behind all this is sharing the lessons learned at hard knock school of life. Or in other words it is about what would I do differently if I had a chance to rewind. Here is my take.

by www.wordle.net

Things I Know Now

Value time. Time is the scarcest resource of all. Vlaue it the most. You'll be amazed how much time can be actually created out of thin air...

Time Is Not Money. Time Is Budget.

Let some balls drop, prioritize. Focus on stuff that matters, ignore the rest.

Prioritize What You Do – Steven Covey Way [The Way That Works].

Invest in your strengths not in your weaknesses. Helps building your brand, helps you to stand out, helps you to be you, a better you, the best.

Find Your Strengths, Know Your Life Purpose

Create your brand. I first heard about it from Kevin. Kevin is successful professional and entrepreneur. I adopted his advice wholeheartedly. I am a big fan of modeling the best.

3 Simple Rules To Become The World’s Greatest Brand [Plus Self Check].

The wider your spread the thinner it gets. This one I learned from Gerald M. Weinberg from his book - Secrets of Consulting: A Guide to Giving and Getting Advice Successfully. The thinner you get the less customers want you.

3 Things Customers Really Want

Build your network. Is not it proven pattern these days, eh? Look at the social revolution all around us - Facebook, Twitter and many more. Pick the brain of the network, become the next greatest mind.

Become The Next Great Mind - Now

Practice Emotional Intelligence. "Emotion Is Your Enemy" – coach John Wooden.

Emotional Intelligence - Core Skills

Become a consultant. Like challenges? Hate cubicles and 9-5 thing?

Consulting - What’s The Deal?

I tag MCS IL team and ACE team blogs. These teams are my most significant source of insights and continuous learning.

What are the Things You Know Now?

This post is made with PracticeThis.com plugin for Windows Live Writer

Distributed Architecture Drawbacks Revealed By Netmon(Bonus - TDS Parser Goes Public)

alikl — Fri, 13 Mar 2009 12:02:49 GMT

Distributed architecture can mercilessly backfire at you. In my case flexible architecture, elegant design patterns, and smart code led to abuse of the flexibility, resulting in very poor performance. Free Microsoft Network Monitor (Netmon) helped to identify the root cause of the

by striatic

performance hit. It showed that over-distributed-ness can cost you in terms of performance.

Customer Case Study

The customer complained about poor response times in his web application. The application's architecture was similar to the Web Application Archetype. Notice Services Agent box that connects your application to downstream services? Our assumption was that the services agents are too chatty causing the performance hit. Netmon only made it clear.

Analysis

We took captures on the application server where the Server Agents are to identify what other downstream servers are accessed. In no time we get very clear picture - the application server was accessing other three downstream resources:

There are two well known ports - 443 and 1433 - so we could safely assume there is communication over SSL/HTTPS and SQL Server. The other one - 1414 - turned out to be MQ.

Next step was to identify which one of the conversations is causing us troubles the most - either by chatty communication or by just long running transaction.

Looking at Time Delta column for HTTPS stateless communications we found nothing exciting regarding the latency:

For MQ communications we used magic ContainsBin(FrameData, 0,"StringToFindGoesHere") to identify XML messages going back and forth over MQ transport. For example, to find the beginning of the XML message we used the following filter:

Similar technique was used to correlate request and response XML messages.

To identify SQL communication we used shiny new TDS parser available for free download on Codeplex - SQL Parser in Latest CodePlex Package. I particularly like this one, it shows SQL Server communication without using SQL Server Profiler:

Conclusion

Lessons learned:

Distributed Architecture can mercilessly backfire at you by its distributed-ness. Use Distributed architecture to solve problems vs introducing new ones.
Elegant and flexible design can be abused resulting in poor performance. Review code to avoid the abuse.
Low level network monitoring tools such as Netmon can quickly reveal over-distributed-ness. Use it! It is free.

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer

WinDBG Walkthrough - Dump Values Of DataSet or DataTable

alikl — Mon, 09 Mar 2009 09:44:02 GMT

This walkthrough is completely based on Johan's post WinDBG+SOS: Getting at the values in a DataTable. I have created this one to help me do the job in straightforward way next time I hit similar problem. Joan also offers few scripts for process automation - recommended.

by glennharper

Customer Case Study

The customer complained about potential memory leak. Following the procedure described in Identifying Memory Leak With Process Explorer And Windbg we realized that we are dealing with static variable that grows in unlimited way. This assumption is based on the fact that after running !gcroot on the leaking type we get the following:

HANDLE(Strong):23b1cd0:Root:0x12571730.....

After reviewing Tess' .NET Debugging Demos Lab 7: Memory Leak - Review we found the following which made us believe we are dealing with static variable:

DOMAIN(001CCE68):HANDLE(Strong) - Strong reference, Typically a static variable

To identify what this static variable is we needed to dump its values. The variable was a DataTable. I have not found a straightforward way of dumping contents of DataTable. This is the walkthrough that does the job.

Summary of steps

Step 1. Dump DataTables
Step 2. Dump DataTable
Step 3. Dump columnCollection
Step 4. Dump list object
Step 5. Dump raw memory - dd command
Step 6. Dump DataColumn
Step 7. Dump storage
Step 8. Dump values
Step 9. Bonus - automation

Step 1. Dump DataTables

The objective of this step is identify all DataTable object and pick the one of the interest

0:000> !dumpdatatables
DataTable       Rows    Columns    DataSet nextRowID ColumnCount
-----------------------------------------------------------------------------------------------
0x024dc948 0x024dcbc8 0x024dcdec 0x064f2400         1         2
0x025156b8 0x02515938 0x02515b5c 0x02515478         1         7
...

0x0e5b9ce4 0x0e5b9f64 0x0e5ba138 0x0e55a338       428         5
0x06510e54 0x065110d4 0x065112a8 0x064f2400     1,359         7
0x0e5778f0 0x0e577b70 0x0e577d44 0x0e55a338     1,359         7
0x0a55d270 0x0a55d4f0 0x0a55d6c4 0x06a62620 4,194,305        10
Total 61 DataTable objects

Step 2. Dump DataTable

The objective of this step is identifying the address of columnCollection of the DataTable.

0:000> !do 0x0a55d270
Name: System.Data.DataTable
...
0x176c1560 0x40003f2 0x18 CLASS instance 0x0a55d6c4 columnCollection
...

Step 3. Dump columnCollection

The objective of this step is identifying the address of list object of the columnCollection.

0:000> !do 0x0a55d6c4
Name: System.Data.DataColumnCollection
...
0x176c5ffc 0x4000377 0x8 CLASS instance 0x0a55d6f8 list
...

Step 4. Dump list object

The objective of this step is identifying the address of _items object.

0:000> !do 0x0a55d6f8
Name: System.Collections.ArrayList
...
0x79ba75ec 0x4000362 0x4 CLASS instance 0x0a55d710 _items
...

Step 5. Dump raw memory - dd command

The objective of this step is identifying addresses of DataColumn objects.

0:000> dd 0x0a55d710
0a55d710 01e5209c 00000010 79b92eec 0a55d854
0a55d720 0a55d8d4 0a55d954 0a55d9d4 0a55da54
0a55d730 0a55dad4 0a55db54 0a55dbd4 0a55dd74

Step 6. Dump DataColumn

The objective of this step is identifying the address of storage object.

!do 0a55d854
Name: System.Data.DataColumn
...
0x176c69e8 0x400036b 0x48 CLASS instance 0x0a55df40 storage
...

Step 7. Dump storage

The objective of this step is identifying address of value object.

0:000> !do 0x0a55df40
Name: System.Data.Common.Int32Storage
...
0x176ecc8c 0x4000729 0x10 CLASS instance 0x4dbd0030 values
...

Step 8. Dump values

The objective of this step is dumping the actual values, finally...

0:000> !do 0x4dbd0030
Name: System.Int32[]
...
Content: 8,388,608 items

Ouch, it is array.... !do -v will dump its values, but I am afraid it is not a good idea doing it for 8 million items here ;)

Step 9. Bonus - automation

The objective of this step is automate the process of dumping values (Step 8):

Create a text file named dumparray and save it in WinDBG directory. The contents of the file are:
- .foreach ( o { !do ${$arg1} -v -short }) { !do ${o} }
Run the following command in WinDBG to dump the values of the array
- $$>a< dumparray 0x4dbd0030

Related Materials

This post is made with PracticeThis.com plugin for Windows Live Writer