Alik Levin's : Practices

Consulting And Security Reviews - How To Get Everyone Onboard

alikl — Mon, 24 Nov 2008 21:56:40 GMT

Security reviews are a respected methodology. People know about them, and probably use them semi-regularly. Ask anyone if security reviews are important, and they would all say yes. Ask them if they do it regularly, and most would say no.

Related Materials

This post discusses the obstacles to implementing security reviews and the secrets to holding effective and successful regular security reviews.

Who’s Involved and What Motivates Them?

Suppose a large enterprise, Contoso Banking, is building its next generation Internet facing web site. Who’s involved and what motivates them?

Project sponsor. The project sponsor wants to ship the project to the end user’s requirements.
Project manager. The project manager wants to ship the project on budget and on time.
Development manager. The development manager wants to ship working version with less bugs as possible.
Architect. The architect wants to create cutting edge architecture with some new technology TLA’s (three letter acronyms).
Development Lead. The development team lead wants to build designs to proven patterns and practices saving on dev management costs.
Developers. The developers want to build the feature and hit code complete mark.
Systems engineers. The IT system engineers want to support bug free systems that do not require maintenance (or as less as possible).

Who Cares About Security?

Now, who cares about security of the project?

Common sense tells us security is the domain of the security guy’s, say, the Chief Security Officer.

Consider the following (not uncommon) scenario. The Chief Security Officer tells the team that the system needs to support two factor authentication due to regulatory compliance. That would usually result into the following reactions:

Project sponsor will need to tell the customers that web access won’t be as smooth as planned, since they will need to carry smart cards. End users usually get upset with such news. So the project sponsor is unhappy.

Project manager understands that with such requirement she will never ship it neither on budget nor on time.

Development manager freaks out imagining how many more bugs this requirement brings in.

Development team lead after quick search on the web finds designs that require special skills, tools, and methodologies. More sleepless nights ahead.

Developer never used crypto in any of her projects and now she needs serious ramp up on this cryptic topic. She is seriously considering moving on to a better project.

A Proven Pattern for Security Participation

Let’s ask who cares about security once more? All of the project participants suddenly care, but most of them are not pleased with the security focus. Working with my customers I found a proven pattern to get everyone onboard with security. The pattern can be boiled down to the following principles:

Speak the language people understand.
Understand motivations of the team.
Optimize security according to the context.
Be consistent.
Be effective.

Speak the language people understand

This might sound funny but what I witness in the field is that people speak different languages, they might all speak their native English, Hebrew, or Russian, but in the end, even when communicating with the same language, no one understands each other. Consider another example, the unexpected security defect.

Tackling the unexpected security defect

Suppose the security tester proudly presents a Cross Site Scripting vulnerability to senior project stakeholders. It goes like this:

- “I found Cross Site Scripting vulnerability in your web site”, - Security Tester happily announces.

- “So?...”, – Project Sponsor asks honestly.

- “So?!?!, Let me repeat what I just said – I found Cross Site Scripting vulnerability in OUR web site”, - Security Tester repeats honestly confused.

- “So?.....”, - Project Sponsor asks even more confused.

And it goes on and on. Until Project Sponsor asks simple question about the subject he really cares

- “How are the end users affected?”.

- “Their identities can be stolen and abused” – Security Tester explains with huge relief.

- “Oh my!!”, - now Project Sponsor understands the severity of the issue, then he continues – “What should be done to mitigate this?”

- “You need rewrite all web pages, with the right encoding, depending on where the data appears in the HTML output” – answers the Security Tester.

The Project Manager comes to life, he understands that he is not going to hit the deadline. He looks at Development Lead asking him silently with his rolling eyes:

- “How long will it take?”

- “Well.. we need to extend the schedule by… 3 months as our developers are not that proficient with such code”, - the Development Lead answers.

Everyone is upset. Security Tester comes to the rescue:

- “Let me suggest the following. You run this simple search and find all occurrences of the issue, and use a common library to make the encoding a simple one line fix in each case”

Project Manager sees the light in the end of the tunnel. In the end he might hit the deadline.

Speak the language that people understand.

"No matter how it looks at first, it's always a people problem." - The Second Law Of Consulting by Gerald M. Weinberg

Optimize security according to the context (what’s-in-it-for-me in action)

Security means different things to different roles. Understand motivations and show what’s in it for me to each one to make everyone buy in.

Project sponsor sees security as the main reason to make end user happy or unhappy. Show how a security bug can reveal the end user’s information. Show how security feature alienates end users. Show how security feature actually brings in more end users.
Project manager sees security feature as the main reason to not hit the deadline or as a reasons for extra expenses. Show how to easily implement security fixes, show how not implementing the fix will bring even more expenses and result in missing the deadline.
Development manager does not see security vulnerabilities as bugs. Show him or her sample penetration testing report that looks very familiar to the bug reports. Such reports usually get the project from staging environment back to the development to fix the vulnerabilities.
Development team lead cares to build proven designs. Point him or her to patterns & practices web site where the proven designs live. Save time and use proven practices. Make the development team leader a hero.
IT System Engineer sees security as more incident calls, more sleepless nights as a result of incident management. Show IT System Engineer how fixing the security bug reduces incident management burden.
Developer hates security. The code is tricky and the fixes are always urgent. Show Developer that security is actually very simple and can be easily implemented like this.

Be consistent

Consistency is the foundation of effectiveness, which will be discussed later on. Frames of core principles help a lot to be consistent. I found Security Frame very useful. It guides me and the rest of the involved parties, Project Sponsor, Project Manager, Development Manager, Development Team Lead, Developer. It creates a common language that everyone understands. Notice how the Security Frame can be used either for Threats that are relevant to Project Sponsor or for Countermeasures that are relevant to Development Force and more Technical audience.

Be effective

If you speak common a language, you get everyone to buy in. It is show time, time to deliver.

How do your effectively create security requirements document?
How do your effectively build secure architecture and designs or inspect those that others created?
How do you effectively guide developers for security?
How do you effectively conduct security code reviews and deployment inspections?

The answer is simple; you follow proven patterns and practices. Fortunately, patterns & practices PAG team, led by J.D. Meier, has built fantastic tool, Guidance Explorer that maintains more than 3,500 easily consumable items on security, performance, and Visual Studio topics. J.D. also maintains his SecurityGuidanceShare.com wiki where he chunks the guidance in more consumable way. Guidance Explorer allows quick searches, direct access to the information according to Security Frame. But two features that bring me effectiveness is its ability to create Word documents and ability to be consumed via any RSS reader.

Practices

Apply proven practices. Avoid approaches that do not work. Do more in less time.

The highest return on investment is achieved when security activities match specific phase of the development lifecycle. These activities must produce results that are relevant to key personas of the phase.

The following table summarizes personas and focused deliverables according to development lifecycle:

Phase	Key Persona	Activity	Deliverable
Envision and requirements gathering	Project Sponsor	Security requirements discussed Helpful resources: - STRIDE Explained - Visualizing – use Hello Secure World - Use Guidance Explorer to effectively build more technical requirements.	Key stake holders buy in for Security. Best result achieved when key project member send out an email to the whole team
Architecture and Design	Architect, Development Leads	Compile Security Design Guidance. Conduct Threat Modeling using Threat Modeling Template Use Guidance Explorer to quickly build guidance and inspection documents.	Threats identified and prioritized.
Coding/Building	Developers	Cannibalize ASP.NET 2.0 Internet Security Reference Implementation to effectively write more secure code – it is endless source of proven Security Code nuggets Bookmark ASP.NET 2.0 FAQs to address security question during the development Conduct effective Security Code Review asking questions from Security Question List: ASP.NET 2.0	Security bug list including priorities and how-to’s for fixtures.
Deployment, Stabilizing	IT System Administrators	Stream line security deployment inspection using this step-by-step guide	Security deployment bug list including priorities and how-to’s for fixtures.

Driving for effective security reviews

Ideally all these activities should be conducted throughout the whole development lifecycle. In the real world projects this happens rarely. Nevertheless, effective security inspection techniques prove that security bar can be constantly raised. One thing to keep in mind that security bugs can be revealed at any development phase but the cost of fixture climbs exponentially as the projects approaches production environment. It is all about risk management.

This post is made with PracticeThis.com plugin for Windows Live Writer

ASP.NET Performance By Design: Takeaways From PDC

alikl — Mon, 03 Nov 2008 12:06:35 GMT

During PDC, there were 5 dedicated sessions for improving performance in .Net titled "Performance By Design". The presenters are Rico Mariani, Vance Morrison, and Mark Friedman. These guys live and breathe performance. Although I did not make to get to PDC, I was following after what's going on there. Fortunately, Vance published all slides on his blog. These are my takeaways from the slides he published.

Performance by Design Intro

By Rico Mariani

My favorite is the first slide that sets the expectations - Performance is about Culture:

Part 1 - Teaching Performance Culture
Part 2 - General Topics about Managed Code

I am so happy to see it! There is a perception about performance in the field - it is about tools. There is another perception - "we can fix performance after we build the app". I've been through few situations where such approach resulted in extra budget to "fix the performance issues", missed deadlines, and frustrated customers (and stakeholders). Rico says there are very few rules to follow:

Rule #1 - Measure
Rule #2 - Do your homework

Rico explains Performance Culture very simply but in powerful way:

Budget. An exercise to assess the value of a new feature and the cost you’d be willing to pay:
- Begin by thinking about how the customer thinks about performance
  - Responsiveness
  - Capacity
  - Throughput
  - Cost of Entry
- Identify the resource the customer views as critical to this system
- Choose the level of performance we want to deliver (do we need an “A+” or is a “D” good enough)
- Convert this into what resource usage needs to be to succeed
- Don’t think about the code, think about the customer
Plan. Validate your design against the budget, this is a risk assessment
- You can’t plan without a budget, so get one
- Use best practices to select candidate algorithms
- Understand their costs in terms of the critical resource
- Identify your dependencies and understand their costs
- Compare these projected costs against the budgets
- If you are close to budget you will need much greater detail in your plans
- Identify verification steps and places to abort if it goes badly
- Proceed when you are comfortable with the risk
Verify. Measure the final results, discard failures without remorse or penalty, don’t make us live with them
- The budget and the plan drive verification steps
- Performance that cannot be verified does not exist
- Don’t be afraid to cancel features that are not meeting their budgets – we expect to lose some bets
- Don’t inflict bad performance on the world

Bottom line - performance is about culture - tools only support it. Performance cost you either way - either you invest in it or not. Manage it as you'd manage any other risk.

My Related Posts

CPU Optimization for .NET Applications

By Vance Morrison

Vance supports Rico's Rule #1 - Measure. He provides several practical options:

Low Tech: System.Diagnostics.Stopwatch
Medium Tech: MeasureIt (Automates Stopwatch)
Medium Tech: Use ETW (Event Tracing for Windows)
Higher Tech: Sample Based Profiling.

Vance admits that ETW (Event Tracing for Windows) "...is not easy to use End-to-End:

We are working it
We will have more offerings in next release
It is a complete talk just by itself
If you need logging NOW you CAN use EventProvider, xperf
If you can wait a year, it will be significantly nicer.
If there is interest, we can have an ‘Open Space’ discussion"

My biggest takeaway from this session is that I know unforgivably too little about ETW - need to ramp up myself on it.

My Related Posts

ASP.NET Performance: High CPU Utilization Case Studies And Solutions

Memory Optimization for .NET Applications

By Vance Morrison

My favorite slide is #14:

"Fixing Memory Issues: Prevention!

Fixing Memory Issues is HARD
- Usually a DESIGN problem: Not Pay for Play
- Using every new feature in your app
  XML, LINQ, WPF, WCF, Serialization, Winforms, …
- Initialize all subsystems at startup
GC Memory Are your Data Structures
- Tend to be designed early
- Hard to change later
Thus it Pays to Think about Memory Early!"

What does it mean to think about memory early? The slide deck is packed with explanation about the measurement tools and the theory behind GC. I'd also expect to see few code samples - both patterns and anti-patterns. Mid-life crisis drill down would work for me.

My Related Posts

Parallelism for .NET Applications

By Vance Morrison

The only takeaway (beside good tips) is that Parallel Computing is getting into mainstream. From the field I see more and more demand for multithreaded work, I observe customers buying strong servers but do not utilize it to its capacity while asking to improve performance. I liked the structure of the session, especially "How .Net Can Help..." slides that offer practical tips and implementation suggestions to improve performance by parallelism.

My Related Post

ASP.NET Web Application Performance

By Mark Friedman

This is really huge slide deck - 110 slides... that covers tons of stuff.

I was looking for unusual stuff. I found it. Turns out Visual Round Trip Analyzer (VRTA) was released to the web. The tool was internal for some time and now it is available for the masses. Good news!

I also liked the slides about ETW for IIS. Especially the ETW Trace reporting tool , which is Excel ;). One statement made me feel alert - "Caching the same data in multiple places tends to be wasteful". Not the statement itself rather the relation to Velocity, which is MS distributed cache mechanism. Need to dig deeper. Overall, the slide deck is packed with very useful and practical recommendations spanning multiple technologies like ASP.NET, AJAX, and WCF.

My Related Posts

This template is made with PracticeThis.com plugin for Windows Live Writer

SharePoint Performance : Design, Implement, Deploy For Fast Experience.

alikl — Tue, 23 Sep 2008 10:32:41 GMT

Rico Says : Performance by Design. I say : Yeesh!! I am a big fan of the idea that Performance should be integrated into the whole dev lifecycle. As I am getting more involved with Sharepoint I become more confident applying same approach to Sharepoint implementation with Performance in mind. This post summarizes my collection of performance resources for Sharepoint.

I must thank Rahul from ACE Team for sharing some of the above nuggets with me.

This post was made with PracticeThis.com blog post template plugin for Windows Live Writer

.Net Performance And Security Knowledge Management (Including Sharepoint Template For Download)

alikl — Tue, 16 Sep 2008 00:24:50 GMT

Use MS Sharepoint to manage your .Net Security and Performance Engineering (or any other) knowledge.
Applying simple steps you can create a very powerful KB (Knowledge Base) to serve your needs. It will allow you find very quickly relevant knowledge either using categories or keyword search. You can package your KB

and redeploy on other environments too. Interested? Read on.

Customer Case Study

All of my customers, without exception, at some point realize they need a central knowledge management solution where they would maintain relevant information – usually .Net Performance and Security in my case. The need is dictated by demand to quickly create and share knowledge across the teams.

MS Sharepoint 2003/2007 is an excellent choice to very quickly set up a team site where all relevant info nuggets can be maintained in a way that is easy to consume.

Analysis And Implementation

All of my customers, without exception, use either Sharepoint 2003 or Sharepoint 2007. Creating simple Sharepoint team site was a natural choice.

The content was extracted from Guidance Explorer. These are the steps I have taken to implement my .Net Performance and Security Knowledge Management solutions with Sharepoint 2007:

Create Team Site. During this step you create simple Sharepoint Team Site similar as described here - SharePoint Tutorial: How to create a team site
Create Category Custom List. During this step you create custom list that will serve as a category filter for the content.

Create Document Library and Upload the Content. Create document library, where the content will reside. Make sure to create another column for the library called Category. This will serve you to filter the content by Category.
Categorize the Content. Upload the content and categorize it using Category column.

Create Web Part Page for Easy Consumption. Create a Web Part Page and add two web parts – the Category list, and the Content library. Connect the two so that Category list will provide the data to the library.

Your end result should look similar to the following. Use radio buttons to filter the relevant items and find relevant information gold nugget quickly. You can also use a keyword search that is built into Sharepoint.

Conclusion

From my field observation there are two strong trends with enterprise customers:

Looking for a ways to leverage existing investments and maximize ROI.
Looking for a ways to make a developers more effective and efficient.

Using Sharepoint 2003/2007 and Guidance Explorer content provides a great starting point of building your own Knowledge Management solution in no time.

See online demo here - Security Engineering QA. Try clicking on radio buttons on the left.

Download Sharepoint 2007 site template including the content.

Related Materials

This post was made with PracticeThis.com blog post template plugin for Windows Live Writer

patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF - BETA Is Out

alikl — Thu, 05 Jun 2008 06:57:27 GMT

patterns & practices team has just released a beta version of WCF Security Guide on Codeplex. Download the guide at http://www.codeplex.com/WCFSecurityGuide.

Original announcement by J.D. Meier, the man behind the effort, is here - New Release: patterns & practices WCF Security Guide (BETA)

ASP.NET Performance Engineering - Stress Test Your Architecture, Design, And Code

alikl — Mon, 05 May 2008 13:31:00 GMT

Field experience proves - the earlier performance is tackled in development lifecycle the better results achieved. Below are most frequent practices that were most helpful in my engagement with the customers.

Architecture/Design phase

Set performance scope using Performance Frame
Set performance objectives - Performance Testing Objectives Document Template
Generate and distribute performance engineering principles document to the dev team (this sample was generated using Guidance Explorer)
Conduct performance design inspection (this sample document was generated using Guidance Explorer)

Coding phase

Conduct static code analysis for performance issues - Performance Code Review Tool – Practices Checker
Conduct manual performance code inspection using checklist document (this sample was generated using Guidance Explorer)
Analyze program's flow early in development - Use Sysinternals DebugView To Diagnose The Application

Unit testing phase

Conduct performance smoke test for your application - Stress Test ASP.NET Web Application With Free WCAT Tool
Analyze IIS behavior - Identify ASP.NET, Web Services, And WCF Performance Issues By Examining IIS Logs
Analyze Database behavior using SQL Server profiler - How To: Use SQL Profiler and Using SQL Server Profiler
Analyze Client Side JavaScript behavior - Profiling JavaScript With Ajax View Tool: Spot Poor Performance Client Script In No Time
Analyze ASP.NET behavior - Use Performance Counters Templates To Streamline Performance Analysis
Analyze HTTP traffic from end user's angle - Improve Web Application Performance By Reducing Number Of Http Requests - Fiddler To The Rescue

Performance Sins (performance anti-patterns)

My related posts

patterns & practices WCF Security Guidance Project - live on Codeplex

alikl — Wed, 02 Apr 2008 10:53:10 GMT

patterns & practices has recently released WCF Security Guidance Project. JD, the program manager behind the effort, has been blogging about it too.It is evolving project but the initial content is fantastic already. It has Application Scenarios, Video Index, but my favorites are How-To's:

Pure love.

Performance Development Lifecycle (PDL) Session Materials

alikl — Wed, 12 Mar 2008 00:16:20 GMT

Yesterday I gave a talk about the subject during Performance Open House

First off, thanks for attending my talk. The materials are published here.

Enjoy.

Performance Sin - Using Exceptions To Control Flow

alikl — Sat, 02 Feb 2008 16:19:50 GMT

Want to spot coding anti-patterns from performance perspective without actually looking in the code?

One of the common performance coding anti-patterns I’ve noticed lately is using Exception Handling to control program flow.

The anti-patterns

Most common anti-pattern is just using exception handling to control flow, in some cases it was even nested exception handling – that means the exception is thrown anyway.

In other cases there were empty “catch” exception statements. That means that precious cycles .Net consumes to handle the exception spent for nothing.

The last case was where exception handling was done to catch simple types parsing. That was done on each request.

How to identify Exception Handling anti-pattern

To identify exception handling anti-pattern set “.NET CLR Exceptions/# of Excepts Thrown” perf counter. If you see the graph constantly climbs on each request chance are Exception Handling is used to control the flow which is performance anti-pattern:

Look at the relevant source code to spot try/catch blocks. If the source code is not available use Reflector to reverse engineer the compiled assemblies into C# sources – I used it very successfully during my latest performance review.

Best practices

Do not use exception handling to control the flow. Try to reduce catching exceptions to only most upper component/class. Catching exceptions is expensive from both CPU and memory perspective.

Use TryParse method instead Parse method to avoid throwing exceptions .

Use simple "if" statement to check for nulls.

Tools

Use perfmon to spot the anti-pattern with Exception handling. Run perfmon in command line and add “.NET CLR Exceptions/# of Excepts Thrown” counter. Then run few scenarios to see the graph.

Use Practice Checker for static code analysis. The tool scans the code and reveals excessive usage of exception handling.

My related posts

Performance Code Review Tool – Practices Checker

Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings

alikl — Thu, 24 Jan 2008 16:38:46 GMT

How to streamline the process of capturing security flaws during security code review? How to save time and avoid switching between the tools? How to stay focused?

In this post I will show my simple technique to capture security flaws using Bookmarks in Visual Studio.

Create bookmark folders. Hit Ctrl + K and then Ctrl + W to bring Bookmarks window up. Create 10 folders according to security frame categories:

Focus on one category. Grab security checklist document you created using Guidance Explorer. Choose one category from the security frame, Authentication for example, and inspect the code manually. Do not pay attention to anything else on your way but Authentication issues. One category a time.

Bookmark security bugs. Once you find security bug hit Ctrl + K and then Ctrl +K again. You just created the bookmark. Drag it into the appropriate folder in Bookmarks window. Move on. When you finish the inspection using your checklist you should have something like this:

Copy to the report in one run. Just run through the bookmarks and paste the findings to your final report. One run. Mechanical work. Done. Peace of mind.

My related posts

Design For Operations [DFO] – Problems And Solution Frame

alikl — Sun, 20 Jan 2008 20:02:06 GMT

patterns & practices team maintains Design for Operations [DFO] project on codeplex. The goal of the project focuses on:

“Developing tools and guidance to help enable the development of highly manageable applications on the Windows platform.”

This post summarize my understanding of the project’s problems and solutions frame. Most of the content is direct copy paste from more than 300 pages Manageability Guidance document found here and few interpretations of mine.

Problems Frame

Active players and their concerns

End User.
- Why it is not working?
- Why it works so slow?
- Why I am not allowed to do this operation?
Operator.
- How do I configure this?
- Why it failed without alerts?
- Where all alerts are sent?
- How do I roll back the version?
- What should I do when I se this alert?
Developer.
- How come end users do not understand exception message? – it is simple call stuck dump!
- What do I do with this “Unspecified error” thing?
- What component throws this exception?
- Here is the patch – just drop it to fix the problem.

Operations Challenges

How do I know what is the source of the incident? For example, “It is IIS authentication”.
How do I get detailed information regarding the incident? For example, “SPN is not configured for IIS Application account”.
How do I recognizes the trends that usually lead to incident? “Yesterday we had 10% CPU utilization and today it is 20% - it must mean something”.

Solution Frame

Representing Applications as Managed Entities

A managed entity is any logical part of an application that a system administrator needs to configure, monitor, and create reports about while managing that application or service. Examples of managed entities are a Web service, a database, an Exchange routing group, an Active Directory site, a computer, a server role, a network device, a hardware component, or a subnet.

Model Comprehensive Management Models

Creating a comprehensive management model consists of modeling in a variety of different areas to provide a total system view, including the following:

Configuration modeling. This involves encapsulating all the settings that control the behavior or functionality of an application or system component.
Task modeling. This involves cataloging the complete list of tasks that administrators have to perform to administer and manage a software system or application.
Instrumentation modeling. This involves capturing the instrumentation used to record the operations of a system or application. Instrumentation provides information to the operations team to increase understanding about how the application functions, and to diagnose problems with an application.
Health modeling. This involves defining what it means for a system or application to be healthy (operating normally) or unhealthy (operating in a degraded condition or not working at all). A health model represents logically the parts of an application or service the operations team is responsible for keeping operational.
Performance modeling. This involves capturing the expected baseline performance of an application. Performance counters can then be used to report and expose performance on an ongoing basis, and a monitoring tool can compare this performance to the expected performance.

Building Effective Health Models

An application is considered healthy if it is operating within a series of defined parameters. A number of factors may result in a change in application health, including the following:

Change in application configuration
An application update
A change in an external dependency
A hardware change
A network change
Bad input to the application
Scalability problems
Operator error
Change in deployment
Malicious attack

Steps to handle the problem

Detect a problem.
Verify that the problem still exists.
Diagnose the cause(s) of the problem.
Resolve the problem.
Verify that the problem was resolved.
[My addition] Log the incident and convert it into Knowledge Base gem.

Conclusion

There are few key terms mentioned above - "Modeling", "Design", "Building", "Maintain", "Testing". To me it is absolutely clear that Design For Operations is no different from Security Development Lifecycle or Performance Development Lifecycle. "Operations" is just another important non-functional requirement that needs to be taken throughout the whole development lifecycle to be successfully implemented and deployed in production. It had to be called Operations Development Lifecycle.

My related posts

Create Your Own Guidance Explorer Items Inside Outlook 2007

alikl — Thu, 10 Jan 2008 07:52:54 GMT

Want to create your own nuggets of wisdom? Want it to look and feel like patterns&practices nuggets of wisdom look and feel? Want to reuse it, mix and match with existing ones? It is easy and fast with Outlook 2007.

I will show how I extend my knowledge base with a snap using Outlook 2007’s Quick Parts feature and predefined item templates that come with patterns&practices Guidance Explorer [GE].

I must thank Dor Rotman who pointed me to Quick Parts feature.

Summary of steps

Step #1 – Create Quick Parts templates
Step #2 – Compose new items based on the templates
Step #3 – Test your work

Following section describes each step in details

Step #1 – Create Quick Parts templates. Start GE – refer to Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007 for details. Right click on “My Library” node in the treevew on the left and choose “Question and Answer” template:
Highlight entire text in the editor and copy it into clipboard [ctrl + C]. Switch to Outlook 2007. Click on any folder in the treeview. Press Ctrl + Shift + S to bring up new “Post in This Folder” and paste the text in the clipboard. Add attributes part to the end – you can copy and paste it from existing GE items

While in the post, highlight the entire text [Ctrl + A] and click on Insert tab, then click on “Quick Parts” ribbon to expand it. Click “Save Selection to Quick Part Gallery” found in the bottom. Give it a name “Question & Answer”, create new category “GE” and hit OK to save it as a Quick Part template:

Close the post – do not save it.

Create few other templates following the procedure.

Step #2 – Compose new items based on the templates. Switch to Outlook 2007. Click on “Guidance Explorer Library” folder found in Favorites Folder [I assume you followed instructions in Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007]. Press Ctrl + Shift + S to bring new “Post in This Folder”. In the Subject line type “How To Call Police”. Click on Insert tab and then click on “Quick Parts” ribbon to expand it. Locate “Question & Answer” quick part you just created in Step #1 and click it. The content of the part fills in into the body of the post. Modify it to your needs, make sure to update the category found under Attributes:

Press Ctrl + Enter to post it to the folder.

Step #3 – Test your work. Click on “Security” folder found in Favorite Folders, you should see the newly created item there:

You’ve just created new how-to item that is part of your own GE library managed inside Outlook 2007

Consume patterns&practices Guidance Explorer Via RSS Using Outlook 2007

alikl — Fri, 04 Jan 2008 00:43:00 GMT

patterns&practices recently released new version of Guidance Explorer [GE]. One of the most important addition was enabling RSS on the online GE store. What does that mean? It means you can consume distilled security, performance, and Visual Studio wisdom in any RSS reader of your choice. It means you can leverage familiar environment to consume close to 4000 technical gold nuggets.

This post describes how to set up RSS feed inside Outlook 2007 to read GE’s content.

Summary of steps

Step 1 – Download latest GE bits
Step 2 – Create designated offline PST file
Step 3 – Subscribe to GE’s RSS feed in Outlook 2007
Step 4 – Test drive GE’s content using Outlook 2007

Next section describes each step in detail

Step 1 – Download latest GE bits. Navigate to GE’s releases page and review latest release notes. Also review GE’s FAQ’s. Download latest release – it appears in upper right corner of the page. Extract downloaded zip file and navigate to bin folder. Double click GuidanceExplorer.exe file. GE appears on your screen.
Step 2 – Create designated offline PST file. Switch to Outlook 2007. Open “Data File Management…” found in “File” menu. Click “Add…” in “Data Files” tab to create new PST file. Name it GE [or whatever you like]. Saving GE’s items in dedicated offline PST file will keep your Outlook’s online store from overflowing and it is easier to back up too.
Step 3 – Subscribe to GE’s RSS feed in Outlook 2007. Switch to GE. Right click on “patterns & practices Library” node in GE and choose subscribe to RSS feed:

Internet Explorer will open and will try to display the feed. Do not get scared by the message telling you that IE cannot show the feed as follows:

Just grab the URL from the address bar – highlight it and copy it to clipboard [ctrl+C]. Switch to Outlook 2007. Right click “RSS Subscriptions” node and choose “Add a New RSS Feed” as depicted below:

Paste [ctrl+V] the URL from the clip board into the dialog and hit OK. Hit “Advanced…” button in the next dialog box and configure the feed to sore the items inside the newly created PST file:
Step 4 – Test drive GE’s content using Outlook 2007. After Outlook 2007 finishes downloading the items you can test drive familiar functionality such as instant searching or forwarding the items as an emails.

Heaven.

My related posts

Related materials

JD Meier on Guidance Explorer

VS 2005 Web Application Project - Resources

alikl — Wed, 05 Dec 2007 10:29:04 GMT

It is a bundle of resources for VS 2005 Web Application Project feature. It should explain its advantages and differences over Web Site Project that was introduced in VS 2005 and not available in VS 2003

Use DIR Command To Generate List Of Files And Store It In File

alikl — Sat, 01 Dec 2007 17:16:50 GMT

DIR /S /B /A:-D

I use simple DIR command to generate file lists. It serves me in many scenarios. For example, I use it to generate .Net assemblies list when I conduct preliminary scan as part of code inspection process. Here are the explanations to the switches:

/S - search sub folders
/B - bare format, no summaries and headings
/A:-D - no directories, files only

To save generated list of files into text file simply add >C:\myfileslist.txt. The resulting command would look as follows:

DIR /S /B /A:-D *.DLL >C:\myfileslist.txt

My related posts: