A good friend of mine, Jimmy May, published an amazing post about the perception and reality of performance improvement: Perception, Reality, & Incrementally Tuning World-Class Applications. The post is full of passion (no less) and I read it with great pleasure. The post builds on the point Ed Glas made about a 20% improvement (Kolbis referred to it as well). Here are two personal stories of mine on the subject. From: CS193H High Performance Web Sites. One day I was called in to help a customer improve the performance of his web system. When I started investigating the problem it turned out that a 50% performance improvement was required. That already sounded like a challenge to me. When I was told that this effort had been going on for long months, I started to think that maybe it was better to give up......
Have you noticed that little slogan at the bottom of the p&p logo?
"proven practices for predictable results"
When I landed in Seattle for Another Breathtaking Microsoft Convention I called my precious wife to tell her I was OK. What I heard in response was crying, and she told me that she had been involved in a serious car wreck. I can recall now that the first thing I asked was "Were you wearing a safety belt?" and when I heard "yes" I could estimate what could have happened to her. I could not be sure about her explanations since she could be in shock, but since she applied proven...
I was blogging lately about security tools (see Most Powerful Security Tool). For some reason there is a perception that security tools are about scanning, intercepting, cracking, and tampering - in other words, something reactive.
To me a security tool is something that supports Security Engineering as a whole, and it can be anything from document templates to simple checklists. But my favorite is of course Guidance Explorer (see patterns&practices Guidance Explorer), which constantly gets updates (see He Who Doesn't Ask - Just Doesn't Get). Today it contains about 1000 prescriptive items for security and performance.
I've used it for the following scenarios:
http://msdn2.microsoft.com/en-us/library/ms188354.aspx "In SQL Server 2005 you can define the execution context of the following user-defined modules: functions (except inline table-valued functions), procedures, queues, and triggers. By specifying the context in which the module is executed, you can control which user account the SQL Server 2005 Database Engine uses to validate permissions on objects that are referenced by the module. This provides additional flexibility and control in managing permissions across the object chain that exists between user-defined modules and the objects referenced by those modules." I think it is AWESOME!!! In security we have a couple of principles,...
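The following is an added example (not code from the MSDN article or from the original post) showing the clause the quote describes. The database, schema, table and principal names (PayrollDemo, Payroll.Salaries, App.GetSalaryBand, app_owner, app_reader) are assumptions for the demo. The table sits in a schema owned by dbo while the procedure sits in a schema owned by app_owner, so ownership chaining does not apply and the caller would normally need SELECT on the table; WITH EXECUTE AS OWNER moves that check to app_owner, and the application principal gets EXECUTE on the module and nothing else.

```sql
-- Added example (not from the MSDN article or the original post).
-- All object and principal names below are assumptions for the demo.
USE master;
GO
CREATE DATABASE PayrollDemo;
GO
USE PayrollDemo;
GO

-- The principal the application connects as: may see salary bands, never raw salaries.
CREATE LOGIN app_reader WITH PASSWORD = 'Demo-Reader-P@ss1!';
CREATE USER  app_reader FOR LOGIN app_reader;

-- A database-only principal that will own the schema holding the application's modules.
CREATE USER app_owner WITHOUT LOGIN;
GO

-- Sensitive data lives in a schema owned by dbo.
CREATE SCHEMA Payroll;
GO
CREATE TABLE Payroll.Salaries (
    EmployeeId INT           NOT NULL PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Salary     MONEY         NOT NULL
);
INSERT INTO Payroll.Salaries (EmployeeId, Name, Salary) VALUES (1, N'Alice', 100000);
INSERT INTO Payroll.Salaries (EmployeeId, Name, Salary) VALUES (2, N'Bob',    90000);
GO

-- The application's modules live in a schema owned by app_owner, so the
-- ownership chain between the procedure and the table is broken on purpose.
CREATE SCHEMA App AUTHORIZATION app_owner;
GO

-- app_owner is the only principal with direct read access to the table.
GRANT SELECT ON Payroll.Salaries TO app_owner;
GO

-- EXECUTE AS OWNER: permission checks on Payroll.Salaries are made against
-- app_owner (the owner of schema App), not against whoever calls the procedure.
CREATE PROCEDURE App.GetSalaryBand
    @EmployeeId INT
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    -- Only the derived, non-sensitive value leaves the module.
    SELECT EmployeeId,
           CASE WHEN Salary >= 95000 THEN 'High' ELSE 'Standard' END AS Band
    FROM   Payroll.Salaries
    WHERE  EmployeeId = @EmployeeId;
END;
GO

-- The caller is granted the module, and nothing else.
GRANT EXECUTE ON App.GetSalaryBand TO app_reader;
GO

-- Check as the low-privileged caller (requires IMPERSONATE, which dbo has).
EXECUTE AS USER = 'app_reader';
SELECT * FROM Payroll.Salaries;          -- denied: app_reader has no SELECT on the table
EXEC App.GetSalaryBand @EmployeeId = 1;  -- allowed: the check runs against app_owner
SELECT USER_NAME();                      -- outside the module the context is still app_reader
REVERT;
GO
```

Two caveats a reviewer would raise. First, if the procedure and the table shared an owner, ownership chaining would already skip the permission check on the table for the caller; EXECUTE AS earns its keep across owners and inside dynamic SQL, where the chain is broken. Second, everything inside the module now runs with the owner's rights, so any string concatenation into EXEC(@sql) within an EXECUTE AS module turns a SQL injection into a privilege escalation: keep parameters typed, as above, or use sp_executesql with parameters.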
You can build your own application firewall (Stateful Web Application Firewalls with .NET, http://www.awprofessional.com/articles/article.asp?p=694855&f1=rss&rl=1) or even a reverse proxy (Simple HTTP Reverse Proxy with ASP.NET and IIS, http://www.codeproject.com/aspnet/HTTPReverseProxy.asp). Cheers
"The log-in system used by Nordea has been the target of much criticism during recent months. Users log in to their accounts using their date of birth, a standing four-digit security code and a one-time code." Building your own custom authentication system instead of using an industry-proven one is a recipe for the above. Here are some helpful resources: How To: Create GenericPrincipal Objects with Forms Authentication How To: Protect Forms Authentication in ASP.NET 2.0 How To: Use Authorization Manager (AzMan) with ASP.NET 2.0 How To: Use Forms Authentication with Active Directory How To: Use Forms Authentication with Active Directory in...
...on the other hand, "you can't always get what you want" :) In my case I asked and I got what I wanted. So if you care about your application's security shape, go ahead and download Guidance Explorer today. Thanks JD! Cheers
Just like Microsoft does, Oracle, for the first time in its history, is notifying its customers about an upcoming critical security update it is about to release on January 16.
"Oracle Database Executive Summary
This Critical Patch Update contains a total of 27 new security fixes for Oracle Database products, 10 of which may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. 1 fix is applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed"
Good stuff!! (I mean the fact of systematic security updates...
When you are scheduled for a security review meeting, be prepared for the above question. Security guys are concerned about the Identity Theft/Spoofing threat.
My suggestion is to go there prepared with the following question list, thus saving lots of
How do your end users identify themselves?
User and Password pairs
How are credentials sent over the wire (if any)?
Over a protected wire (SSL, IPSec, etc.)?
How does your system authenticate your end users?
Custom mechanisms (not the best choice)
How does your application manage credentials that it uses to authenticate itself with downstream servers?