Microsoft Anti-Cross Site Scripting Library - asp.net

I'm evaluating the Microsoft Anti-Cross Site Scripting Library (AntiXSS V3)
I have to say it seems to me that apart from providing a more comprehensive white list of acceptable characters, it's not really bringing anything to the party that a diligent programmer who encoded all his user/agent modifiable output wouldn't be doing anyway.
Am I missing a trick?

I don't think you're missing anything except for the fact that the number of programmers who are aware of proper secure coding is very small, and those that can do it properly are fewer still.
The libraries are written to make things easier for your average developer, and I would assume that any library that is written by Microsoft with the express purpose of enhancing security would be done by a coder (or team of coders) that are experts in the field, as opposed to your normal everyday developer who focuses on the needs of their company.
(I would think they would put a lot of importance on doing this right, considering how Microsoft products are always painted as being painted as "insecure" by MS-haters)
As a parallel, think about encryption. A diligent coder could come up with a secure encryption algorithm. However, OWASP guidelines tell you NOT to come up with your own algorithm, but to use tested algorithms developed by experts and well-tested.
If we have a tool by experts that does the job for it, why would we try to do this on our own? I'd say it would be good to use the Microsoft Anti-Cross Site Scripting Library for this reason alone, if it works as advertised.

Related

Can meteor.js web framework support a social networking architecture effectively?

So I'm new to node.js, javascript frameworks, and meteor.com. I'm trying to learn how to build social networks, and I'm naive/struggling to understand why Meteor.js (meteor.com) wouldn't be able to do all the great things you see now that twitter, facebook, instagram are doing?
There's the comet technology between client/server, authentication configs, asynchronous coding for scaling and performance, and built on top of node.js.
I'm trying to learn more about long polling, comet, gridFS or how files are stored, and in general things like replication sets, and sharding to help with performance (esp since Redhat has this openshift platform that we can build our own private clouds with).
I have some computer science background, but it seems like magic, so what am I missing? If you all could think of a few buzz words that make a social network tick that Meteor.js doesn't support, what would it be?
I hear things about parallel and concurrency (webworkers fixes that in part, no?), websockets, that high level languages like python or java are better off supporting. There's only one to learn my answers, and thats by doing, but thought someone could sway me one way or the other via this thread. Thanks!
This question encompasses a really broad idea and just focusing on using meteor alone would solve this issue. Here are a few points to consider:
I don't think this framework would be a good starting point to learn long-polling, gridFS, etc etc. Meteor aims to be a framework that tends to be more of an ecosystem of packages e.g. you can certainly roll your own aformentioned strategies -- however for dynamic updates, Meteor uses its own Data Delivery Protocol (DDP) supported/implemented by (surprise) a good bunch of core packages such as Spark.
Parallel processing and concurrency can be better off done using other languages, but why not with? Since Meteor is largely based on node.js, and node.js is really good with the aforementioned stuff plus it can play very well with other languages so you could integrate smoothly. Meteor doesn't really require you purely rely on it, as other languages would say the same thing. It's all in the general engineering / planning for your project. There are already lots of really good stuff out there that rely on Meteor, join in! don't be afraid. It all boils down to planning (and the courage/perseverance to pull it off, of course).
Right now, we cannot tell if Meteor would be incapable of the usual great stuff by gigantic websites. Sure, we can do live updates, (its own kind of) publish/subscribe patterns, and powerful stuff to boost development (look at the seven core concepts of meteor to best understand this). It is not impossible to replicate what is already out there, really. We can only say it with uncertainty at the moment mainly because.. (see next point)
The framework is so young! it's still at 0.6.x at the time of writing. Please take time to look at the Meteor Roadmap to see how things are going in terms of broader support for persistence/databases, performance considerations, and the official DDP specification.
I hope I have answered your enquiry (and more, I hope). I'm really excited for meteor myself as it could easily be the next big thing. We have a couple of (for-)production projects using Meteor as well, so you're getting direct insight from a person who has done quite a bit of hacking (and tons of research and first-hand experience) in Meteor. Not that i'm saying i'm an expert or so, it's just so much fun to work with Meteor and i'm totally not kidding you.
Hope this helps!
P.S.: Fair warning though, resources and documentation is really sparse at this point. I try to contribute to the community as much as I can about it (one of my starting points is here, on SO).

Fitnesse vs any other subsystem testing tool [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
We are currently using Fitness for subsystem testing.
we are having lot of issues using the tool, few to mention
Development time for writing Fixture is more then writing the actual code
Issues around check in of the dlls so that Qa can test them
Issues in running Fitnesse for project which uses NHibernate
limited help online
We are planning to use some other tool to do the testing
Few options which we know are
SOAP UI
Story teller
I am not sure whether we will have similar problems with these tools
It would be great to know if someone has experience using these tool and could guide us
In our project we have adopted TDD so we have Nuits for unit testing.
It would be great if anyone is aware of tools/ideas which could extend nunits for subsystem testing as well.
Component testing tools are all about calling functions. Your tests cause functions to be called in "fixtures" that then call into the SUT. Any tool based on this premise will encounter the problems you reference above.
However, most of those problem are manageable. For example you should not be writing lots of fixtures. If you are, something is wrong. Secondly, your fixtures ought to be little more than wiring code to call the APIs in your application. If your fixtures are doing significant work, then something is wrong.
In most FitNesse environments the number of fixtures is rather small. For example, there are over two hundred acceptance tests for fitnesse itself, but the number of fixtures in on the order of a dozen, and they are all relatively simple.
Get help on the fitnesse#yahoogroups.com site. The folks there are usually very responsive to questions.
If you can communicate with your software using text, then I have had success on past projects rolling my own framework using expect.
The framework I cooked up stored tests as XML files, using a simple xUnit style markup. The xml files were then transformed into executable tests using a stylesheet. I ended up transforming the tests into Tcl/Expect, but you could transform them into anything. In fact, if you wanted, you could transform them into multiple languages, depending on your needs.
Several people have kindly reminded me (in the same way you remind you poor dottering grandfather about the drool on his chin) that we are in the 21st century when they inquire why I would choose Tcl over some more modern language. As it turns out, for the purposes of this kind of testing, I haven't yet found a better choice. The Tcl language still kicks butt in this area. Trust me, I didn't wake up one day and say to myself "self, what I need a test framework implemented in a scripting language everyone will hate!"
Believe it or not, I really was looking for a tool, any tool, that had the following characteristics:
Cross platform. This was non-negotiable. We do a lot of cross platform development and we already use WAY too many tools that don't support cross platform development.
Simple syntax. Say what you want about Tcl, but the syntax is very regular. I knew that some native code would probably creep even into the XML files (and originally it was Tcl only, no XML) and I wanted the syntax to be comprehensible to a non-programmer. This simplicity is a core strength of Tcl. As it turns out, it also made transforming the XML easier too.
Free. My favorite price ;-)
Writing tests as simple xml files allowed non-programmers to write customer acceptance level tests - no programming required.
Easily extended.
I did not set out to home grow this to the extent I have. Initially, I looked at established test frameworks like DejaGnu and android. Mostly they had way too many features. They were so feature laden that I didn't think they would be easy for a project to start using without a lot of up front training. Looking at DejaGnu, got me interested in Tcl in general, and after a brief look at tcltest, I almost gave up. Both DejaGnu and tcltest assume you are an advanced Tcl scripter, which I didn't think anyone at my company ever would be. In addition, I wanted the test framework (if possible) to support an xUnit type of test framework and neither of these tools did.
Eventually I found TclTkUnit, a Tcl based testing framework that is designed along xUnit lines. It was only a short leap of logic to realize I could run TclTkUnit in Expect instead of tclsh and get everything I needed.
As it ended up getting used more, I added another stylesheet to render the xml files nicely in a web browser. The test framework generated it's own documentation.
On another project we needs a very basic sim / stim environment to emulate a person throwing switches and pushing buttons on a piece of hardware we didn't have. It only took a few hours to hack the test framework to function as a simulator. Creating the framework took some work, but we felt that it did pay benefits in the long run. I really believe that these types of unforseen consequences of creating your own tools is why people in the agile community & XP in particular have always been such strong advocates.
We have adopted a Fitnesse-based but practically-code-free approach using GenericFixture (google for Anubhava to find his wordpress site) for Fitnesse.
What this allows us to do is to create "executable test narratives" using a language that is friendly to the business-side (as opposed to the technical-side). This language, which is very easily defined, practically without coding, in Generic Fixture, is called a DSL (domain specific language). So we can write our test narratives using e.g. medical terms or even in a language other than English. Basically what we get is transforming our Use Cases into executable narratives.
We are starting to use it in a large project (15 ppl for 2 years) and it seems (so far) to have a good future.
It easily allows Test Driven Development or test-creation after development (traditional approach).
It is wiki-based (Fitnesse) and its versioning and refactoring funcitonality has proven so far sufficient.
I can give more info if anyone is interested.
best regards,
Aristotelis.
We use unit-testing frameworks like NUnit to drive our subsystem tests as well - the tests don't care how they are run. It doesn't have fitnesse's document-based approach, though.

Encryption API for C#2 recommendations?

We need a paid for supported Encryption / Decryption API for a project - AES >256?
I dont want the developers coding their own encryption / decryption even using the built in stuff. To many chances to go wrong.
Links to sites much valued.
UPDATE
Due to the fact as many have said - Its hard to understand if you are not familar with encryption, and get a small thing wrong and its busted...
I have seen answers and will be getting our own encryption/decryption from the builtin - but all the team will need to peer review.
For information BlowFish.Net is good, and performs faster than the builtin crypto routines, which when you start to look at encrypting/decrpyting data into a database can have some massive perf issues ...
http://www.codinghorror.com/blog/archives/001268.html
"even using the built in stuff"
The reason that it's built in is so that people have tested, reliable algorithms available to use that implement standards, not black box third party APIs that might not. What are the "chances to go wrong"?
Maybe you need to switch to Java, you can always opt to use third party JSSE providers there if you're paranoid about the built-in provider.
Bouncy Castle is a well respected and well developed .NET encryption library that is usually recommend for these sorts of questions. But what's wrong with using the System.Security.Cryptography Namespace? - it is extremely secure, very fast and doesn't require any external libraries. Here's an example of how to implement it.
Oh, and "using the built in stuff" will mean it is less likely to go wrong. Your developers won't be coding their own classes, just using the interfaces available which are easy to use and have been very rigorously tested.. Also, the "built in stuff" will be well supported by Microsoft, so if you want to upgrade to C# 4.0 (or C# 5.0 in the future?) you probably won't need to change your code at all.
If you were to use a 3rd party library you would most likely still run into the same issues, which basically boil down to not understanding the pitfalls of encryption.
Without a decent understanding you'll most probably make mistakes with key management, or using bad initialisation vectors or keys. These are issues you'll need to understand to tackle regardless of whether you use the inbuilt libraries (which are fine), or a 3rd party library.
If its something you feel worried about enough, the best recommendation is probably to bring in someone, or better yet - train up people to understand encryption.
Use the builtin 'stuff'. But make sure you use it in the correct mode.

Are there any .NET content management systems that focus on usability and leave out the bloat?

I work in a shop that is mostly .NET based, and we're trying to pick out a content management system to use. This means we mostly likely won't be able to use any of the common open source CMS projects (Plone, phpNuke, anthing not based on .NET, etc.).
Since I'm a huge usability nerd (just finished reading The Design of Everyday Things by Norman), I've been looking at them from that point of view. Frankly, I haven't been too impressed. This quote sums it up:
Most open source content management software is useless. The only thing worse is every commercial CMS I’ve used. - Jeffrey Veen
Here's a short list of our requirements:
Has to be .NET based
Prefer open source or on the inexpensive side
Limited feature set (we don't need too many features and they make things harder to use)
Does need Active Directory integration and robust permissions
Should be focused on web standards and usability
I know it's probably an impossible feature list, but are there any content management systems that kinda sorta look like they might not suck more than a Dyson?
Edit:
Here's the current situation:
I'm going to push for N2. I've got Active Directory integration working well (I even wrote a custom role provider). The only thing missing is workflow functionality. Hopefully I can get something going with that since it's the last sticking point. The N2Contrib project might provide a starting point if I can figure it out.
I would still love to check out Stencil CMS if/when it gets off the ground.
One of my co-workers was trying to get Umbraco going but wasn't having much luck.
Thanks for the help!
Self-plug is lame, but what you're describing is pretty much exactly what I am getting ready to release for $79 a pop. If you're still looking in a few weeks, take a peek. If you'd like, shoot me an email (rex#stencilcms.com).
I've heard both positive and negative feedback about Umbraco. A lot of people like Graffiti, but it's more blog-oriented than a full-blown CMS.
Check out N2 (http://n2cms.com/). I think that it covers most, if not all, of your requirements (I don't think it has Active Directory capability at this time). We are using N2 and I have really enjoyed how flexible it has been.
My company just completed a review of several commercial .NET-based CMS/portal platforms and, while I can't reveal who was in them (thanks, NDAs!), I can tell you that IMO they all sucked very, very badly.
Good luck on your search. I'll keep an eye on this thread in the hopes that there's something we missed.
We had a similar set of requirements and chose Telerik Sitefinity. It's got it's faults but overall I've been happy with it so far.
Unfortunately Jeffery speaks the truth. Which is probably why I build a new custom cms from the ground up every few years. Basically, the motivation for "boxed" CMS packages is to have every feature on earth and be everything to everyone and therefore do nothing particularly well for anyone. With the feature bloat comes the usability nightmares. Unless you start customizing and then you usually end up forking the project and losing the advantage of community updates.
Kentico CMS according your list:
Has to be .NET based
It's .net based, .NET Framework 2.0 or later
Prefer open source or on the inexpensive side
Free edition which can be used for commercial purposes is available, paid license starts at $750, source code is an option
Limited feature set (we don't need too many features and they make things harder to use)
Many built-in modules/features, anyway they can be easily disabled to keep the UI simple to use
Does need Active Directory integration and robust permissions
AD, Forms and Live Id! Integration
Should be focused on web standards and usability
UTF-8 Support including RTL languages, WAI Compliant, XHTML Compliant, XML, XHTML, HTML, XSLT, CSS.
Instant on-line demo or download available at:
http://www.kentico.com/Download.aspx

Best performance comparison website or resource for .Net Web Applications?

I am the .Net specialist in a consultancy with many difference flavors of developers using many different languages and frameworks. Because everyone is pretty much trying to push their own agendas with our different clients in terms of what technology to propose, I'm constantly finding myself in the classic arguments with them all about "why" .Net may be a better technology solution for a given clients requirements.
Often time here, the debate comes down to the issue of performance. Usually the areas that are argued about here consist of costs, maintainability, and performance. I have a hard time arguing about cost because in general open-source technologies are usually cheaper, and although and can usual put a good word in for .Net in terms of total cost of ownership (It seems to be pretty easy to convince people that .Net applications have relative low costs for maintainability if the application architecture has been thoughtfully designed), we will really only push .Net here if the client understands and is indifferent about the costs associated with Microsoft licensing. In terms of maintainability, like I mentioned before, the other developers here realize how much a difference it can make when an application is thoughtfully designed. I have had around 8 years of experience programming .Net solutions and I'm pretty confident in my ability to present to a client all the features and tool sets that .Net provides to give an application a long, and easy to maintain life span.
So again, what it usually boils down to is an argument over performance. Up until now, I have worked for companies that already used Microsoft development technologies to developer their applications so while I have discussed performance with others in the past I have never been a position where I have had to convince performance. My other co-workers are always boasting about these different website that they go to that show improved performance for open-source web applications. This all being said, what I would like to know from everybody here is where do you usually go to get your information about how may some .Net web applications have out performed other technologies?
Thanks in advance for the advice,
-Matt
I appreciate the detail, though I must say I forgot your question at the end. =)
Anyhow, this is something that has certainly been on my mind in the past. There is always a conflict on what technology is the best. We all know on each side you will find zealots, so it's quite difficult weeding out the facts. Professionally, I've seen successes/disasters on both sides of the fence.
For you, since you have a vested interest in .NET. I would showcase success stories, such as ... (insert whatever big name site you want) Facebook, SO, etc. I'd also find stories where things went wrong on the .NET side and pinpoint the reason. Like you said, it is often poor implementation. I don't know how many DailyWTF stories I've seen with ASP.NET sites behaving poorly but it gets traced back to 1) Poor design 2) Implementation 3) Coding.
Once you have a solid show case to justify the technology you can then of course talk about your own past experiences. You need to qualify yourself as being able to avoid the same pitfalls that your stories exposed.
.NET loses in performance against C/C++. In general, it will win over Python, Ruby, and PHP in baseline performance. The static typing tends translates into faster native code. (There are exceptions, such as Python's hand-tweaked set() performance being faster than HashSets in .NET)
The difference might come down to things like apache vs IIS (and their respective caching configurations), database architecture, etc. Features than can be misused or misunderstood (ViewStates and large GridViews, or using large numbers of hidden WebControls, for example)
Depending on what type of application you are building I've found that performance is rarely an issue. All the technologies out there can perform well enough.
When debating .net versus java/ruby/python etc I usually try to point out other benefits of .net.
There was this one time my boss asked me why .net instead of others? He wanted to know because he could get a PHP programmer for cheap. As part of the report we wrote a simple web application in 4 different languages and the .net app ran the fastest by far. After that we solidified behind .net. This was when .net was new so none of us really knew it well. We came from ASP, PHP, Coldfusion and Java backgrounds.
If you are looking for .Net performance stories you can listen to this dot net rocks show

Resources