
Threads Life Cycle 14 March 2008

Posted by Ahmed Abdul Moniem in General Articles.

When a thread is scheduled for execution it can go through several states, including unstarted, alive, sleeping, etc. The Thread class contains methods that allow you to start, stop, resume, abort, suspend, and join (wait for) a thread. We can find the current state of the thread using its ThreadState property, which will be one of the values specified in the ThreadState enumeration:

  • Aborted – The thread is in the stopped state, but did not necessarily complete execution

  • AbortRequested – The Abort() method has been called but the thread has not yet received the System.Threading.ThreadAbortException that will try to terminate it – the thread is not stopped but soon will be.

  • Background – The thread is being executed in the background

  • Running – The thread has started and is not blocked

  • Stopped – The thread has completed all its instructions, and stopped

  • StopRequested – The thread is being requested to stop

  • Suspended – The thread has been suspended

  • SuspendRequested – The thread is being requested to suspend

  • Unstarted – The Start() method has not yet been called on the thread

  • WaitSleepJoin – The thread has been blocked by a call to Wait(), Sleep(), or Join()
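As an added example (not code from the original post), the following C# program walks one thread through Unstarted, WaitSleepJoin and Stopped and prints its ThreadState at each step; ThreadState is a [Flags] enumeration, so the Background flag is combined with the other values and membership is tested with a bitwise AND rather than equality.

```csharp
using System;
using System.Threading;

// Added example: observe the ThreadState values listed above at each
// point of a thread's life.
class ThreadLifeCycleDemo
{
    // Gate the worker waits on, so we can hold it in WaitSleepJoin deliberately.
    static readonly ManualResetEvent gate = new ManualResetEvent(false);

    static void Worker()
    {
        gate.WaitOne();      // blocks here: a thread blocked on a wait handle is in WaitSleepJoin
        Thread.Sleep(20);    // Sleep() is reported the same way
    }

    static void Main()
    {
        Thread t = new Thread(Worker);
        t.IsBackground = true;            // sets the Background flag, OR-ed into the other states

        Report("created", t);             // Start() has not been called yet

        t.Start();
        Thread.Sleep(100);                // give the worker time to reach WaitOne()
        Report("blocked on event", t);

        gate.Set();                       // release the worker
        t.Join();                         // the calling thread is itself in WaitSleepJoin during Join()
        Report("after Join", t);          // the worker has now run all its instructions
    }

    // ThreadState is a [Flags] enum: test membership with bitwise AND, never with ==.
    static void Report(string when, Thread t)
    {
        ThreadState s = t.ThreadState;
        Console.WriteLine("{0,-18} ThreadState = {1}; background? {2}; stopped? {3}",
            when, s,
            (s & ThreadState.Background) != 0,
            (s & ThreadState.Stopped) != 0);
    }
}
```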


Top 10 Secure Coding Practices 4 January 2008

Posted by Ahmed Abdul Moniem in General Articles.

Top 10 Secure Coding Practices

Added by Robert Seacord on Jun 21, 2007

  1. Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including command line arguments, network interfaces, environmental variables, and user controlled files [Seacord 05].
  2. Heed compiler warnings. Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code [C MSC00-A, C++ MSC00-A].
  3. Architect and design for security policies. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set.
  4. Keep it simple. Keep the design as simple and small as possible [Saltzer 74, Saltzer 75]. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.
  5. Default deny. Base access decisions on permission rather than exclusion. This means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted [Saltzer 74, Saltzer 75].
  6. Adhere to the principle of least privilege. Every process should execute with the least set of privileges necessary to complete the job. Any elevated permission should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges [Saltzer 74, Saltzer 75].
  7. Sanitize data sent to other systems. Sanitize all data passed to complex subsystems [C STR02-A] such as command shells, relational databases, and commercial off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of SQL, command, or other injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem.
  8. Practice defense in depth. Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment [Seacord 05].
  9. Use effective quality assurance techniques. Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Penetration testing, fuzz testing, and source code audits should all be incorporated as part of an effective quality assurance program. Independent security reviews can lead to more secure systems. External reviewers bring an independent perspective; for example, in identifying and correcting invalid assumptions [Seacord 05].
  10. Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform.
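The following C# snippet, added here and not part of Seacord's article, shows practices 1 and 7 together for a lookup by user name: an allow-list validator, the string-concatenated query that hands the database a value it cannot distinguish from code, and the parameterized version; the table, column and parameter names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example (not from Seacord's list). Table and column names are assumed.
static class UserLookup
{
    // Practice 1, validate input: accept only what the application needs (an
    // allow-list) and reject the rest, rather than trying to strip "bad" characters.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_.-]{1,32}$");

    public static bool IsValidUserName(string name)
    {
        return name != null && UserNamePattern.IsMatch(name);
    }

    // Vulnerable: the user-controlled value becomes part of the SQL text, so the
    // database cannot tell data from code (the "context" problem of practice 7).
    public static SqlCommand BuildQueryUnsafe(SqlConnection conn, string name)
    {
        string sql = "SELECT Id, Email FROM Users WHERE UserName = '" + name + "'";
        return new SqlCommand(sql, conn);
    }

    // Hardened: the caller knows the value is data, so it passes it to the
    // subsystem as a typed parameter; the SQL text never changes with the input.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string name)
    {
        if (!IsValidUserName(name))
            throw new ArgumentException("user name failed validation", "name");

        SqlCommand cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = name;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: the second one is rejected because of the space.
        Console.WriteLine(IsValidUserName("alice_01"));
        Console.WriteLine(IsValidUserName("alice smith"));
    }
}
```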

Bonus Secure Coding Practices

  1. Define security requirements. Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting system cannot be effectively evaluated.
  2. Model threats. Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in designs, code, and test cases [Swiderski 04].

Bonus Photograph

I found the following photograph on the Web, and I’m still trying to figure out who owns the rights to it. If you know, please comment below.

I like this photograph because it illustrates how the easiest way to break system security is often to circumvent it rather than defeat it (as is the case with most software vulnerabilities related to insecure coding practices).

References

[Saltzer 74] Saltzer, J. H. “Protection and the Control of Information Sharing in Multics.” Communications of the ACM 17, 7 (July 1974): 388-402.

[Saltzer 75] Saltzer, J. H. & Schroeder, M. D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975), 1278-1308.

[Seacord 05] Seacord, R. Secure Coding in C and C++. Upper Saddle River, NJ: Addison-Wesley, 2006 (ISBN 0321335724).

[Swiderski 04] Swiderski, F. & Snyder, W. Threat Modeling. Redmond, WA: Microsoft Press, 2004.

Setting up and running Subversion and Tortoise SVN with Visual Studio and .NET 4 January 2008

Posted by Ahmed Abdul Moniem in General Articles.

by Rick Strahl

What’s covered:

This document describes the steps to install and configure Subversion, create a new repository and then walks through the basic steps required to set up local Visual Studio projects using Tortoise SVN.

This isn’t meant to be an all comprehensive tutorial on Subversion, but rather a quick step by step of the essential things to install and configure to get up and running. For more detail you can use the excellent Subversion and Tortoise SVN documentation.

See full article from here 

Lutz Roeder’s Programming Tools 22 December 2007

Posted by Ahmed Abdul Moniem in General Articles.

Reflector for .NET

Reflector is the class browser, explorer, analyzer and documentation viewer for .NET. Reflector allows to easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic and IL.

Reflector.zip – .NET Reflector, Version 5.0.50.0, Add-Ins

Resourcer for .NET

Resourcer is an editor for .resources binaries and .resX XML file formats used with the .NET platform. Resourcer allows editing of name/string pairs, import of bitmaps/icons and merging of resources from different sources.

Resourcer.zip – .NET Resourcer files

CommandBar for .NET

The CommandBar class library extends Windows Forms with classes for CommandBar, ReBar, CoolBar, and bitmapped menu controls. 24-bit alpha channel images are supported on Windows 2000.

CommandBar.zip – Library and C# source code

Writer for .NET

Writer is a simple WYSIWYG editor for HTML files. The program allows you to edit HTML files using simple editing functionality like Undo, Redo, Cut, Copy, Paste, Find, Replace. Writer also supports text layout and formatting, hyperlink editing and insertion of dates and pictures.

Writer.zip – Executable and C# source code

Mapack for .NET

Mapack is a .NET class library for basic linear algebra computations. It supports Norm1, Norm2, Frobenius Norm, Determinant, Infinity Norm, Rank, Condition, Trace, Cholesky, LU, QR, singular value decomposition, least squares solver and eigenproblems.

Mapack.zip – Library and C# source code

List Of Useful Programs To Developers 15 September 2006

Posted by Ahmed Abdul Moniem in General Articles.

This list will be updated if your comments mention other useful programs not included here.


Source Control Programs:

The goal of the Subversion project is to build a version control system that is a compelling replacement for CVS in the open source community. The software is released under an Apache/BSD-style open source license.

And you can download the latest version from here

And see this for a comparison between different source control programs

And you can download subversion book from here

==============================

The coolest Interface to (Sub)Version Control

And you can download it from here


Issue/Bug Tracking Programs:

Trac is an enhanced wiki and issue tracking system for software development projects. Trac uses a minimalistic approach to web-based software project management. Our mission: to help developers write great software while staying out of the way. Trac should impose as little as possible on a team’s established development process and policies.

And you can download it from here

==============================

Mantis is a web-based bugtracking system. It is written in the PHP scripting language and requires the MySQL database and a webserver. Mantis has been installed on Windows, Mac OS, OS/2, and a variety of Unix operating systems. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

And you can download it from here


Unit Test Programs:

You can know more about unit testing from here

NUnit is a unit-testing framework for all .Net languages. Initially ported from JUnit, the current production release, version 2.2, is the fourth major release of this xUnit based unit testing tool for Microsoft .NET. It is written entirely in C# and has been completely redesigned to take advantage of many .NET language features, for example custom attributes and other reflection related capabilities. NUnit brings xUnit to all .NET languages.

And you can download it from here

==============================

NCover provides statistics about your code, telling you how many times each line of code was executed during a particular run of the application. The most common use of code coverage analysis is to provide a measurement of how thoroughly your unit tests exercise your code. After running your unit tests under NCover, you can easily pinpoint sections of code that are poorly covered and write unit tests for those portions. Code coverage measurement is a vital part of a healthy build environment.

And you can download it from here


Project/Task Management Programs:


dotProject is a volunteer supported Project Management application. There is no “company” behind this project, it is managed, maintained, developed and supported by a volunteer group and by the users themselves.


And you can download it from here



Code Analysis Programs:

FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas:

  • Library design
  • Localization
  • Naming conventions
  • Performance
  • Security

FxCop includes both GUI and command line versions of the tool.


And you can download it from here


Naming Guidelines 14 September 2006

Posted by Ahmed Abdul Moniem in General Articles.

A consistent naming pattern is one of the most important elements of predictability and discoverability in a managed class library. Widespread use and understanding of these naming guidelines should eliminate many of the most common user questions. This topic provides naming guidelines for the .NET Framework types. For each type, you should also take note of some general rules with respect to capitalization styles, case sensitivity and word choice.

Capitalization Styles
Describes the Pascal case, camel case, and uppercase capitalization styles to use to name identifiers in class libraries.
Case Sensitivity
Describes the case sensitivity guidelines to follow when naming identifiers in class libraries.
Abbreviations
Describes the guidelines for using abbreviations in type names.
Word Choice
Lists the keywords to avoid using in type names.
Avoiding Type Name Confusion
Describes how to avoid using language-specific terminology in order to avoid type name confusion.
Namespace Naming Guidelines
Describes the guidelines to follow when naming namespaces.
Class Naming Guidelines
Describes the guidelines to follow when naming classes.
Interface Naming Guidelines
Describes the guidelines to follow when naming interfaces.
Attribute Naming Guidelines
Describes the correct way to name an attribute using the Attribute suffix.
Enumeration Type Naming Guidelines
Describes the guidelines to follow when naming enumerations.
Static Field Naming Guidelines
Describes the guidelines to follow when naming static fields.
Parameter Naming Guidelines
Describes the guidelines to follow when naming parameters.
Method Naming Guidelines
Describes the guidelines to follow when naming methods.
Property Naming Guidelines
Describes the guidelines to follow when naming properties.
Event Naming Guidelines
Describes the guidelines to follow when naming events.

N-Tier Application Development with Microsoft.NET 12 September 2006

Posted by Ahmed Abdul Moniem in General Articles.

This series of articles is very useful for understanding the concept of N-Tier Application Development. It was written by Karim Hyatt on Belgium MSDN.

Part 1 : What is N-Tier Architecture?
Part 2 : How to implement the Business Layer?
Part 3 : How to implement the Data Layer?

In the future, I will also try to publish new articles from books or the web about this topic.

Project Life Cycle 11 September 2006

Posted by Ahmed Abdul Moniem in General Articles.

The development life cycle of a project involves three phases:

◆ Project initiation
◆ Project execution
◆ Project deployment

In the project initiation phase, a comprehensive list of tasks to be performed is prepared, and responsibilities, depending upon individual skills, are assigned to team members. I will be discussing the tasks that need to be performed when I proceed with the coding of the application.

In the project execution phase, the development team develops the application. This phase consists of the following stages:

◆ Analyzing requirements

Analyzing requirements is the process of determining and documenting the customer’s needs and constraints. Subsequently, based on these requirements, you create a plan for developing the application. The process of analyzing requirements often starts with a problem statement given by a customer or the customer’s representative. Analysts organize all the information gathered from the customer and analyze the customer’s needs. Finally, they prepare a written description of the customer’s problem and define a possible solution.

◆ Creating high-level design

The second stage in the project execution phase is to develop a high-level design. In the high-level design phase, the external characteristics of the system, such as interfaces, are designed. In addition, in this phase, the operating environment and various subsystems and their input and output are decided. In this stage, features that require user input or approval from the client are documented, and client approval is obtained for the same. These documents include the functional specifications document of the application, which is presented in a simple language to the client. The functional specifications include the description of the databases, forms, and reports that will be included in the application.

◆ Creating low-level design

In the low-level design phase, a detailed design of the software modules, based on the high-level design, is produced. In addition, the team lays down specifications for various software modules of an application. Modules defined in the high-level design phase are used to create a detailed structure of a system. The system contains subsystems, which are partitioned into one or more design units or modules. In the low-level design phase, the flow of the different modules in the project and the interactions between various interfaces are defined.

◆ Construction

In the construction phase, different software modules are built. This phase uses the output of the low-level design to produce software components. During the construction phase, task responsibilities are assigned to team members. Some team members may need to design and develop an interface, while others may be required to write the code for database connectivity and business rules.

◆ Integration and testing

The integration of different modules and testing are conducted during the integration and testing phase. The quality assurance (QA) team validates whether the functional requirements, defined in the requirements document, are met. The development team also submits a test case report to the QA team so that the application that the development team has created can be tested in various possible scenarios.

◆ User acceptance testing

In the user acceptance phase, based on the predefined acceptance criteria, the client conducts acceptance testing of the project. In this phase, the acceptance criteria include the fulfillment of all the requirements identified during the requirements analysis phase.

The final stage in the project life cycle is the project deployment phase. In this stage, the application is deployed at the client location, and support is provided to the client for a specified period. In addition, any bugs identified in the application are debugged. This phase consists of the following two stages:

◆ Implementation

The system is installed and made operational in a production environment. The implementation phase is initiated after the system has been tested and accepted by the client. This phase continues until the system operates in a production environment.

◆ Operation and maintenance

In the operations and maintenance phase, software is monitored for performance in accordance with user requirements. In addition, the modifications that are required are incorporated in the software. Operations continue as long as a system can effectively adapt to an organization’s needs. However, when modifications or changes are identified, the system may re-enter the planning phase.

Note: This article is a summary from “Microsoft C# Professional Projects” Book [ISBN: 1-931841-30-6]