Introduction to the Caching Application Block

The Enterprise Library Caching Application Block lets developers incorporate a local cache in their applications. It supports both an in-memory cache and, optionally, a backing store that can either be the database store or isolated storage. The Caching Application Block can be used without modification; it provides all the functionality needed to retrieve, add, and remove cached data. Configurable expiration and scavenging policies are also part of the block.

If you have been working with caching outside the Enterprise Library, I believe you will find this application block extremely powerful and easy to use. If you have not taken on the subject of caching before, I believe you also will find this easy to pick up and ultimately boost the performance of your applications. The Enterprise Library Caching Application Block includes the following features:

• You can use the graphical Enterprise Library configuration tools to manage configuration settings.
• You can configure a persistent storage location, using either isolated storage or the Enterprise Library Data Access Application Block, whose state is synchronized with the in-memory cache.
• Administrators can manage the configuration using Group Policy tools.
• You can extend the block by creating custom expiration policies and storage locations.
• You are assured that the block performs in a thread-safe manner.

Cache Manager

The cache manager serves the role of managing the cache store exactly as it sounds. It is entirely possible to have multiple cache managers to suit you business requirements. When configuring the cache manager you also have choices when it comes to the backing stores. For example, if you wish to use a database to persist the cache you can do so, but for the purpose of this article I will demonstrate the out of the box configuration which is the server’s memory.

Once you have the defined your cache manager settings,  you will see similar code withing your web.config:

<configSections>
	<section name="cachingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Caching.
		Configuration.CacheManagerSettings, Microsoft.Practices.EnterpriseLibrary.Caching,
		Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
		requirePermission="true" />
</configSections>
<cachingConfiguration defaultCacheManager="RadDev Cache Manager">

Design and Implementation

Turning our attention to the web project, the first step is to add the appropriate references. Add a reference to the Caching Application Block assembly. In Microsoft Visual Studio, right-click your project node in Solution Explorer, and then click Add Reference. Click the Browse tab and find the location of the Microsoft.Practices.EnterpriseLibrary.Caching.dll assembly. Select the assembly, and then click OK to add the reference.

Now that the references are in place, we need the using statements.

//Enterprise Library
using Microsoft.Practices.EnterpriseLibrary.Caching;
using Microsoft.Practices.EnterpriseLibrary.Caching.Expirations;

Now the fun begins. We will query the database and after this first round trip we will cache the data. By caching the data the next call to the database essentially does not occur. Back in your webform add a GridView.

<asp:GridView ID="GridViewContactsNoCache" runat="server">
</asp:GridView>

Now that we have the GridView established it is time to wire up the necessary code to communicate with the database and then display this data to the end user.

First step here is to create your reference to the cache manager.

ICacheManager cache = EnterpriseLibraryContainer.Current.GetInstance<ICacheManager>();

Depending upon your application’s design you can add a object to cache in the scenario that works best for you. Here I am using a Generic List to create an object type of Contact. I will not go into the details of the List nor the Contact Class, but I will share the code so you can follow the thought process.

SQL Statement

private const string sqlOne = "SELECT FirstName," +
	" MiddleName, LastName FROM Person.Contact WHERE  (LastName =" +
	" N'adams') AND (FirstName LIKE N'r%') ORDER BY LastName";

Page Load Event

Inside the page load you will notice an if/else statement. Here is where we check if the Contacts object is in cache and if so, we bypass the database round trip and bind the GridView to this cache object.

protected void Page_Load(object sender, EventArgs e)
{
	if (cache.Contains("ContactsCachKey"))
	{
		GridViewContactsNoCache.DataSource = cache.GetData("ContactsCachKey");
	}
	else
	{
		GridViewContactsNoCache.DataSource = GetContacts();
	}
	GridViewContactsNoCache.DataBind();

	// How many object are in cache?
	LabelCacheObjects.Text = string.Format("The Cache Manager contains {0} objects.",
	cache.Count.ToString());
}

Get the Contacts

In this method you will see the use of the Generic List and immediately before exiting the method I am making another method call to populate the Contacts to cache.

private List<Contact> GetContacts()
{
	using (IDataReader rdr = db.ExecuteReader(CommandType.Text, sqlOne))
	{
		lstContact = new List<Contact>();

		while (rdr.Read())
		{
			contact = new Contact();
			contact.FirstName = rdr.GetString(0);
			contact.MiddleName = rdr.GetString(1);
			contact.LastName = rdr.GetString(2);
			lstContact.Add(contact);
		}
	}

	PopulateCacheManager(lstContact);

	return lstContact;
}

private void PopulateCacheManager(List<Contact> lstContact)
{
	cache.Add("ContactsCachKey", lstContact);
}

The Result

What If The Data Changes

Of course when one displays data, typically the counterpart is to also update the data. You will be pleased to know that in one line of code you can destroy the Contacts cached object and upon the next execution of displaying the data, the process starts all over. Assume for a moment that that Update button click has processed a database transaction.

protected void ButtonUpdate_Click(object sender, EventArgs e)
{
	cache.Remove("ContactsCachKey"); //here we remove the Contacts cache object
}

Conclusion

As you can see, using the Caching Application Block component of the Enterprise Library is not complex. Of course, this article has just begun to scratch the surface in the hopes that your interest is perked.

Examples Via MSDN

The following examples are from the Enterprise Library 5.0, Chapter 5 – A Cache Advance for Your Applications.

Proactive Cache Loading

The example, Load the cache proactively on application startup, provides a simple demonstration of proactive cache loading. In the startup code of your application you add code to load the cache with the items your application will require. The example creates a list of Product items, and then iterates through the list calling the Add method of the cache manager for each one. You would, of course, fetch the items to cache from the location (such as a database) appropriate for your own application. It may be that the items are available as a list, or—for example—by iterating through the rows in a DataSet or a DataReader.

// Create a list of products - may come from a database or other repository
List<Product> products = new List<Product>();
products.Add(new Product(42, "Exciting Thing",
                         "Something that will change your view of life."));
products.Add(new Product(79, "Useful Thing",
                         "Something that is useful for everything."));
products.Add(new Product(412, "Fun Thing",
                         "Something that will keep the grandchildren quiet."));

// Iterate the list loading each one into the cache
for (int i = 0; i < products.Count; i++)
{
  theCache.Add(DemoCacheKeys[i], products[i]);
}

Reactive Cache Loading

Reactive cache loading simply means that you check if an item is in the cache when you actually need it, and—if not—fetch it and then cache it for future use. You may decide at this point to fetch several items if the one you want is not in the cache. For example, you may decide to load the complete product list the first time that a price lookup determines that the products are not in the cache.

The example, Load the cache reactively on demand, demonstrates the general pattern for reactive cache loading. After displaying the contents of the cache (to show that it is, in fact, empty) the code attempts to retrieve a cached instance of the Product class. Notice that this is a two-step process in that you must check that the returned value is not null. As we explained in the section “What’s In My Cache?” earlier in this chapter, the Contains method may return true if the item has recently expired or been removed.

If the item is in the cache, the code displays the values of its properties. If it is not in the cache, the code executes a routine to load the cache with all of the products. This routine is the same as you saw in the previous example of loading the cache proactively.

Console.WriteLine("Getting an item from the cache...");
Product theItem = (Product)defaultCache.GetData(DemoCacheKeys[1]);

// You could test for the item in the cache using CacheManager.Contains(key)
// method, but you still must check if the retrieved item is null even
// if the Contains method indicates that the item is in the cache:
if (null != theItem)
{
  Console.WriteLine("Cached item values are: ID = {0}, Name = '{1}', "
                    + "Description = {2}", theItem.ID, theItem.Name,
                    theItem.Description);
}
else
{
  Console.WriteLine("The item could not be obtained from the cache.");

  // Item not found, so reactively load the cache
  LoadCacheWithProductList(defaultCache);
  Console.WriteLine("Loaded the cache with the list of products.");
  ShowCacheContents(defaultCache);
}

The goals of Enterprise Library are the following:

• Consistency. All Enterprise Library application blocks feature consistent design patterns and implementation approaches.
• Extensibility. All application blocks include defined extensibility points that allow developers to customize the behavior of the application blocks by adding their own code.
• Ease of use. Enterprise Library offers numerous usability improvements, including a graphical configuration tool, a simpler installation procedure, and clearer and more complete documentation and samples.
• Integration. Enterprise Library application blocks are designed to work well together or individually.

Now that the groundwork has been laid let us get started.

Introduction to the Data Access Library

The Data Access Application Block includes a small number of methods that simplify the most common techniques for accessing a database. Each method encapsulates the logic required to retrieve the data and manage the connection to the database. The methods exposed by the block allow you to execute queries, return data in a range of different formats, populate a DataSet, update the database from a DataSet, perform data access asynchronously (against SQL Server databases), and return data as objects in a suitable format for use with client-side query technologies such as LINQ.

As with anything good there is always its counterpart. For example, if you are going to work with data in a a mechanism that is unique to your application or if your are going to work with a particular database that provides unique features then you may not want to use the Data Access Library. It is also important to understand the level of support. For example, if you are targeting an Oracle database you should not use this library since Microsoft has depreciated the Oracle Client. In this case you should turn to Oracle’s ODP.NET which is native to an Oracle Database.

The Database Connection

The beauty of the Data Access Library is the simplicity of its use. For example, to establish a connection to a database, SQL Server in this case all it takes is a single line of code. First things first is to add the appropriate references to the Enterprise Library Assemblies.

//Enterprise Library
using Microsoft.Practices.EnterpriseLibrary.Common.Configuration;
using Microsoft.Practices.EnterpriseLibrary.Data;

Then comes the database object creation.

Database db = EnterpriseLibraryContainer.Current.GetInstance<Database>(“MyDatabase”);

The string value MyDatabase represents the connection to a SQL Server. Yes, it actually is that simple. In fact the instance of database could in fact be defined in a single class so your development team would never have to waste any time in defining a database object again. It is also worth saying that this database object is not yet in an open state. This is good news because so many developers often forget to close out their database connections. Another important benefit is the Data Access Library also will log events to the application event log, but this is a subject that I will go into in a future article.

Inline SQL Statement Example

I want to first say that you should exercise extreme caution when using inline SQL because this type of database interaction is vulnerable to SQL Injection. For the purpose of this example, I will utilize inline SQL.

In this example we will employ two SQL statements. One will retrieve the contact details to include first, middle, and last names. The second statement will return the total number of contacts.

private const string sqlOne = "SELECT FirstName," +
" MiddleName, LastName FROM Person.Contact WHERE  (LastName = N'adams') AND" +
" (FirstName LIKE N'r%') ORDER BY LastName";

private const string sqlTwo = "SELECT COUNT(*) AS TotalContacts FROM Person.Contact WHERE (LastName = N'adams') AND" +
" (FirstName LIKE N'r%')";

Build the WebForm

Now turning our attention to the web form we will need to server controls. First is a Gridview and second is a Label.

<asp:GridView ID="ContactsGridView" runat="server"></asp:GridView>
<asp:Label ID="TotalContactsLabel" runat="server" Text=""></asp:Label>

At this point if you have been working with ADO.NET you will find the code behind the webform very familiar. The only thing we are doing different in this example is working with the database object that was covered earlier in this article.

/// <summary>
/// Gets the contacts.
/// </summary>
/// <returns>DataSet of contacts</returns>
private DataSet GetContacts()
{
	DataSet dsContacts = db.ExecuteDataSet(CommandType.Text, sqlOne);
	return dsContacts;
}

/// <summary>
/// Gets the total contacts.
/// </summary>
/// <returns>Total number of contacts</returns>
private int GetTotalContacts()
{
	//because ExecuteScalar returns an object we must cast to an int
	int totalContacts = (int)db.ExecuteScalar(CommandType.Text, sqlTwo);
	return totalContacts;
}

Now that we have the necessary methods established the next step is to bind the data to the server controls back on the webform. We will do this in the page load event.

/// <summary>
/// Handles the Load event of the Page control.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
protected void Page_Load(object sender, EventArgs e)
{
	ContactsGridView.DataSource = GetContacts();
	ContactsGridView.DataBind();

	TotalContactsLabel.Text = string.Format("There are a total of {0} contacts", GetTotalContacts().ToString());
}

Now upon execution of the web application you will be presented the following:

Conclusion

As you can see, using the Data Access Library component of the Enterprise Library is not complex. Of course, this article has just begun to scratch the surface in the hopes that your interest is perked.

Examples Via MSDN

The following examples are from the Enterprise Library 5.0, Chapter 2 – Much ADO about Data Access.

Reading Rows Using a Query with No Parameters

Simple queries consisting of an inline SQL statement or a stored procedure, which take no parameters, can be executed using the ExecuteReader method overload that accepts a CommandType value and a SQL statement or stored procedure name as a string.

// Call the ExecuteReader method by specifying just the stored procedure name.
using (IDataReader reader = namedDB.ExecuteReader("MyStoredProcName"))
{
  // Use the values in the rows as required.
}

Reading Rows Using an Array of Parameter Values

While you may use simple no-parameter stored procedures and SQL statements in some scenarios, it’s far more common to use queries that accept input parameters that select rows or specify how the query will execute within the database server. If you use only input parameters, you can wrap the values up as an Object array and pass them to the stored procedure or SQL statement. Note that this means you must add them to the array in the same order as they are expected by the query, because you are not using names for these parameters—you are only supplying the actual values. The following code shows how you can execute a stored procedure that takes a single string parameter.

// Call the ExecuteReader method with the stored procedure
// name and an Object array containing the parameter values.
using (IDataReader reader = defaultDB.ExecuteReader("ListOrdersByState",
                                      new object[] { "Colorado" }))
{
  // Use the values in the rows as required - here we are just displaying them.
  DisplayRowValues(reader);
}

Retrieving XML Data

The Data Access block provides the ExecuteXmlReader method for querying data as XML. It takes a SQL statement that contains the FOR XML statement and executes it against the database, returning the result as an XmlReader. You can iterate through the resulting XML elements or work with them in any of the ways supported by the XML classes in the .NET Framework. However, as SQLXML is limited to SQL Server (the implementations of this type of query differ in other database systems), it is only available when you specifically use the SqlDatabase class (rather than the Database class).

The following code shows how you can obtain a SqlDatabase instance, specify a suitable SQLXML query, and execute it using the ExecuteXmlReader method.

// Resolve a SqlDatabase object from the container using the default database.
SqlDatabase sqlServerDB
    = EnterpriseLibraryContainer.Current.GetInstance<Database>() as SqlDatabase;

// Specify a SQL query that returns XML data.
string xmlQuery = "SELECT * FROM OrderList WHERE State = @state FOR XML AUTO";

// Create a suitable command type and add the required parameter
// NB: ExecuteXmlReader is only available for SQL Server databases
using (DbCommand xmlCmd = sqlServerDB.GetSqlStringCommand(xmlQuery))
{
  xmlCmd.Parameters.Add(new SqlParameter("state", "Colorado"));
  using (XmlReader reader = sqlServerDB.ExecuteXmlReader(xmlCmd))
  {
    // Iterate through the elements in the XmlReader
    while (!reader.EOF)
    {
      if (reader.IsStartElement())
      {
        Console.WriteLine(reader.ReadOuterXml());
      }
    }
  }
}

Retrieving Single Scalar Values

A common requirement when working with a database is to extract a single scalar value based on a query that selects either a single row or a single value. This is typically the case when using lookup tables or checking for the presence of a specific entity in the database. The Data Access block provides the ExecuteScalar method to handle this requirement. It executes the query you specify, and then returns the value of the first column of the first row of the result set as an Object type. This means that it provides much better performance than the ExecuteReader method, because there is no need to create a DataReader and stream the results to the client as a row set. To maximize this efficiency, you should aim to use a query that returns a single value or a single row.

The ExecuteScalar method has a set of overloads similar to the ExecuteReader method we used earlier in this chapter. You can specify a CommandType (the default is StoredProcedure) and either a SQL statement or a stored procedure name. You can also pass in an array of Object instances that represent the parameters for the query. Alternatively, you can pass to the method a Command object that contains any parameters you require.

The following code demonstrates passing a Command object to the method to execute both an inline SQL statement and a stored procedure. It obtains a suitable Command instance from the current Database instance using the GetSqlStringCommand and GetStoredProcCommand methods. You can add parameters to the command before calling the ExecuteScalar method if required. However, to demonstrate the way the method works, the code here simply extracts the complete row set. The result is a single Object that you must cast to the appropriate type before displaying or consuming it in your code.

// Create a suitable command type for a SQL statement.
// NB: For efficiency, aim to return only a single value or a single row.
using (DbCommand sqlCmd
       = defaultDB.GetSqlStringCommand("SELECT [Name] FROM States"))
{
    // Call the ExecuteScalar method of the command.
    Console.WriteLine("Result using a SQL statement: {0}",
                       defaultDB.ExecuteScalar(sqlCmd).ToString());
}

// Create a suitable command type for a stored procedure.
// NB: For efficiency, aim to return only a single value or a single row.
using (DbCommand sprocCmd = defaultDB.GetStoredProcCommand("GetStatesList"))
{
    // Call the ExecuteScalar method of the command.
    Console.WriteLine("Result using a stored procedure: {0}",
                       defaultDB.ExecuteScalar(sprocCmd).ToString());
}

Updating Data

The following code from the example application for this chapter shows how you can use the ExecuteNonQuery method to update a row in a table in the database. It updates the Description column of a single row in the Products table, checks that the update succeeded, and then updates it again to return it to the original value (so that you can run the example again). The first step is to create the command and add the required parameters, as you’ve seen in earlier examples, and then call the ExecuteNonQuery method with the command as the single parameter. Next, the code changes the value of the command parameter named description to the original value in the database, and then executes the compensating update.

string oldDescription
    = "Carries 4 bikes securely; steel construction, fits 2\" receiver hitch.";
string newDescription = "Bikes tend to fall off after a few miles.";

// Create command to execute the stored procedure and add the parameters.
DbCommand cmd = defaultDB.GetStoredProcCommand("UpdateProductsTable");
defaultDB.AddInParameter(cmd, "productID", DbType.Int32, 84);
defaultDB.AddInParameter(cmd, "description", DbType.String, newDescription);

// Execute the query and check if one row was updated.
if (defaultDB.ExecuteNonQuery(cmd) == 1)
{
  // Update succeeded.
}
else
{
    Console.WriteLine("ERROR: Could not update just one row.");
}

// Change the value of the second parameter
defaultDB.SetParameterValue(cmd, "description", oldDescription);

// Execute query and check if one row was updated
if (defaultDB.ExecuteNonQuery(cmd) == 1)
{
  // Update succeeded.
}
else
{
    Console.WriteLine("ERROR: Could not update just one row.");
}

Be sure to check out Chapter 2 – Much ADO about Data Access for much more details and examples.

Today’s threats are increasing with each passing day and I would go so far to say that many individuals do not understand nor take the time to properly address security. In fact the Software Engineering Institute at Carnegie Mellon states:

1. Many users have a tendency to click on links without considering the risks of their actions.
2. Web page addresses can be disguised or take you to an unexpected site.
3. Many web browsers are configured to provide increased functionality at the cost of decreased security.
4. New security vulnerabilities may have been discovered since the software was configured and packaged by the manufacturer.
5. Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
6. Third-party software may not have a mechanism for receiving security updates.
7. Many web sites require that users enable certain features or install more software, putting the computer at additional risk.
8. Many users do not know how to configure their web browsers securely.
9. Many users are unwilling to enable or disable functionality as required to secure their web browser.

Each of these points demonstrate the need for a mechanism that the average person can utilize to reduce the risk across the internet. Going back to the example of online banking, what would you say if you could simply boot off a DVD into a Linux Operating system and protect you credentials? This is entirely possible with Lightweight Portable Security (LPS) which was developed by the United States Air Force.

LPS differs from traditional operating systems in that it isn’t continually patched. LPS is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session.

LPS is updated on a regular basis (at least quarterly patch and maintenance releases). Update to the latest versions to have the latest protection.

For those that are not familiar with Linux there is nothing to fear. Go grab yourself a download of Lightweight Portable Security (LPS) and see for yourself just how easy LPS is and protect yourself at the same time.

Books and Whitepapers

Discover how to protect yourself from Firesheep and other Sidejacking attacks! The release of the Firesheep Wi-Fi attack tool has increased awareness among both users and attackers of the inherent insecurity of unprotected HTTP connections. Firesheep allows an attacker connected to the local network to monitor the web sessions of other users on that network. As experts proclaimed in reaction to Firesheep, the best solution to the problem is to use TLS/SSL for all connections to web sites, including the home page. Download ” Protecting Users From Firesheep and other Sidejacking Attacks with SSL” to learn how to avoid these attacks.

The Web Security Challenge: A Competitive Guide to Selecting Secure Web Gateways. In the search for reliable, comprehensive Web security, there is a clear leader. Third-party testing confirms that only Websense Web Security Gateway meets or exceeds industry analyst criteria across nine functional areas including malware protection, data loss prevention, and Web 2.0 threat detection accuracy when tested against competitive products.

Now to say that there are many security tools available in BackTrack would be an understatement. In fact there is so many available that I would never start to list theme here. If you wish to see for yourself, simply execute the following within your terminal instance:

[code]
dpkg –list
[/code]

To be honest I have just recently begun experimenting with BackTrack and I have a great deal of learning ahead of me. For that reason I felt compelled to share the following video tutorials, books, and how-to guides that I could locate. Should you have any tips or resources please leave a comment.

Video Tutorials

Guides

• BackTrack User Guide from Braton Groupe sarl.

Books

On January 1, 2012, I will giving away this theme. Wardrobe provides exceptional control for all aspects of your e-Commerce website. Whether you’re already running an online fashion store that needs updating, or planning to build a new WordPress-powered online store, the Wardrobe theme will be incredibly valuable to you. The pre-made template makes the job of putting up an online store easy without much complication.

Wardrobe has a simplified design with clean graphics and good use of color that shift the visitors’ focus to the products. Uncluttered design that makes great use of white space making it easier for the user to understand how to navigate and use the site.

Limited offer: Have 23 ColorLabs #WordPress themes for only $49! colorlabs.co/rtRuTA

— ColorLabs & Company (@ColorLabs) January 6, 2012

Features

• Automatic thumbnail resizer: Theme is powered with a script that automatically generates thumbnails from your post images. This will save you time and make your web site easy to re-design.
• Theme administration panel:Manage important theme elements from a dedicated panel and be free from the hassle of editing codes. Here you can integrate your web site with AdSense, Analytics and Feedburner in a few clicks.
• WordPress threaded comments:Optimize user discussion on your web site with WordPress threaded comments. Say ‘goodbye’ to hard-to-follow comment posts and ‘hello’ to neatly organized comment threads.
• Cross-browser compatibility: Coded and designed according to web standards. This ensures complete accessibility and compatibility in modern internet browsers, such as Firefox, Safari, Chrome and many others.

Contest Rules

Entering the contest is simple. All that is required is to follow @raddevelopment and leave a comment on this blog post that ranges between 100 – 200 words as to why you’re deserving of the free copy.

At the time of the drawing, January 2, 2012, Radical Development will select one random winners so be sure to follow the rules to win!

Summary of Rules and Regulations

To enter to win a single copy of the Colorlabs Wardrobe WordPress Theme, $69.00 retail value of prize, no purchase is necessary. Contest closes at midnight of January 2, 2012. If you’re selected as a winner, you must provide a valid email address.

Complete Rules and Regulations

1. This contest is open to residents of the United States of America, except employees of Radical Development who is sponsoring the Promotion and their affiliates.
2. The chance of being selected will depend on the total number of eligible entries received. If the selected entrant cannot be contacted by the email address provided in the comment within 10 days of being selected, he/she will not be eligible to win the prize and an alternate entrant will be randomly selected.
3. The prize is not transferable or convertible into cash or otherwise and must be accepted as awarded.
4. The right is reserved to terminate or withdraw this contest at any time without prior notice.
5. This contest is subject to all and Federal, State and Municipal laws and regulations. Void where prohibited.
6. Radical Development and its affiliates accept no liability or responsibility in connection with injuries, loss or damage of any kind arising out of this contest or prize. Entries not meeting the guidelines or irregular in any way will be considered void.
7. There is no technical support from Radical Development nor Colorlabs and Company.
8. Good luck.

Pencil Project for Firefox

The popular and fairly powerful Pencil Project is a free and opensource Firefox addon tool for making diagrams and GUI prototyping with a multitude of features. With its built-in stencils for diagramming and prototyping, the option for multi-page documents with background pages, its on-screen text editing with rich-text support and with its new cababiltity of exporting to HTML, PNG or Openoffice formats, makes this addon essential for any developer or designer.

Mockingbird

Mockingbird is an online tool that makes it very easy for you to create, link together, preview, and share mockups of your website or application. With its clean and clear interface, drag and drop functions, snap-to-grid, unlimited page linking and pretty much all the UI elements you could ever need, it all adss up to making Mockingbird our favorite wireframe app on this page.

Cacoo

Cacoo is a user friendly online drawing tool that allows you to create a variety of diagrams such as site maps, wire frames, UML and network charts. It allows for multiple users to edit the same diagram in a simultaneous collaboration with all the tools and features you would expect from an online wireframe app. Diagrams created with Cacoo can be shared and allows you to paste the code into Web applications such as Wikis and Blogs, and when the original diagram is edited the pasted graphic will be automatically updated, removing the need to upload the diagram each time it is updated.

Balsamiq Mockups

Using Balsamiq Mockups feels like you are drawing, but it’s digital, so you can tweak and rearrange controls easily, and the end result is much cleaner. With 75 pre-built controls to choose from, you can design anything from a super-simple dialog box to a full-fledged application, from a simple website to a Rich Internet Application.

FlairBuilder

FlairBuilder comes with over 60 different wireframe components. They help you quickly build wireframe designs out of commonly used website elements. It doesn’t matter whether you build simple, text based websites, or rich internet applications. FlairBuilder has all you need to get started and up to speed. FlairBuilder also has mobile applications elements, so you can design the entire experience for your customers. Currently iPhone is supported mostly, but more platforms are easy to build using existing components.

ProtoShare

ProtoShare is an online, collaborative, website wireframing/website prototyping tool that reduces interactive project rework while increasing profits. Combined with aggressive product pricing, ProtoShare has become the value leader and the fastest growing tool in the industry. Real-time feedback allows your team to share early and share often—a process that brings great ideas to life. ProtoShare’s easy online collaboration gives key stakeholders project visibility. When you get buy-in early, last-minute surprises, delays, and costly late stage rework are significantly reduced.

Foundation of Security

1. Authentication: Addresses the question: who are you? It is the process of uniquely identifying the clients of your applications and services.
2. Authorization: Addresses the question: what can you do? It is the process that governs the resources and operations that the authenticated client is permitted to access.
3. Auditing:Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that a user cannot deny performing an operation or initiating a transaction.
4. Confidentiality: Referred to as privacy, is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network.
5. Integrity: The guarantee that data is protected from accidental or deliberate (malicious) modification. Like privacy, integrity is a key concern.
6. Availability: From a security perspective, availability means that systems remain available for legitimate users.

Two main approaches exist for input validation which are called whitelisting and blacklisting.

Whitelist

A term used to describe a list or register of entities that, for one reason or another, are being provided a particular privilege, service, mobility, access or recognition. As a verb, to whitelist can mean to authorize access or grant membership. Conversely, blacklist is a term used to describe a list or compilation that identifies entities that are denied, unrecognised, or ostracised.

Blacklist

A list or register of entities who, for one reason or another, are being denied a particular privilege, service, mobility, access or recognition. As a verb, to blacklist can mean to deny someone work in a particular field, or to ostracize a person from a certain social circle. Conversely, a whitelist is a list or compilation identifying entities that are accepted, recognized, or privileged.

Both blacklisting and whitelisting are valuable tools when it comes to data validation. Typically the best approach is to adopt whitelisting and define what type of data is acceptable where blacklisting is defining data types that are unacceptable. Think about it, if you’re collecting an email address does it not make sense to address the acceptable data entry rather than what is unacceptable?

A simple regular expression used for whitelisting an email address:

^[w-]+(.[w-]+)*@([a-z0-9-]+(.[a-z0-9-]+)*?.[a-z]{2,6}|(d{1,3}.){3}d{1,3})(:d{4})?$

Matches a valid email address including ip’s which are rarely used. Allows for a-z0-9_.- in the username, but not ending in a full stop i.e user.@domain.com is invalid and a-z0-9- as the optional sub domain(s) with domain name and a 2-7 char (a-z) tld allowing for short tld’s like ca and new ones like museum.

The blacklisting approach is often avoided where possible because it only protects against threats the developer could think of at the time of its creation. This means the blacklist might miss new attack vectors and have higher maintenance costs when compared to a whitelist.

Input Validation best practices:

• Apply whitelists (known good values) where possible.
• Check for content (i.e. 0-9), minimum and maximum lengths and correct syntax of all inputs.

Obviously, there is a great deal of different kinds of data types that must be validated. But where does this data get into your program? The answer is from a surprising number of places; in fact, your application may be collecting data from a would be attacker in ways you weren’t prepared for or maybe have not even considered.

Related Books

The reason I am asking this question is because Scott Hanselman recently wrote about a service he noticed running on his system named “netsession_win.exe” and he was not entirely positive where it came from.

I understand why a vendor would use third party products within their own software but the problem in my mind is the end consumer must be able to clearly understand what is occurring on their computer for a number of reasons. First, security has to always be taken into consideration and secondly maybe the consumer simply does not want services similiar to “netsession_win.exe” installed and executing at any level. Could this service in question be all bad? To answer that we must first understand what it is.

Upon closer investagion, it becomes apparent that “netsession_win.exe” is a product from Akamai which is known for content delivery networks. Here is how Akamai expains this service:

The Akamai NetSession Interface is distributed networking software which greatly enhances the quality and speed of downloads and video streams you get from websites that support Akamai technology. The Akamai NetSession Interface handles the caching, reflecting and sending of files delivered to you through the Akamai network. The software is safe and secure, and does not contain any adware or spyware and never will. It can also be easily removed if you no longer wish to use it.

At this point, we the consumers are placing a great deal of trust into the hands of Akamai and the larger question is should this be the case. In my opinion the answer is no! Think about this for a moment, the Akamai NetSession Interface works as follows:

1. downloading from multiple sources of a file simultaneously
2. capable of connecting to other end user machines to help speed delivery
3. continually looking for (and connecting to) faster/nearer sources of a file
4.  intelligently routing your download around network congestion and traffic spikes

Does the above sound even remotely familiar? This technology sounds a lot like a BitTorrent. The most alarming aspect of the Akamai NetSession Interface is it is integrated with other applications that you may install and because of this you have no way to disable or uninstall the Akamai NetSession Interface without uninstalling the original software which introduced it in the first place.

In closing, I am not okay with this type of technology being installed and executing on my own computer without my express permission. What say you?

Related Books

References

1. CSI: My Computer – What is netsession_win.exe from Akamai and how did it get on my system?
2. Akamai NetSession Interface FAQ

Security Threats

The single toughest challenge is trust.  Most organizations outsource cloud storage needs to vendors like Amazon and by doing so, it is imperative to understand the roles and responsibilities of this type of relationship.  In fact, organizations begun building upon this trust many turned to third party identity and access management (IAM) services to further strengthen security (Rai, & Chukwuma, 2009).  IAM is essential to control who has access and what system interfaces are established.  With traditional managed servers, the cloud is no different when it comes to threats such as viruses, hackers, and cyber-attacks (Bisong, & Rahman, 2011).  The risk can vary and present new concerns that an organization must consider.  Outside the obvious data leaks, insider threats, and application interfaces comes the unknown of regional distribution.  History has demonstrated down time can cascade to affect a number of organizations, just look at the recent Amazon outage (Bisong, & Rahman, 2011).

Responsibility

The topmost level of security starts with the Chief Information Security Officer (CISO) however it does not end there.  This role serves to establish continuity, disaster recovery, policies, and strategies (Dawson, Burrell, Rahim, & Brewster, 2010).  All employees at every level are to be held accountable but this requires that management and leaders must be responsible.  In order to achieve security the responsibility stakeholders must start with defining policy and procedures that drive daily activities and responses in term of protecting data and infrastructure.  The process does not stop once policies and defined, there must be continuing reviews and defined education.

Cloud Provider Questions

As cloud computing is being considered there are a number of topics to consider.  To understand the pros and cons as well as the vulnerabilities a number of questions are to be asked, for example:

• Compliance and Auditing
• Portability
• Encryption and Key Management

At the end of the day, the organization purchasing a cloud computing option is and always will be responsible for data (Everett, 2009).

Security Provisions

The business requirements of any organization will drive the components that make up secure computing (see Figure 1).  Taking the service needs in account will assist in performing a risk assessment and how the risk are to be mitigated and controlled.  This conclusion then is incorporated into Service Level Agreements (SLA) whereby expectations are clearly defined (Blandford, 2011).  At this stage, the decision is made what operations are candidates for cloud computing and what are not.  Remember there will always be instances where propriety information must be protect and there may even be conditions where you’re performing work for the Department of Defense (DOD) for example where no level of assurance can be achieved.

References

1. Rai, S., & Chukwuma, P. (2009). Security in a Cloud. Internal Auditor, 66(4), 21-23. Retrieved from http://www.theiia.org
2. Bisong, A., & Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & Its Applications, 3(1), 30-45. doi:10.5121/ijnsa.2011.3103
3. Dawson, M., Burrell, D., Rahim, E., & Brewster, S. (2010). Examining the role of the Chief Information Security Officer (CISO) & security plan. Journal of Information Systems Technology & Planning, 3(6), 1-5. Retrieved from http://www.intellectbase.org
4. Everett, C. (2009). Cloud computing – A question of trust, Computer Fraud & Security, 2009(6), 5-7. doi:10.1016/S1361-3723(09)70071-5
5. Blandford, R. (2011). Information security in the cloud. Network Security, 2011(4), 15-17. doi:10.1016/S1353-4858(11)70040-X

Tooling

The Nessus vulnerability scanner is the world-leader in active scanners with more than five million downloads to date. Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks. Commercial organizations that use the Tenable Nessus network vulnerability scanner must purchase a ProfessionalFeed subscription to scan their network, obtain support, updates to their database of vulnerability checks and compliance auditing. Each ProfessionalFeed subscription costs $1,200 per year, per Nessus scanner and may be purchased from Tenable’s ProfessionalFeed Partners or directly from Tenable’s online store.

Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are avalable for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what’s going on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.

Fortify 360 is a suite of tightly integrated solutions for identifying, prioritizing, and fixing security vulnerabilities in software. It automates key processes of developing and deploying secure applications. It helps you resolve software vulnerabilities using the only solution that fully integrates vulnerability analysis across the entire software life cycle—from development to QA testing and even to already deployed applications. Fortify 360 and related Fortify SSA solutions provide you with everything you need to ensure your software is inherently safe and empowers your organization to cost-effectively implement Software Security Assurance (SSA) methods.