Daily Archives: November 12, 2010

Microsoft moves ahead with ASP.Net MVC3

By Paul Krill

Microsoft made available this week a release candidate for its ASP.Net MVC (Model View Controller) 3 framework.

Downloadable at Microsoft's Web site, the software enables development of Web applications via a Model View Controller pattern and represents the third version of the platform. An MVC framework is provided atop the .Net 4 runtime. Release candidates generally are the final stage before a general release of technology.

“ASP.Net MVC3 is a pretty sweet release and adds a ton of new functionality and refinements. It is also backward-compatible with ASP.Net MVC V1 and V2 — which makes it easy to upgrade existing apps,” said Scott Guthrie, corporate vice president of the Microsoft Developer Division, in a blog post.

Among the features in version 3 is Razor, a compact view engine for ASP.Net. Razor Intellisense, for coding assistance, is now supported within Visual Studio and the free Visual Web Developer Express tool.

The NuGet package manager, previously called NuPack, is an open source package manager automatically installed in ASP.Net MVC 3, Guthrie said. “We think NuGet will enable all .Net developers (not just ASP.Net MVC ones) to be able to more easily leverage and share functionality across the community, and make building .Net applications even better.”

Partial page output caching in ASP.Net MVC 3 allows developers to output cache regions or fragments of a response, instead of the full response. Also, AJAX and validation helpers now use an unobtrusive JavaScript approach by default, said Guthrie. “Unobtrusive JavaScript avoids injecting inline JavaScript into HTML markup and instead enables cleaner separation of behavior using the new HTML 5 ‘data-’ convention (which conveniently works on older browsers — including IE6 — as well). This makes your HTML smaller and cleaner, and makes it easier to optionally swap out or customize JS libraries.”

Also with version 3, the “New Project” dialog box has been improved. Scaffolding improvements include templates that do a better job of identifying ID/Primary Key properties on models and handle them appropriately.

IT industry news: Google Instant Previews highlights importance of site design

By Paul Davis

Google Instant’s latest update may encourage web designers to focus more on the layout of their website rather than just the content.

The update allows users to glimpse the site they are searching for in a pop-up window on the search results page before clicking through to it.

Those considering taking web design courses may be particularly interested in the development as it could change the way in which sites are designed, according to some commentators.

Rebecca Lieb, vice president of digital marketing firm Econsultancy’s North American operation, said that design will become increasingly important as websites will be compared visually by users at the point of search.

“Think supermarket shelf display. Clean, uncluttered design that pops even at a reduced size may matter – a lot,” she said.

Earlier this week search engine Ask.com announced that it would be withdrawing from the search market and focusing purely on its original question and answer service, citing the high cost of algorithmic search services as one of the reasons for its repositioning.

A Security ‘Patch’ For Web Development Frameworks

By Kelly Jackson Higgins

WASHINGTON, D.C. — OWASP AppSec DC 2010 — A panel of application security experts here yesterday concurred that secure Web development is broken and debated ways to fix the frameworks so developers can write more secure applications.

“What if some frameworks had security features built into them that wouldn’t make security an afterthought?” says Rafal Los, Web application security evangelist for the HP Software and Solutions business at HP. “What if we fixed the frameworks so it was harder to write insecure code, and that you had to [actually] purposely write code insecurely to make it insecure?”

Developers don’t purposely write their Web apps insecurely — they are just victims of the tools they must use, according to the panel, which was headed by Josh Abraham, security consultant with Rapid7. And with more developers using prebuilt development frameworks, such as JSF, Struts, Spring, and DWR, that weren’t designed with security in mind, it’s no wonder so many Web apps are riddled with security holes, according to the premise of the panel.

It’s not that there are no efforts to help developers write more secure code: Aside from developer training efforts, there’s OWASP’s Enterprise Security API (ESAPI), an open-source Web app security control library aimed at making secure code simpler to write.

But ESAPI hasn’t been as widely adopted thus far as its creators had hoped, and training doesn’t scale, according to the panel. Chris Eng, senior director of research at Veracode, says his firm rarely sees organizations using it. “ESAPI has been around a long time, but very rarely do we run into [companies] using it. Why? It has fairly good protections. If it’s baking these [protections] into the framework, why hasn’t it caught on?”

Eng said he’s in favor of improving the development frameworks. He posed the possibility of a framework being built to prevent developers from writing insecure code at all: “It is possible to fix things in the framework, but what if you could make it impossible for developers to write something insecure — without them ever having to know about security?” Eng said.

Rapid7’s Abraham agreed that the ideal would be for the frameworks to make it easier to build in security and harder to write insecure code.

But it’s not so simple to retrofit legacy code, the panelists said. “Back-porting is a losing battle,” Abraham said.

It makes more sense to build security from the ground up in new generations of frameworks, the panelists agreed.

As for more extreme approaches, such as holding developers legally accountable for writing insecure code, HP’s Los said litigation isn’t the answer.

Another option would be to somehow make developers accountable for their coding within the organization. “In my ideal world, developers would have to have secure code as one of their MBOs [Management By Objectives measurements],” Veracode’s Eng said.