.NET Application Testing And Security archives - .NET Developments


Feb 2 2009   1:08PM GMT

Windows 7’s UAC has a security flaw



Posted by: Yuval Shavit
.NET application testing and security, Windows 7

A couple blog entries ago, I mentioned that among Windows 7’s improvements is a fix to the user account control (UAC) functionality introduced in Vista. UAC was always a good — and overdue — idea, but Vista’s implementation was annoyingly chatty. Windows 7 would fix that, I wrote.

A security hole has been found in Windows 7’s UAC that lets a script disable future UAC warnings, according to blogger Long Zheng. I haven’t tested it yet (our work machines still run XP), but Zheng’s blog entry includes proof-of-concept code. According to the blog, the issue had previously been marked as a bug on Microsoft Connect, but Microsoft closed the issue as “by design.”

The easy fix is to set your UAC warning level to always ask for confirmation, even if it’s just to set system settings. That means malicious code won’t be able to disable UAC behind your back, but it also means UAC will be back to its annoying Vista persona.

Let this be a reminder to us all: convenience and security are often at odds. But too many warnings are a problem too, as users are apt to just click “yes” without reading your warning message. Striking the right balance between giving users power, giving them options, giving them convenience and giving them security is always difficult.

Mar 27 2008   1:33PM GMT

Application threats seen to radio programmable pacemakers



Posted by: Jack Vaughan
.NET application testing and security

How much foresight must engineers have? At what point do threats become absurdly remote? The questions arise as I look at an item that recently crossed my desk. It provides a view into a future in which application security will endlessly enter uncharted regions. It has to do with hacking pacemakers via radio.

“Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” describes a study that University of Washington and University of Massachusetts researchers undertook to measure the security and privacy properties of implantable defibrillators that support radio-based reprogramming. Read more on SearchSoftwareQuality.com.



Jan 30 2008   1:20PM GMT

Good manners: Unit test syntax and semantics



Posted by: Jack Vaughan
.NET application testing and security

Microsoft MVP Roy Osherove is at work on a book about the art of unit testing. It is interesting to read his site as his thinking evolves and his book moves to completion.

For an example, see a recent post concerning unit testing semantics and syntax. Osherove says he sees a trend that accompanies greater use of Domain Specific Languages (DSLs), in which developers create more readable syntaxes for tests and specifications.

Osherove asks for input and notes that consistent naming conventions for unit tests are still something people are striving to achieve. Learning and relearning test-related languages seems to come with the territory. What do you think?


Jan 17 2008   12:09PM GMT

XUnit unit test framework ready for its close-up



Posted by: Jack Vaughan
.NET application testing and security, .NET programming downloads

James Newkirk - an original NUnit developer - and Brad Wilson recently shared some more of their work on the XUnit test framework. The download is available on the CodePlex site.

According to Ben Hall, blogger and Red Gate Software test engineer, the framework itself “is…built using .NET Framework 2.0, doesn’t require any installation (XCopy) which makes it great for storing in source control and includes a TestDriven.NET runner, ReSharper runner and a console runner for executing the tests.”

Hall digs into the XUnit innards and says it has some really interesting concepts. He looks forward to V.1 and thereafter. One wonders, can XUnit ever win a place in developers’ hearts akin to NUnit?


Dec 7 2007   1:04PM GMT

Brushing up on .NET architecture



Posted by: Brian Eastwood
Methodologies (Team Development, Agile and so forth), ORM (Object-relational mapping), .NET application testing and security

One primary aim in relaunching SearchWindevelopment.com is to focus greater attention on .NET architecture. Web services, workflow, object-relational mapping and other concepts continue to change the way applications are assembled, and, just as you don’t want to find yourself in the dark, neither do we.

Fortunately, SearchWindevelopment.com has a great sister site, TheServerSide.NET, that focuses on issues of importance to the .NET architect. And, as TheServerSide.NET undergoes its own transition to a community-driven discussion board, SearchWindevelopment.com benefits from an infusion of articles, tutorials and book excerpts that focus on the aforementioned architectural topics.

Here is a sampling of some of that content.

Assembly versioning in the .NET Framework 2.0 – Assembly-resolution mechanisms for the .NET Framework 2.0 provide a view into the CLR, focusing on versioning and safe execution of assemblies sitting side-by-side.

Ten ways to unit test your .NET code – Verifiable code is less likely to cause problems during development and after delivery; however, it can often be difficult to write an adequate unit test, due to the way your production code is architected. In this column, Justin Gehtland looks at ten ways to structure your code to make it easier to verify with NUnit, or any other xUnit framework.

Shifts in .NET Object-Relational Mapping: Seismic and subtle – For some developers, ADO.NET is good enough to deal with their data needs. For some other developers, Object-Relational Mapping software is needed to successfully field their enterprise systems.

Scrum, Agile development methodologies mix with VSTS projects – Agile and Scrum development methodology practitioners are no longer considered renegades. At the same time, Microsoft’s Visual Studio Team System is beginning to support Scrum practices.

Book excerpt: Using the Microsoft Enterprise Library – This chapter from Effective Use of Microsoft Enterprise Library explains how to build apps using application blocks.

We hope that you find this content both useful and relevant. We also hope that you get used to it, as you will see many more articles, tutorials and book excerpts in the coming weeks.