Saturday, September 13, 2008

97 Things Every Software Architect Should Know

It seems that software architects love to write articles. I found this link and must say that some of the articles there gave me some good ideas and nice observations. One of the short but very good articles is about "Continuously Integrate"

Saturday, August 16, 2008

protobuf for .net - protocol buffering allows communication between all languages

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats.
http://code.google.com/p/protobuf-net/
this is related to the larger project:
http://code.google.com/p/protobuf/

Wednesday, May 14, 2008

How to change data on the metabase of IIS 6

First you'll need to enable metabase editing. You can do it like this.
Then you'll need to install the metabase editor.

Once you can change metabase data you can do things like enabling gzip compression or removing/changing the IIS banner.

Tuesday, April 1, 2008

How to find security vulnerabilities in your web site

It is often said that one should build one's site as securely as possible. It is also said that one should prepare a good software design before starting to write code... Since we all know that there are glitches at some level in every aspect of most applications, we should find tools that help us find the problems we created. This is a small list of free tools that will allow you to review your website through the eyes of an attacker:

HTTPrint - this tool gives a close estimate of the web server software running the site. This gives you a good idea of how hard/easy it is for someone to find out, with high probability, which web server you are using. If the results indicate that your web server is obvious, you should start disguising some of the marks your web server leaves. For starters, get rid of the "powered by:" value in the HTTP headers...

Metasploit - once you have gathered the data on the platform you want to analyze (such as web server type, OS, service packs...) you can find out which exploits can be used against that platform.

Wikto - this tool searches for well-known directories and files (which is known as a dictionary attack). It will try to find all of the .old or .bak files you left behind, and all of the "install" folders you never deleted. This tool is most important for those who use open source products and for those who manage both deployment/operations and development (typical for small sites/companies).

Paros - a semi-automatic site crawler that works as a proxy and allows you to scan your site to find out how easy it is to find pages you are trying to hide. You can use its manual option to find so-called sophisticated links that are created dynamically using JavaScript.

Fiddler - also used for performance analysis. A simple proxy for the client that captures requests and responses and lets you tamper with them. You can also use the Tamper Data Firefox add-on to do most of the things Fiddler lets you do. Other tools that can help you analyze the web pages themselves are Firebug, or Web Developer Helper if you want to use it with MS-CMS or MOSS 2007.

If you are helping another person find the vulnerabilities in his site you can also use a port scanner to find his "secure" BackOffice ports and so on. A good one to start with is NMAP.

If worse comes to worst and you are trying to secure a huge enterprise project with a lot of money to spend and sloppy programmers, consider using an application firewall.
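The HTTPrint item above says to start by getting rid of the headers that identify your server. The following is an added example, not code from the original post or from any of the tools it lists: it takes a set of response headers (as you would copy them out of Fiddler) and reports the ones that reveal the platform. The header names are the standard ones IIS/ASP.NET emit; the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Checks captured HTTP response headers for values that identify the
// server platform: what a fingerprinting tool picks up first.
public static class BannerCheck
{
    // Header names that disclose the server stack; matched case-insensitively.
    static readonly string[] DisclosingHeaders =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    // Returns every disclosing header that is present, as "Name: value".
    public static List<string> FindDisclosures(IDictionary<string, string> responseHeaders)
    {
        return responseHeaders
            .Where(h => DisclosingHeaders.Contains(h.Key, StringComparer.OrdinalIgnoreCase))
            .Select(h => h.Key + ": " + h.Value)
            .ToList();
    }

    public static void Main()
    {
        // Constructed headers resembling an IIS 6 / ASP.NET 2.0 default response.
        var headers = new Dictionary<string, string>
        {
            { "Content-Type", "text/html; charset=utf-8" },
            { "Server", "Microsoft-IIS/6.0" },
            { "X-Powered-By", "ASP.NET" },
            { "X-AspNet-Version", "2.0.50727" },
            { "Cache-Control", "private" },
        };

        var found = FindDisclosures(headers);
        if (found.Count == 0)
            Console.WriteLine("no platform-disclosing headers");
        foreach (var d in found)
            Console.WriteLine("disclosing header -> " + d);
    }
}
```

Run it against headers captured from your own site after each configuration change; an empty result means the obvious marks are gone, but fingerprinting tools also look at header order and error-page wording, so treat the check as a first pass rather than proof.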

Thursday, March 27, 2008

Tools for debugging/analyzing web sites

I found out a couple of weeks ago about a nice Firefox add-on, "Tamper Data", that allows tampering with outgoing HTTP requests (POST, GET). The add-on even captures requests coming out of Flash, which I honestly did not expect.

This little tool can help with debugging web pages in development/production and with testing web sites for security issues.

https://addons.mozilla.org/en-US/firefox/addon/966

I can also recommend a great tool called HttpWatch which helps analyze the way your web pages load. This is usually the tool for finding performance related issues. It is much like the freeware "Fiddler", only much faster and more intuitive imho.


http://www.httpwatch.com
http://www.fiddlertool.com/fiddler/

Thursday, March 20, 2008

Extension methods for .net 3.5 developers

Found a great site with many useful extension methods for some of the main objects used in every .net application (such as string, object, DateTime...).

take a look:

http://www.extensionmethod.net

Saturday, February 9, 2008

Web site performance - don't forget the gzip

If your web server is not in a CPU-intensive situation and your bandwidth usage is high (even for some assets like image/JavaScript files) you should consider using HTTP compression - GZIP.

Read how to get it done on Microsoft TechNet.

Web site performance - don't forget the cache-control /content expiration (and a partial explanation about what is browsing from the HTTP perspective)

Cache-Control is a directive inside the HTTP header instructing the web browser and/or proxy server how to handle the data transferred. The main use of this directive is for cache handling.

Usually, when you surf to a web page for the first time, the process at the 7th OSI layer is as follows:
- The browser sends an HTTP/S request for a specific URI. For example, this is the request sent to Google when requesting the advanced-search page:

GET /advanced_search?hl=iw HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-icq, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=XXXXXXXXXXXXXXXXXX


- The web server gets the request and responds. If everything went well the HTTP header contains the response code "HTTP/1.1 200 OK", followed by the HTML content of the requested page.

- Once the client has finished receiving the content, the browser parses the data and extracts all of the assets (JavaScript, Flash, images etc.) it needs to get from the server in order to assemble and render the page. Since in this scenario it is the first time the user surfs to this page, none of the assets are stored on his hard drive in the browser's "Temporary Internet Files". The browser opens connections to the server with some level of parallelism (IE opens 2 TCP connections while Firefox acts not very politely and opens 6 TCP connections) and requests the assets. This is what it looks like when the browser requests the Google logo image:
GET /intl/en_com/images/logo_plain.png HTTP/1.1

- The server sends back the image, and within the HTTP header of the response it has the Expires directive:
Expires: Sun, 17 Jan 2038 19:14:07 GMT

- If the user's browser is using the default configuration it will store the Google logo PNG file and will keep the expiration date. If the user surfs to the Google search page again before the expiration date, the browser will not request the image from the web server. It will be taken from the hard drive (or memory - depending on the browser and the settings).

- If the user surfs to the search page again after the expiration date, the browser will detect that it has the Google logo in its cache but that its validity period has expired. The browser then adds an "If-None-Match" or an "If-Modified-Since" header field to the request with the ID of the asset:
If-None-Match: "8e9bc4e4e50c71:76f"

- The server will examine the request and decide whether the image on the server still has the same ID (meaning it has not changed) or a new ID. If the asset has changed, the server will send the new asset with the "HTTP/1.1 200 OK" code. If the asset is still the same, the server will respond with:

HTTP/1.1 304 Not Modified
Date: Sat, 09 Feb 2008 11:29:39 GMT
ETag: "8e9bc4e4e50c71:76f"

This tells the browser that the asset is still valid.


Now, as you can see, the performance hit caused by forgetting to use Cache-Control can be severe and lead to many problems such as unnecessary round-trips, slowness of the site, throughput problems and overall a crappy user experience.

So how can you set this cache control?

It can be done within your HTML code by adding meta tags such as meta http-equiv="Expires", or you can do it within your web server. On the IIS console just right-click on the asset (for a specific asset policy) or on a folder containing the assets and select: Properties -> HTTP Headers -> Enable content expiration, and choose the correct policy.
In the Apache web server you can do it in the httpd.conf file - you can read a much more detailed explanation about Apache configuration here.

Just remember - use it wisely. If you over-cache your site, your visitors will suffer from strange behaviors and out-of-date data/look-and-feel. You need to organize your asset hierarchy on the web server in a way that makes it easy to set a different policy for each asset type.
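To make the exchange above concrete, here is an added example of the server side of it, written for this page rather than taken from the post or from IIS/Apache: a handler that answers a first request with 200 plus ETag and Expires, and a revalidation carrying a matching If-None-Match with 304 and no body. The asset, its ETag and the clock values are constructed (the ETag and Date reuse the values shown in the post); the handler only implements the If-None-Match path, not If-Modified-Since.

```csharp
using System;
using System.Collections.Generic;

// A cacheable asset as the server sees it (constructed for this example).
public class Asset
{
    public string ETag;       // quoted, exactly as it goes on the wire
    public byte[] Body;
    public TimeSpan MaxAge;   // how long a client may reuse its copy without asking
}

public class HttpReply
{
    public int Status;
    public Dictionary<string, string> Headers = new Dictionary<string, string>();
    public byte[] Body;       // null on 304: the client keeps its cached copy
}

public static class CacheHandler
{
    // 'now' must be UTC; HTTP dates are always expressed in GMT.
    public static HttpReply Handle(IDictionary<string, string> requestHeaders, Asset asset, DateTime now)
    {
        var reply = new HttpReply();
        // Validators go on every answer so the client can revalidate later.
        reply.Headers["ETag"] = asset.ETag;
        reply.Headers["Date"] = now.ToString("R");                      // RFC 1123 form
        reply.Headers["Expires"] = (now + asset.MaxAge).ToString("R");

        string ifNoneMatch;
        if (requestHeaders.TryGetValue("If-None-Match", out ifNoneMatch)
            && ETagMatches(ifNoneMatch, asset.ETag))
        {
            reply.Status = 304;   // Not Modified: headers only, no body
            return reply;
        }

        reply.Status = 200;
        reply.Body = asset.Body;
        reply.Headers["Content-Length"] = asset.Body.Length.ToString();
        return reply;
    }

    // If-None-Match may carry several tags or "*"; weak tags ("W/...") match as well.
    static bool ETagMatches(string ifNoneMatch, string etag)
    {
        if (ifNoneMatch.Trim() == "*") return true;
        foreach (var candidate in ifNoneMatch.Split(','))
        {
            var c = candidate.Trim();
            if (c.StartsWith("W/")) c = c.Substring(2);
            if (c == etag) return true;
        }
        return false;
    }

    public static void Main()
    {
        var logo = new Asset
        {
            ETag = "\"8e9bc4e4e50c71:76f\"",
            Body = new byte[1024],                 // constructed placeholder image bytes
            MaxAge = TimeSpan.FromDays(365)
        };
        var now = new DateTime(2008, 2, 9, 11, 29, 39, DateTimeKind.Utc);

        // First visit: no validators in the request, full response expected.
        var first = Handle(new Dictionary<string, string>(), logo, now);
        Console.WriteLine("first visit: " + first.Status + ", Expires: " + first.Headers["Expires"]);

        // After the Expires date the browser revalidates with the stored ETag.
        var revalidate = new Dictionary<string, string> { { "If-None-Match", logo.ETag } };
        var second = Handle(revalidate, logo, now.AddDays(400));
        Console.WriteLine("revalidation, asset unchanged: " + second.Status);

        // The asset was replaced on the server, so its ETag differs.
        logo.ETag = "\"constructed-new-tag\"";
        var third = Handle(revalidate, logo, now.AddDays(400));
        Console.WriteLine("revalidation, asset changed: " + third.Status);
    }
}
```

The one-year Expires on the logo is the kind of policy the post warns about when applied to everything: the handler can only send a 304 for an unchanged asset, it cannot recall a cached copy early, so pages and data that change get a short or zero lifetime and only versioned static assets get the long one.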

www.highscalability.com - very good site about HPC/scalability/architecture

I consider this site a must for everyone who is interested in the realm of HPC/scalability/architecture.

You can find there detailed posts, debates and links about topics such as the YouTube/Flickr/Amazon architectures, thoughts outside the relational database model, introductions to relevant products and much more.

http://www.highscalability.com/

Tuesday, February 5, 2008

XSS in Imperva :) I found it

funny stuff:
http://www.securityfocus.com/bid/28279

c# Performance snippet - looping through a multidimensional array

Within the CLR, the JIT compiler can drop the per-access bounds check from a loop whose termination condition compares the index against the Length property of the array. This optimization is not applied to multidimensional (rectangular) arrays.
In order to achieve better performance when the need arises to use multidimensional data, it is better to use jagged arrays (an array of arrays).

Example of a jagged array:

int[][] arrJagged = new int[][]{new int[]{1,2,3,4,5},new int[]{2,3,4,5,6}};
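The following is an added example, not code from the original post: it fills the same 2-D table as a rectangular int[,] and as a jagged int[][], sums both with the loop shapes the post contrasts, and times each. The sizes and the Stopwatch harness are assumptions; absolute numbers vary per machine and CLR version, so compare the two within one run only.

```csharp
using System;
using System.Diagnostics;

public static class ArrayLoops
{
    const int Rows = 2000, Cols = 2000;   // constructed table size

    // Rectangular array: the inner loop tests against GetLength(1), which is
    // not the "i < arr.Length" shape the JIT recognizes, so every a[i, j]
    // access keeps its bounds check.
    public static long SumRectangular(int[,] a)
    {
        long sum = 0;
        for (int i = 0; i < a.GetLength(0); i++)
            for (int j = 0; j < a.GetLength(1); j++)
                sum += a[i, j];
        return sum;
    }

    // Jagged array: each row is a plain int[], so the inner loop is the
    // "j < row.Length" shape whose bounds check the JIT can eliminate.
    public static long SumJagged(int[][] a)
    {
        long sum = 0;
        for (int i = 0; i < a.Length; i++)
        {
            int[] row = a[i];
            for (int j = 0; j < row.Length; j++)
                sum += row[j];
        }
        return sum;
    }

    public static void Main()
    {
        var rect = new int[Rows, Cols];
        var jagged = new int[Rows][];
        for (int i = 0; i < Rows; i++)
        {
            jagged[i] = new int[Cols];
            for (int j = 0; j < Cols; j++)
                rect[i, j] = jagged[i][j] = (i + j) & 7;   // constructed contents
        }

        // Warm-up calls so JIT compilation time is not measured.
        SumRectangular(rect);
        SumJagged(jagged);

        var sw = Stopwatch.StartNew();
        long s1 = SumRectangular(rect);
        sw.Stop();
        Console.WriteLine("rectangular: sum=" + s1 + ", " + sw.ElapsedMilliseconds + " ms");

        sw = Stopwatch.StartNew();
        long s2 = SumJagged(jagged);
        sw.Stop();
        Console.WriteLine("jagged:      sum=" + s2 + ", " + sw.ElapsedMilliseconds + " ms");
    }
}
```

The sums must be equal; if the jagged loop is not measurably faster on your machine, check that you are running a Release build, since the Debug JIT keeps the bounds checks in both loops.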

Thursday, January 10, 2008

c# Performance snippet - checking if a string is null

Best practice for checking whether a string is empty is (s.Length == 0). It is more than 2 times faster than comparing to string.Empty. Note that Length is read from the string object, so on a null reference it throws a NullReferenceException; guard against null first if the value can be null.

c# Performance snippet - Using static string.equals

When comparing two strings it is recommended to do it using the static string.Equals method. The reason is that this method performs some short-circuit checks before actually comparing each character. For example, if you are writing generic code that may receive null as one of the strings, the static method handles that case without throwing. Also, if you pass the same string object twice, reference equality is detected, saving you the character-by-character comparison.
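The two snippets above (the empty check and the static string.Equals) are exercised together in this added example, which is not code from the original posts. It shows which forms survive a null input, since null handling is where the instance-method versions fail; the sample strings are constructed.

```csharp
using System;

public static class StringChecks
{
    // The (s.Length == 0) check, usable only after a null guard:
    // s.Length on a null reference throws NullReferenceException.
    public static bool IsEmptyOrNull(string s)
    {
        return s == null || s.Length == 0;
    }

    // Static Equals: same reference -> true; either side null -> false
    // (both null -> true); different lengths -> false; only then the
    // character comparison. It never throws.
    public static bool SameText(string a, string b)
    {
        return string.Equals(a, b);
    }

    // Instance Equals on a null receiver throws; this wrapper reports that
    // instead of letting the exception escape, so the difference is visible.
    public static string InstanceEqualsOutcome(string a, string b)
    {
        try
        {
            return a.Equals(b).ToString();
        }
        catch (NullReferenceException)
        {
            return "NullReferenceException";
        }
    }

    public static void Main()
    {
        string none = null, empty = "", word = "metabase";
        // A distinct object with the same characters forces the character compare.
        string copy = new string(word.ToCharArray());

        Console.WriteLine("IsEmptyOrNull(null)  = " + IsEmptyOrNull(none));
        Console.WriteLine("IsEmptyOrNull(\"\")    = " + IsEmptyOrNull(empty));
        Console.WriteLine("IsEmptyOrNull(word)  = " + IsEmptyOrNull(word));

        Console.WriteLine("static  Equals(null, null)  = " + SameText(none, none));
        Console.WriteLine("static  Equals(null, word)  = " + SameText(none, word));
        Console.WriteLine("static  Equals(word, word)  = " + SameText(word, word));
        Console.WriteLine("static  Equals(word, copy)  = " + SameText(word, copy));
        Console.WriteLine("instance null.Equals(word)  = " + InstanceEqualsOutcome(none, word));
        Console.WriteLine("instance word.Equals(copy)  = " + InstanceEqualsOutcome(word, copy));
    }
}
```

Both string.Equals forms are ordinal comparisons; if the code is comparing user-supplied text against a configured value for an authorization decision, keep it ordinal and do not switch to a culture-sensitive comparison, which can match strings that are not byte-for-byte identical.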

c# Performance snippet - Sending value types to function as REF

Something new I've found out is that if you have a function that you call many times and it has value-type parameters, it's worth considering passing these parameters as ref. By doing so you'll send only the memory address and not generate a new copy of the value type.
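As an added example, not code from the original post, the following times a 64-byte struct passed by value (copied on every call) against the same struct passed by ref (only an address is passed). The struct layout, iteration count and Stopwatch harness are assumptions.

```csharp
using System;
using System.Diagnostics;

// A deliberately large value type: 8 doubles = 64 bytes per copy.
public struct Block64
{
    public double A, B, C, D, E, F, G, H;
}

public static class RefPassing
{
    const int Iterations = 50000000;   // constructed loop count

    // By value: all 64 bytes are copied into the callee's frame on each call.
    public static double SumCornersByValue(Block64 b)
    {
        return b.A + b.D + b.E + b.H;
    }

    // By ref: the callee reads the caller's instance in place through its address.
    public static double SumCornersByRef(ref Block64 b)
    {
        return b.A + b.D + b.E + b.H;
    }

    public static void Main()
    {
        var block = new Block64 { A = 1, D = 2, E = 3, H = 4 };
        double acc = 0;

        var sw = Stopwatch.StartNew();
        for (int i = 0; i < Iterations; i++)
            acc += SumCornersByValue(block);
        sw.Stop();
        Console.WriteLine("by value: " + sw.ElapsedMilliseconds + " ms (acc=" + acc + ")");

        acc = 0;
        sw = Stopwatch.StartNew();
        for (int i = 0; i < Iterations; i++)
            acc += SumCornersByRef(ref block);
        sw.Stop();
        Console.WriteLine("by ref:   " + sw.ElapsedMilliseconds + " ms (acc=" + acc + ")");
    }
}
```

Two caveats when applying this: the JIT may inline methods this small and erase the difference, and for a primitive such as int or double the copy is no larger than the address, so the gain only shows with bigger structs. Passing by ref also lets the callee modify the caller's variable, which the by-value version cannot do, so it changes the method's contract and not just its speed.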