.NET Oxford Meetup XIII: Azure Security and Infosec Fails


Last week we had our 13th .NET Oxford, with a Security double-bill from Robin Minto talking about lessons learnt from past infosec failures, and Frans Lytzen telling us about how to secure your webapps in Azure!


Both speakers have spoken at .NET Oxford before - Frans did a deep dive into Async/Await at our second ever meetup in March last year, and a lightning talk on GDPR for Developers in July last year, and Robin did a lightning talk on OWASP ZAP, also in July last year. Great to have them back last week - we must be doing something right!

Intro Talk

As usual, I kicked off with the intro talk, thanking the sponsors (see below), and also going through the news items and prize draws. Matt, the other organiser, would have been doing the intro this time, but unfortunately he had to miss it due to work commitments. Which means that I can relax a bit next week at our next meetup, as it'll then be his turn! ;)

News Items

Microsoft has open-sourced WinFile!

Okay, so this one was a bit more of a light-hearted news item, but I noticed in my news feed that Microsoft had open-sourced the Windows File Manager from Windows 3.1! This works on all versions of Windows, including Windows 10. I'm not sure if this is insanely awesome, or if someone at Microsoft has way too much time on their hands! But, thought it worth adding as a news item for the comedy factor!

GitHub repository

HTTP/2 Support in Azure App Services

HTTP/2 is a new version of the HTTP protocol. It adds a number of changes to help speed up the web - for example, a single connection can now handle multiple requests in parallel, and it also adds header compression and a binary (rather than plain-text) framing format. Whilst the protocol itself doesn't require encryption, current browsers only support HTTP/2 over HTTPS, not over unencrypted connections. Which is a good thing!

Microsoft have announced that Azure App Services now supports HTTP/2. This is currently disabled by default, but will be enabled by default in the next few months. For now, you need to turn it on via a configuration setting (called http20Enabled); a Portal setting should be coming soon for this though.

Link to Announcement
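Since the setting has no Portal switch yet, the practical way to flip it is the Azure CLI. The script below is an added example written for this post, not something from the announcement or from Microsoft: it turns http20Enabled on for one App Service, reads the setting back, and then checks that the live site really negotiates HTTP/2 over TLS (curl prints a status line starting with "HTTP/2" when it does, and "HTTP/1.1" otherwise). It assumes an installed and logged-in Azure CLI, a curl built with HTTP/2 support, and that the app name and resource group are passed in by the caller; the sample header dumps used for the self-check are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the meetup post): enable HTTP/2 on an Azure App
# Service with the Azure CLI and confirm that the live site negotiates it.
# Assumptions: Azure CLI installed and logged in; curl built with HTTP/2.
# The app name and resource group are placeholders supplied as arguments.
set -u

# Turn the http20Enabled site setting on for one web app.
enable_http2() {
  local app="$1" rg="$2"
  az webapp config set --name "$app" --resource-group "$rg" \
    --http20-enabled true >/dev/null
}

# Read the setting back from Azure; prints "true" or "false".
read_http2_setting() {
  local app="$1" rg="$2"
  az webapp config show --name "$app" --resource-group "$rg" \
    --query http20Enabled --output tsv
}

# Decide from the first line of a response-header dump whether HTTP/2 was
# negotiated. curl prints "HTTP/2 200" for h2 and "HTTP/1.1 200 OK" otherwise.
# Prints "yes" or "no".
http2_negotiated() {
  local first_line
  first_line=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
  case "$first_line" in
    HTTP/2\ *) echo yes ;;
    *)         echo no ;;
  esac
}

# Fetch only the headers of the live site over TLS and classify them.
# Pass the site's host name, e.g. <app>.azurewebsites.net (placeholder).
check_live_site() {
  local host="$1"
  http2_negotiated "$(curl -sI --http2 "https://$host/")"
}

# Only talk to Azure when an app name and resource group are given, so the
# functions above can be sourced and exercised offline without credentials.
if [ "$#" -ge 2 ]; then
  enable_http2 "$1" "$2"
  echo "http20Enabled is now: $(read_http2_setting "$1" "$2")"
  echo "live site negotiated HTTP/2: $(check_live_site "$1.azurewebsites.net")"
fi
```

Run it as `./enable-http2.sh <app-name> <resource-group>`; the final line is the one worth watching, because the setting being "true" in Azure and the browser actually getting HTTP/2 are two different things (for instance a CDN or proxy in front of the app can still downgrade to HTTP/1.1).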

Blazor 0.2.0 Release

Blazor is a newish technology allowing you to run .NET in your browser! It does this using WebAssembly. In the same way that Node got JavaScript developers excited because they could then write JavaScript both client-side and server-side, this does the same thing for .NET developers, allowing us to write C# on both sides. The new release adds more functionality - including the ability to write your own reusable components.

In June, we have another lightning talk evening, and I believe that James World will be doing a talk on Blazor! I haven't had the chance to play with this myself yet - so I'm really looking forward to James' talk!

Link to announcement blog post

.NET Core 2.1 Preview 2

The 2.1 announcements seem to be getting a mention in a lot of our meetup news items recently, as they're releasing this stuff so quickly at the moment! Last month, it was about preview 1, and this month they've announced Preview 2!

ASP.NET and .NET Core Docker Images Merge

For those using Docker for their ASP.NET Core apps, it's worth knowing that from .NET Core 2.1-preview2 onwards, Microsoft are merging their Docker images. Currently there are separate microsoft/aspnetcore and microsoft/aspnetcore-build images on top of the non-ASP.NET microsoft/dotnet images. Instead of keeping these separate, which was causing confusion and hurt discoverability, they're now just using microsoft/dotnet and using image tags to differentiate between the ASP.NET and non-ASP.NET images, and also between the runtime and the larger SDK versions.

Link to announcement on GitHub

Corriculo Recruitment

As usual, our amazing sponsors Corriculo Recruitment were on hand being awesome! They've been our sponsors from the very beginning, and I really cannot thank them enough! They've not only helped us out financially - covering the venue costs, and providing plenty of liquid refreshments at each of our events - but also helped us out welcoming everyone in, with marketing and promotion, feedback and advice, and much more!


Prize Draws

Our prizes are from our amazing prize draw sponsors - JetBrains, Manning Publications, and Oz-Code.

I mentioned this in the intro, but we're going to start introducing a 2-week time limit for the winners to claim their prize. I've been finding that more often than not recently, my Meetup.com emails to the winners asking for their details so I can apply their licences are getting ignored. This means I have to keep on chasing them up. If you win a prize, but don't want it - then please just reply and say so. It saves me time, and means we can do another offline draw and give it to someone else. This new 2-week time limit means that I can do that even if the winner doesn't respond.

JetBrains

Congratulations to Tim Cranston for winning a year-long JetBrains product licence! He chose the ReSharper + Rider combo! Good choice!

Manning Books

Congratulations to Scott W for winning a Manning ebook of his choice! He's not yet chosen, but he has the choice of any of the awesome Manning ebooks from their website!

Remember that we have our special Manning coupon code (ug367) which gives all of our members a 36% discount on any of their e-books! They've also asked me to share a link to some of their new courses for their LiveVideo system.

Oz-Code

Congratulations to Rasa Rinkeviciute for winning the Oz-Code licence!

If you haven't checked it out, definitely download the trial and have a play. All our members get a free 3-month trial licence (see below) or 50% off a full licence! To claim, you can visit this link to pick up your licence!


Robin Minto: #FAIL - Lessons from Infosec Incidents


First up was Robin Minto talking about lessons learnt from past Infosec Incidents.

One thing that Robin did near the start which I found quite interesting was to get the audience involved by giving everyone a link to a poll on his website. He used DirectPoll to do this, which is specifically designed for this kind of speaker/audience environment. Robin could control it from his end, choosing which poll the audience currently sees, and the results were then shown on screen. His polls asked things like what roles everyone had (developer, etc.), and what languages the audience preferred. Really nice idea, although perhaps a bit underutilised in Robin's talk - most likely due to time restrictions. It would have been really interesting to see more stats on what the audience did and didn't know about various security aspects. A bit later, Robin asked who hadn't heard of OWASP, and a surprising number of hands went up - it would have been interesting to see the number in the poll app for this question. I guess there's less reason for a non-web developer to have even heard of OWASP though - so perhaps not that surprising.

The talk was at quite a high level, covering various different topics: from having strong passwords and using two-factor authentication where possible; to using HTTPS; to not storing secrets in Git; to DDoS attacks. Throughout his talk, Robin also brought up plenty of past security breaches - from the Ashley Madison breach, to cryptocurrency mining malware infecting government websites.

When talking about DDoS attacks, he showed an interesting looking site, supposedly showing the current global DDoS attacks that are happening as we speak. He also then showed a parody version where you can create your own pretend IP attack map with special sound effects, which was quite amusing.

Another site Robin mentioned, which most people have probably heard of by now, but it's definitely worth mentioning here, is Troy Hunt's Have I Been Pwned site. This stores records of a large number of past data breaches, and allows you to enter your email address to find out if it was found in any of the data breaches it knows about. You can also register your email to be notified if it's found in any future data breaches.

Rather than me going through listing out everything that Robin covered, James World has saved me the trouble with his awesome Sketchnotes drawn in realtime during the talk! Very cool! ...

(Sketchnotes drawn by James World)

Links:

Frans Lytzen: Securing Web Apps in Azure


After the break, it was Frans' turn. I was especially interested in this one, as I have a number of webapps in Azure, and to be honest, it's the cloud, it's PaaS - so I tend to just throw them into Azure and trust Microsoft to make sure it's secure! So I was obviously very keen to hear what kind of things Frans talked about that I wasn't (but should have been) doing!

Luckily, I didn't have to skip the pub in order to make panicked changes to all of my webapps! But that doesn't mean that there wasn't a ton of useful information in Frans' talk! He covered a lot of different topics, from setting up SSL to secret management in Azure Key Vault.

For the SSL setup, he demoed how to set up a free Let's Encrypt certificate on your webapp. I did this about a year or so ago for my blog, following the instructions from a blog post that Troy Hunt wrote about how to do this. I can't remember if these were the exact same steps that Frans demoed - but it certainly felt familiar. I've since moved my blog's SSL to CloudFlare instead, which is another option that Frans discussed in his talk.

Frans covered a lot of different topics in his talk, and rather than me trying to remember all the bits to include in this blog post - Frans has very kindly saved me the trouble by recording his talk! He used OBS Studio to record both his screen and from his mic, and has uploaded it to YouTube!

His blog post with the video can be found on his blog, and this also contains additional info about his talk. I've also embedded the video below (with Frans' permission) ...

And if that wasn't enough, and you want a tl;dr version - James World also did a sketchnote for Frans' talk too! ...

(Sketchnotes drawn by James World)


Dev Tips

Unfortunately, due to overrunning on the talks, we had to skip the dev tips this time. We'll try again at the next meetup, which is now just next week! For those that don't know - we've recently started doing a thing where at the end of the meetup, anyone can get up and give a 30-second dev tip. The idea being to get more members involved. It's a fast turnaround, with each person handing the mic straight to the next person. Obviously optional - whoever wants to do it just comes up to the front before we start.

Pub

As usual, we headed off to the pub after the meetup. Due to the football being on, and our usual pub being crammed, we decided to change pubs and try the Old Tom instead. This actually turned out to be a better option moving forward! Seemed much quieter and there was a larger shared area for our "geek outs"!

Speaking of geek outs - there was a serious Azure-related verbal diarrhoea competition going on between Frans and Duncan this time! :) And I thought I knew about Azure! Very cool, and great to meet Duncan again after initially meeting him down at the .NET South East: Codeathon and Meetup in Brighton earlier this year!

I also want to give a quick shout out to James, Tom, and Tim who pretty much always make the pub after each of our meetups, including this one!

Upcoming Meetups

We're now in a position where we have all of 2018 planned out! Not all have yet been announced, but hopefully this'll be sorted very soon. You can see a list of the events that we have announced on our Meetup.com Event page.

Also, remember that in June we have another lightning talk event, and we still have a little bit of space available if you'd like to do a talk! It doesn't matter if you've never done a lightning talk before - this is one of the great things about the lightning talk events. So if you're interested, do give me a shout!

