Security

A single developer completes a full Help Desk Ticketing System in only 8 months

A new Visual WebGui RIA Platform showcase was published on visualwebgui.com.
A full Help Desk Ticketing System completed by Golden West Technologies with 1 developer in only 8 months.

Visual WebGui provided the platform to build a Help Desk Ticketing System solution that realized the requirements and met the challenges as a cost-effective alternative to other RIA platforms. The drag-and-drop page development experience was an enormous benefit compared to the hours it would take to build the same pages with traditional ASP environments. “Visual WebGui's claims of a 90% reduction in development time and of providing the bridge between desktop and web technologies were substantiated through the design, development, and deployment of our help desk software solution.” Brian Butterfield

Brian Butterfield added that “There is no other software platform on the market today that can give traditional desktop application developers the ability to transition that knowledge and experience directly to a web development environment – providing an unprecedented development experience.”

UK’s largest independent care provider builds a new web based monies system with Visual WebGui

"Using the WebGui approach meant that in spite of our small team we could quickly create an industry leading solution in house according to the requirements which resulted in significant cost savings." Ewan Walker, Craegmoor IT Team Leader

This new case study, published on www.visualwebgui.com, showcases Craegmoor's in-house conversion and enhancement of their existing desktop MS Access client monies application into a web-based solution.

"Using the Visual WebGui technology to enhance the existing desktop MS Access based tool provided the new solution with access through a standard Web browser, which requires no plug-ins or other client-side software, virtually eliminating installation and IT support time. The improved application speed and response has resulted in end user satisfaction and overall improved process management, which increased client and customer confidence, as the full integration with legacy applications removed the need for reconciliation between systems and works in line with agreed business practice.

The Visual WebGui Rich Internet Application Platform migration tool allowed the Craegmoor IT team to create an industry leading solution in house more quickly and more cost-efficiently than with any other solution. The in-house development not only saved the IT team development expenses but also means that maintenance should cost less and the response to any changes in legislation can be very quick."

The full Case Study is available here:
UK’s largest independent care provider builds its new web based system with Visual WebGui

Visual WebGui 6.3.1 development environment versions released

Gizmox released version 6.3.1 of the Visual WebGui RIA Platform/Framework development environments.
This is a stabilization of 6.3 and another step towards a release version. The new version brings a significant enhancement in cross-browser support, with full compatibility for Netscape and added support for popular browsers like Chrome, Safari and Opera.

All 6.3.1 downloads can be found here.

This is the change log for version 6.3.1:

Change log
VWG-4038 - Browser support added (alpha level) for Chrome, Safari and Opera.
Netscape is fully supported.
VWG-3820 - Users can now install any of the VWG installations only if they have Administrator permissions on that machine.

Bug fixes
VWG-4030 - TextBox with databinding was not updated when the bound datasource changed from a field with data to empty.
VWG-3976 - ContextMenu was not shown in FireFox.
VWG-2913 - When an image was larger than the PictureBox and set to Zoom, it did not render properly.
VWG-3718 - ComboBox displayed the word null when an item was blank.
VWG-3944 - Databound DataGridView bug when entering a value in the first column of a newly added row fixed.
VWG-3963 - ListBox did not fire the Click event in FF3.
VWG-3877 - ComboBox dropdown is opened on Enter with Tab and not on leave.
VWG-3958 - ScheduleBox WorkEndHour property setter fixed.
VWG-3901 - TableAdapters and DataSets are shown on the component tray (bottom of the designer).
VWG-3830 - Dragging the scroller above controls which contain editable IFrames in FF fixed.
VWG-3938 - Navigation keys did not function in text boxes under FF.
VWG-3816 - Focus transfer from a bound TextBox to a Button did not work on Tab key press; fixed.
VWG-3898 - When opening a ComboBox dropdown the scrollbar covered the text on the left.
VWG-3825 - VWG Documentation registration fixed.
VWG-3887 - MouseEventArgs.X and Y in the ListView MouseDown event were not set to the true value.
VWG-3886 - ListView.Click event's SelectedItem is now set to the right item.
VWG-3792 - UniqueIdExtender is available at design time and the CUID is available in the generated HTML code.
VWG-3890 - In the 'Add Inherited Control' wizard, WebGui.Forms Assembly controls were missing.
VWG-3832 - Tab page images design-time bug fixed.
VWG-3818 - Label Text was cut and did not wrap to the next line for labels with a defined width.
VWG-3847,3841 - DataGridView - adding a new row to a bound DataGridView threw an Exception.
VWG-3849 - TextBox.Text == string.Empty problem fixed.
VWG-3845 - Watermark textbox threw a JS error on focus in IE.
VWG-3885 - OpenFileDialog did not fire the FileOK event in FF3.
VWG-3826 - Standalone .CHM fixed and used as a standalone help file.
VWG-3838 - SplitContainer did not retain its SplitterDistance when the form was saved.
VWG-1996 - Timer intervals bug after opening a dialog window fixed.

Visual WebGui AJAX Framework

The Visual WebGui RIA Platform Technology - Overview

This is the first article in a series that explores the technological aspects of Visual WebGui's RIA Platform: its features, benefits and usage scenarios.

This article is a “General Overview” of the technology aspects of Visual WebGui; it will be followed by a series of 10 detailed articles, released each week for the next 10 weeks. The following articles will explore Visual WebGui's technology by diving into each of the technological aspects, and will be structured as follows:

Introduction – a general description of the explored aspect.
Overview – a technological overview of the aspect
Summary – a summary and further relevant considerations.

These are the different technological aspects of Visual WebGui which will be explored in the following articles:

Aspect 1 - Visual WebGui in Microsoft’s technologies stack

Technologically, Visual WebGui can best be described as an extension to ASP.NET for application development and deployment. As such, the best way to start reviewing the solution is by exploring Visual WebGui's position in Microsoft’s technologies stack.

Aspect 2 – Command level virtualization

Being a server-centric architecture, Visual WebGui presents a unique mechanism for balancing the server state and the client UI rendering state at any given point in time.

This aspect is crucial to understanding the following aspects:

Security
Performance
Scalability and deployment economy
Multiple Presentation Layers

Aspect 3 – Security

Visual WebGui presents the “Empty Client” model, a paradigm shift in which the client downloads a kernel of plain, static code that is responsible for further communication with the server. This concept is secure by design, as the client code cannot control the server behavior under any circumstances. Visual WebGui does not solve the entire spectrum of issues in securing your application environment; however, by shifting the issue to more comfortable zones, namely the middleware communication between the client and the server and the securing of the server itself, the security problem becomes solvable and controllable and can easily reach military grade.

Aspect 4 – Performance

Being a server-centric architecture, Visual WebGui is an immediate “suspect” for being less responsive or for suffering from high latency. This suspicion is far from true; on the contrary, Visual WebGui has proved to be more responsive than pure client-side solutions, because it greatly reduces the CPU usage on the server, optimizes the communication protocol between the client and the server to a degree never before realized on the web, optimizes the UI rendering and leverages the client's power when that creates a more responsive experience. With this mechanism Visual WebGui offers an optimal balance of communication between the server and the client.

Aspect 5 – Scalability and deployment economy

Visual WebGui is fully scalable and redundant across web farms due to a unique capability to serialize the entire state model into a floating state server (preferably a cluster DB based state server). A single IIS server can serve between 200 and 400 concurrent users, and even more, since it reduces the CPU usage dramatically.

Aspect 6 – Multiple Presentation Layers

The outcome of the Visual WebGui architecture is a generic object model that is completely separated from UI rendering. This architecture, often described as a decoupled presentation layer, provides the ability to render the UI and consume the application from practically any device that can receive and send XML. The application itself runs on the server and acts on objects containing only metadata and data, and the client only renders the UI as reflected from the current application state on the server.

Aspect 7 – WinForms API Development and Migration Tool

The fact that Visual WebGui flattens web development to a single layer made it possible to select the most productive and intuitive WYSIWYG development paradigm, which is WinForms. Visual WebGui mimics the WinForms API in order to provide the entire toolset available for desktop application development, including data binding, layout options (anchoring, docking etc.) and a visual WYSIWYG designer. Due to the similarity of the Visual WebGui API to the WinForms API, it is quite a straightforward and natural process to transform any native WinForms application to Visual WebGui and thereby provide an application which can be consumed either as a desktop application or as a plain web application.

Aspect 8 – Extensibility and Custom Controls

Being a pure web architecture, Visual WebGui utilizes the web server and client technologies underneath; therefore, it is possible to create new controls based on the same concepts and set of tools in Visual WebGui. The various extensibility options will be explored further in this document.

Aspect 9 – Visual Designer Extendibility

Because Visual WebGui uses the WinForms designer to develop generic web applications, it also provides designable controls. Not only are the controls inheritable and extensible, but their designer behavior can be customized and new designer behaviors can be created for custom controls.

Aspect 10 – Technical aspects in cloud computing scenarios

Being a highly optimized server-centric architecture, Visual WebGui has high value in, and supports the model of, cloud computing scenarios in terms of compatibility and considerations.

This information can also be found on the Visual WebGui platform technology section.

Migration Tool

A new Technology section launched on visualwebgui.com

A new Technology section was launched yesterday on the visualwebgui.com website; it explores the basic technology aspects presented by the Visual WebGui solution.

The first subject, “What is Visual WebGui?”, provides the initial background on Visual WebGui, its features, benefits and usage scenarios. Then there is a deep dive into the following technological aspects of Visual WebGui:

What is VWG
Position in MS Technologies
Command Level Virtualization
Security
Performance
Scalability and Deployment Economy
Multiple Presentation Layers
WinForms API Development and Migration Tool

Visual WebGui platform remains un-hackable after 3-month security challenge

More than 1,700 users attempted unsuccessfully to break into the Visual WebGui pipeline during the $10,000 Security Challenge, which ended this month after running for over 3 months.

The contest offered a $10,000 prize to anyone who could break into the Visual WebGui pipeline via the Visual WebGui NOC web application, and required participants to provide a reproducible pathway into the Visual WebGui pipeline in order to claim the prize. Despite more than 1,700 break-in attempts, Visual WebGui was not hacked and the prize remains unclaimed. The Visual WebGui "Empty Client" architecture is secure by design and provides bullet-proof security to AJAX and Silverlight applications. The Empty Client approach means that the entire application flow, UI logic, and validations are developed and processed on the server and virtualized on the browser, while the web browser serves as a “display” for the output and a “receptor” for user input. Thus, only essential UI data is sent to the client, which includes no applicative or sensitive data, preventing break-in and theft of confidential information on the server.

Navot Peled, CEO and founder of Gizmox commented: "The fact that no one was able to successfully hack into the Visual WebGui pipeline shows that Rich Internet Applications developed with Visual WebGui are inherently safe and secure by design... As the Empty Client name indicates, the client holds no data or logic, and every action the client wants to take must be authorized by the server first. Not only does this significantly increase security, but the Empty Client design allows events to be raised on the server for every client action while also remaining flexible enough to make web applications responsive, scalable and customizable, enhancing the end-user experience."

Read the official Gizmox Security Press Release or learn about the Visual WebGui Security concept.

The 'Empty Client' AJAX Approach

The new 'empty client' approach to AJAX, led by Visual WebGui, is set to offer fundamental, infrastructure-level solutions to the three major setbacks of AJAX listed below. This approach shifts all processing, including UI logic, to the server, much like the old mainframe paradigm did, and leaves the web client empty.

The first setback of traditional AJAX is the complexity of creating AJAX applications for enterprise scenarios, which is time consuming and therefore brings doubtful ROI. The second setback is the lack of AJAX technologies that can support high-level, data-centric enterprise applications. Last but not least in importance are security concerns: AJAX is known to raise real security concerns which enterprise applications with sensitive data cannot tolerate.

If the client is empty, everything is processed on the server. This concept enables highly productive desktop development methodologies for web development, as well as allowing complex applications to run responsively on the network. Finally, since there is no data, no logic and no open services on the client, this approach presents a highly secure alternative to conventional client-side AJAX.

You can read more about the design time and runtime advantages of the 'empty client' AJAX on VisualWebGui.com.

Keeping Your Data Guarded - Password Strength Check


In keeping your data guarded, the most important area of your application is your password. Even many developers use very weak passwords to protect things like file-level access, database access and admin access to web applications. The easiest way to hack into a system is to crack an unsecured password, after which a hacker (or, to be correct, a cracker) can cripple a system or, worse, steal data.

Well, I have run across a good open source web application called Password Strength Checker that can be used to make a much stronger password. The application is very easy to use: you simply type in your password and the form tells you exactly how strong your password is. The form also gives you information about what makes your password strong or weak, such as that it is too short or lacks capital letters.

You can go to the application here. And since it is open source (it is released under the GPL), you can download it and run it on your server; you can download the application here. So, if you use this or a similar application I would love to hear about it (you can leave it in the comments or write a blog about it on this blog, using your free Ajaxonomy account).

Ajax Security


Over at Reg Developer they have posted a good article regarding Ajax security. The article takes a 1-2-3 approach to security and covers topics like cross-site scripting and SQL injection.

Below is an excerpt from the article.

Know what runs where

AJAX is making it increasingly difficult to be sure where your code is going to run. Take the Google Web Toolkit (GWT) for example. You program in Java and the environment takes some of that code and compiles it to JavaScript that runs on the client. If you make a mistake and implement authentication, access control, validation, or other security checks in the code that runs on the client, an attacker can simply bypass them with Firebug.

Imagine you've carefully coded rules to be sure that administrative functions are never shown to ordinary users. This sounds good, but you forgot that the user interface code is running on the client. So the attacker uses Firebug to invoke the administrative functions. If the proper checks aren't in place on the server side, the attacker just gained administrative rights. Many Rich Internet Application (RIA) frameworks also have this issue.

The solution is to be very careful about making the boundary between the client and the server very clear.

Keep data separate from code

Hackers frequently use a technique called "injection" to bury commands inside innocent-looking data and get interpreters to execute their commands for them. This simple trick is at the heart of many security attacks including SQL injection, command injection, LDAP injection, XSS, and buffer overflows. Preventing injection in a target-rich environment like the modern browser takes discipline.

The key to stopping injection attacks is never executing data that might contain code. But with AJAX, lots of data and code get passed around and mashed together in the DOM. There has never been a data structure that mixes together code and data more than modern HTML.

So be very careful with data that might include user input. Assume it's an attack unless you've carefully canonicalized, validated, and properly encoded it. Imagine you're invoking a REST interface and the request contains user data. The response you receive is a JSON string that includes that user data. Don't evaluate that string until you're sure that there can't be anything but safe data in there. Even just adding that data to the DOM might be enough to get it to execute if there's JavaScript code buried in there.

Beware encoding

Encoding makes everything complicated. Attackers can hide their attacks inside innocent-looking data by encoding it. Back-end systems may recognize the encoding used and execute the attack. Or they may decode the attack and pass it on to a system that's vulnerable to it.

Attackers may use multiple different encoding schemes, or even double encode to tunnel their attacks through innocent systems. There are dozens and dozens of encoding schemes and no way to tell which schemes will be recognized by the interpreters you're using. This makes recognizing attacks very difficult, if not impossible.

Every time you send or receive data both sides have to know the intended encoding. Never try to make a "best effort" attempt to guess the right encoding. You can't prevent an attacker from sending data with some other encoding through the channel, but you don't have to execute it. Here are a few examples:

Set HTTP encoding in the header:

   Content-Type: text/xml; charset=utf-8

Use a meta tag in the HTML:

   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Set XML encoding in the first line of XML documents:

   <?xml version="1.0" encoding="utf-8"?>

You can read the full post here.

Ajax security is very important in developing your Ajax applications and it is something that many developers overlook.
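As an added example (not code from the Reg Developer article or from this blog), here is the "keep data separate from code" rule applied to the REST-response case the excerpt describes: the response is parsed with JSON.parse rather than evaluated, and every user-controlled field is encoded before any markup is built from it. The two response bodies and the stolen() marker function are constructed for the demonstration.

```javascript
// Added example (not from the Reg Developer article or the Ajaxonomy post) for the
// "keep data separate from code" point: a REST response echoes user-supplied data,
// and the client must (1) parse it as data, never evaluate it, and (2) encode it
// before it reaches the DOM. All sample responses below are constructed.

// Constructed response whose user-controlled field carries markup.
const RESPONSE_WITH_MARKUP = JSON.stringify({
  user: 'alice',
  comment: '<img src=x onerror="stolen()"> & "quoted" text',
});
// Constructed response whose body has been turned from data into code.
const RESPONSE_AS_CODE = '({"user":"alice"}); stolen(); ({"user":"alice"})';

// Marker recording whether anything in a response ever ran as code.
let untrustedCodeRan = 0;
globalThis.stolen = () => { untrustedCodeRan += 1; };

// The habit the article warns against: eval() treats the response as a program,
// so any statement smuggled into the body executes with the page's privileges.
function unsafeParse(body) {
  return eval(body); // eslint-disable-line no-eval
}

// Hardened: JSON.parse is a data parser, not an interpreter. Anything that is not
// literal JSON raises SyntaxError; we further insist on a plain object so a
// response of "string" or [...] cannot be mistaken for the expected record.
function safeParse(body) {
  const value = JSON.parse(body);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError('expected a JSON object');
  }
  return value;
}

// Output encoding for HTML text and double-quoted attribute contexts: these five
// characters are the ones that can close a text node or an attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The markup structure is code we wrote; every user-controlled value passes
// through escapeHtml, so it can only ever render as text.
function renderComment(record) {
  return `<div class="comment" data-user="${escapeHtml(record.user)}">` +
         `${escapeHtml(record.comment)}</div>`;
}

// Walk both responses through both parsers and report what happened.
function demo() {
  const before = untrustedCodeRan;
  unsafeParse(RESPONSE_AS_CODE);            // eval runs stolen() as a side effect
  const evalExecutedCode = untrustedCodeRan > before;

  let jsonParseRejected = false;
  try { safeParse(RESPONSE_AS_CODE); } catch (e) { jsonParseRejected = e instanceof SyntaxError; }

  const html = renderComment(safeParse(RESPONSE_WITH_MARKUP));
  return { evalExecutedCode, jsonParseRejected, html };
}

console.log(demo());
```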

OpenID: Do you Yahoo!?

Yahoo! has just announced that it would begin supporting OpenID 2.0 technology for both yahoo.com and flickr.com by the end of the month.

Yahoo!’s initial OpenID service, which will be available in public beta on January 30, enables a seamless and transparent web experience by allowing users to use their custom OpenID identifier on me.yahoo.com or to simply type in “www.yahoo.com” or “www.flickr.com” on any site that supports OpenID 2.0.

Full Press Release

With the addition of 248 million Yahoo! users, the OpenID user community essentially triples in size (going from an estimated 120 million users to 368 million).

More information regarding Yahoo!'s OpenID support can be found here.
