I've summarised some of the most interesting/important parts of my TechEd 2013 NZ notes here.
Keynote
AZR301 Building Real World Cloud Apps with Windows Azure - Part 1
Automate Everything (Everything that can be done in the Azure portal can be automated: REST API plus PowerShell commands. Azure script site with templates)
VS2013 has built in support for Git.
Continuous Integration and Delivery - http://tfs.visualstudio.com
Web DEV Best Practices
Scale out our web tier using stateless web servers. Dynamically scale our web tier based on actual usage load.
Multiple load balancers (Layer 7) can split requests to multiple VMs running IIS. Can handle server failure and start up a replacement VM. Lots of redundancy to handle failures.
Auto scaling rules based on time of day. Schedule times. Day or night for timezone. Logging shows scaling history.
2 Core 4GB VM is a good starting point.
Instance count range and CPU load scaling.
Avoid using session state if possible. Prefer the cache provider if possible. Use CDN to edge cache static file assets. Use .NET 4.5 async to avoid blocking calls.
Single Sign on. - Windows Azure Active Directory (AD). Can be linked to on premise AD. Can be integrated with Salesforce. Wizard to setup sync all the users to the cloud.
Data Storage
SQL Database (Relational)
Table Storage (NoSQL key/value store) - Advantage: can store petabytes of data.
Blob Storage (unstructured files) – More like a standard file system.
Virtual Machines to host other options.
Slide – Data Storage Questions to Ask. Pros and Cons slide.
Data Scale and Persistence
Volume – MB/GB/TB/PB
Velocity – How quickly will it grow. Twitter – Fast data creation but only interested in most recent data.
Variety – Relational, images, key-value pairs, social graphs.
Scale out your data by partitioning it.
Vertical partitioning. Split image data out of the relational database into blobs.
Horizontal partitioning (sharding). Split rows between databases based on some key (e.g. user last name).
ARC303 Hack-Ed: Wheedling and cajoling your way to success
Andy Prow and Kirk Jackson
Backtracking in RegEx can cause CPU load that grows steeply with input length. The RegEx being used can be exposed client side through client-side validation.
XmlDocument.Load expands entities declared in the DOCTYPE. Can cause full CPU and rapidly expanding memory usage.
Cookies leaking out due to transitions via HTTP and HTTPS.
Wireshark. Exposes Client cookies sent over WIFI network.
File Upload Cheat Sheet - https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet#File_Upload
Highlighted Dapper SQL Injection Risks
Information Disclosure
Entity expansion is not limited to string literals though. It could very well refer to external data like the example below.
If this document is somehow reflected back to the client it would result in disclosing information on the server that a client wouldn't have access to.
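Added example (my own code, not from the talk) putting the two defences for the parsers above into .NET: a match timeout on the regex, and an XmlReader that forbids DTDs in front of XmlDocument. Class, method and sample inputs are mine; the regex pattern is deliberately one that backtracks so the timeout can be seen firing.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

// Added example, not from the talk: defensive settings for the two .NET parsers
// mentioned in the notes. Names are my own.
static class SafeParsing
{
    // A validation regex with nested quantifiers: it backtracks catastrophically on input
    // such as "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!". Real code should also fix the
    // pattern; the timeout (Regex constructor overload, .NET 4.5+) is the safety net that
    // caps CPU spent per request.
    private static readonly Regex UsernamePattern =
        new Regex(@"^([a-z]+)+$", RegexOptions.IgnoreCase, TimeSpan.FromMilliseconds(200));

    // Returns false both for a non-match and for a match that exceeded the timeout.
    public static bool IsValidUsername(string input)
    {
        try
        {
            return UsernamePattern.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            // Log and reject; do not let one request pin a worker thread.
            return false;
        }
    }

    // On the .NET Framework 4.5 of the talk, XmlDocument.Load(string) accepts a DOCTYPE and
    // uses XmlUrlResolver by default, so internal entities expand (memory/CPU blow-up) and
    // external ones are fetched from disk or the network (the disclosure case). Load via an
    // XmlReader that forbids both.
    public static XmlDocument LoadUntrustedXml(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                      // never resolve external references
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        Console.WriteLine(IsValidUsername("alice"));                   // True
        Console.WriteLine(IsValidUsername(new string('a', 40) + "!")); // False: timed out on
                                                                       // .NET Framework (newer engines
                                                                       // may optimise this pattern)

        Console.WriteLine(LoadUntrustedXml("<user><name>alice</name></user>").DocumentElement.Name); // user

        // Constructed sample of the shape described in the notes: an external entity in the
        // DOCTYPE. The path is a placeholder.
        const string hostile =
            "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///some/server/file\">]><x>&ext;</x>";
        try
        {
            LoadUntrustedXml(hostile);
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The same XmlReaderSettings object should be used for XDocument.Load and XmlSerializer input too; the DOCTYPE is rejected before any entity is expanded, so neither the internal nor the external case gets as far as the resolver.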
App202 Zero to Hundred - EventFinda comes to the Windows 8 store
Donnel Cyril and Mohit Singh
UI hidden is UI that doesn't exist. Primary controls on screen for search.
Incremental data loading. Lazy loading via ISupportIncrementalLoading to keep delays under 3 to 4 seconds.
DEV302 DevOps at LightSpeed, lessons we learned from building a Raygun
Jeremy Boyd and John-Daniel Trask
Octopus Deploy - Automated deployment to staging and production environments
Git - create a topic branch for any new task
ElasticSearch - for scaled search. Plus REST .NET API for interacting with it.
Redis - Out of process cache that can handle Key value pairs, queue data structures, hash structures
ARC305 Hack-Ed: Develop your Security Spidey-Sense
Andy Prow and Kirk Jackson
Indicators of potential security flaws in a website
Unlocked Vault
Dropping out of https to http - certain cookies should be marked to only send over https. Add Strict Transport Security header
Strict-Transport-Security: max-age.
Session abandoning on login. Especially from http to https
Password field with length and/or character limit - May indicate that it isn't being hashed and salted on storage.
Files that expose secret content (robots.txt, sitemap.xml)
Cached search engine results.
Too Trusting
Too many invalid password attempts. Use the brute force detection built into ASP.NET Membership Provider (max invalid password attempts, password attempt window)
Change password without entering existing password
Characters give errors, or display incorrectly: < ' " ; UTF smiley face.
Client only validation of user input.
User content displays directly on screen unescaped.
No random tokens in the form data. CSRF
URLs are in the query string
SQL statements in the query string
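Added example (my own code, not from the talk) showing the "Unlocked Vault" and "Too Trusting" items above as ASP.NET MVC code: HSTS only on HTTPS responses, Secure/HttpOnly cookies, the Membership provider's built-in lockout instead of a home-grown counter, an anti-forgery token on state-changing posts, and a password change that demands the current password. Class names, routes and messages are mine.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not from the talk. Global.asax: send HSTS only on HTTPS responses
// (browsers ignore it on plain HTTP) and never serve app pages over HTTP at all.
public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
        {
            // One year, applies to subdomains; the browser then refuses the HTTPS->HTTP drop.
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
        else if (!Request.IsLocal)
        {
            // Redirect rather than serve: cookies must never travel on a plain request.
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, endResponse: true);
        }
    }

    // Every cookie the app sets: Secure (HTTPS only) and HttpOnly (not readable by script).
    public static HttpCookie SecureCookie(string name, string value)
    {
        return new HttpCookie(name, value) { Secure = true, HttpOnly = true };
    }
}

public class AccountController : Controller
{
    // Relies on the Membership provider's counters (web.config: maxInvalidPasswordAttempts
    // and passwordAttemptWindow) rather than a custom brute-force check.
    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the form: the random CSRF token
    public ActionResult Login(string userName, string password)
    {
        var user = Membership.GetUser(userName);
        if (user != null && user.IsLockedOut)
        {
            // Same generic message as a bad password: do not confirm which accounts exist.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // ValidateUser increments the provider's invalid-attempt counter and locks the
        // account once maxInvalidPasswordAttempts is reached inside passwordAttemptWindow.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Discard any pre-login session state before issuing the auth cookie.
        Session.Abandon();
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        return RedirectToAction("Index", "Home");
    }

    // Changing a password always requires the existing one.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        var user = Membership.GetUser(User.Identity.Name);
        bool changed = user != null && user.ChangePassword(oldPassword, newPassword);
        return changed ? RedirectToAction("Index", "Home") : (ActionResult)View();
    }
}
```

The web.config side of this (requireSSL and httpOnlyCookies on the forms/httpCookies elements) makes the framework's own auth and session cookies behave like SecureCookie above.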
Spilling your secrets - Information is being leaked out of the system.
Signup or password reset contains an existing password - should use one time URL for resetting password.
Site lists characters that are banned in text fields
Customer id (or similar object reference) in the URL
A number in the URL that increases by one (or in an obvious format)
You can tell the underlying technology
Back door is open - Front-door security is good but someone's left alternative avenues into the system.
Sensitive data is unencrypted
Authorisation - by URL or menu
Admin site available to the world - god mode. Separate God mode app.
Production data in a test environment. Dev laptop has production data / credit card details but no security of production.
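Added example (my own code, not from the talk) for the password-reset item above: a one-time, expiring reset link instead of mailing out the existing password. The in-memory store, names and lifetime are mine; a real app would keep the entries in its database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the talk: one-time password-reset tokens.
public static class PasswordResetTokens
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Keyed by the SHA-256 of the token, so a leaked table does not hand out usable links.
    private static readonly ConcurrentDictionary<string, Entry> Store =
        new ConcurrentDictionary<string, Entry>();

    private class Entry
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    // Issue: 32 bytes from the CSPRNG, URL-safe base64; only the hash is stored.
    public static string Issue(string userName)
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw);
        }
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token; // goes into the emailed URL, e.g. /account/reset?token=...
    }

    // Redeem: valid exactly once and only before expiry; returns the owning user or null.
    public static string Redeem(string token)
    {
        Entry entry;
        if (!Store.TryRemove(Hash(token), out entry)) // removal is what makes it single-use
        {
            return null;
        }
        return entry.ExpiresUtc > DateTime.UtcNow ? entry.UserName : null;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }

    static void Main()
    {
        string t = Issue("alice");
        Console.WriteLine(Redeem(t));                   // alice
        Console.WriteLine(Redeem(t) ?? "(null)");       // (null): already used
        Console.WriteLine(Redeem("bogus") ?? "(null)"); // (null): unknown token
    }
}
```

Redeem returns the user name rather than trusting anything in the URL, which also avoids the "customer id in the URL" problem listed below.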
D.I.Y Security
Doesn't use out of the box forms authentication
Custom single-sign-on
Home-built encryption
Dodgy Foundations - There is a poor underlying architecture or technology.
Mix of technologies (PHP and ASP.NET)
Cross-domain javascript / CSS
Rich Client components
Old OS, server, ASP.NET version
Built using Webforms
Writing directly to disk
Risky Business - Features requiring strong security have not been done
Application accepts file uploads
Parsing XML, HTML or other file formats
Credit card payments
Mobile app talking to API.
DEV304 C# on a diet with scriptcs
Glenn Block
Node.js - No IDE or project required. Minimal install
Microsoft Roslyn CTP - Compiler as a service
scriptcs - No IDE, project, class, namespace, Using statements
.csx is the Roslyn file extension.
http://choclatey.org/
#load to pull in separate .csx
#r "System.Data"; // Get DLL out of GAC
using System.Data;
Visual Studio load in exe. Add - debug. Can be used to hit breakpoint.
Can be run standalone. REPL.
ScriptArgs[0] - access command line arguments. Anything after --
Can be used to create full line command line tools.
scriptcs - install mongodb
packages.config to pull dependencies
Removes need for #r from GAC.
Script Packs - Require<...>(); // Will discover from Packages folder. Skips need for using.
Hosting
- Host scripts within an existing app.
http://github.com/scriptcs/scriptcs
Day Two
DEV305 Level up your API with Hypermedia
Amy Palamountain
Hypermedia.
Reduce the overhead of updates. Client can adjust to changes dynamically. No need to support older version of the API. Self navigation of API.
Primary Concern.
- Accessible
- Consistent
- Descriptive
- Flexible - shield from breaking changes.
GET/POST/PUT/DELETE/HEAD/PATCH/COPY/PURGE/LINK/UNLINK/OPTIONS
DEV306 10 F# Features Every C# Developer Should Crave
Ivan Towlson
F# match expression. No side effects to set the variable
immutability - Given by default in F#. Lots of extra effort in C# to hide behind get-only properties and equality overloading.
Discriminated Unions - Creating a parser. F# is more concise and isn't open to extension like the C# abstract base class.
non-nullable types
F# types can't have null values (unless interop with other languages)
infix notation - Can only overload existing operators in C#. F# can define new ones.
Partial application
Pattern matching
Units of measure
APP308 Working with devices; integrating into peripherals for Windows 8 and Windows Phone.
3D printing.
Location awareness
Fingerprint scanning. Biometrics instead of passwords.
Scan barcodes and read magnetic stripes. POS scanners.
Use geofence enter/exit to trigger app actions.
Manage virtual smart cards for remote.
Scan documents and images with scanners.
Bluetooth and low level USB. Native USB rather than relying on third party libraries.
Security - WinRT apps must declare deviceCapability. HID - Human Interface Device (emulates a keyboard for commands). Does not require drivers. USB takes a more complicated payload.
New generic USB devices.
Bluetooth 4.0 GAP
APP309 Taking advantage of Windows 8.1
Use the canvas for the primary application buttons
AppBar hints similar to Windows Phone
Provide a great search experience inside the app. New dedicated control SearchBox
Snap view replaced by variable widths.
Moving past single screen and touch.
Kiosk mode
SpeechSynthesizer
Second screen support. ApplicationViewSwitcher.
XAML Dev differences
Flyouts.
SettingsFlyout
Input Controls Header control
DatePicker
PlaceholderText
AppBarButton, toggle
CommandBar
PDFDocument. Get individual pages.
MediaElement. Includes playback controls. Embed YouTube.
DEV309 ASP.Net WebApi – What's New
Open Web Interface for .NET (OWIN)
Attribute Routing
Removes need for configuring the routing in the config. Instead use the Route attribute. RoutePrefix to apply at the class level.
Special case routing with RegEx matching.
Routes stay with the code.
config.MapHttpAttributeRoutes().
Helps avoid routing issues.
CORS
Cross Origin Resource Sharing
Generally will only work with the newer browsers. IE 9+
Access-Control-Allow-Origin: *
OData
Edm Model != Entity Framework Model.
Discover
$select to pull specific columns. Can be useful to exclude image data columns.
ODataConventionModelBuilder
Makes Services Easier.
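Added example (my own code, not from the talk) combining attribute routing with an explicit CORS origin list instead of Access-Control-Allow-Origin: *. It assumes Web API 2 with the Microsoft.AspNet.WebApi.Cors package; the controller, routes and origin are mine.

```csharp
using System.Web.Http;
using System.Web.Http.Cors;

// Added example, not from the talk: attribute routing plus per-controller CORS.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Routes are declared on the controllers (Route/RoutePrefix attributes below),
        // so they stay with the code instead of living in a routing table.
        config.MapHttpAttributeRoutes();

        // Turns on CORS processing; which origins are allowed is declared per controller.
        config.EnableCors();
    }
}

// Only the named front-end origin may call this API from a browser. A wildcard "*" would
// let any site's script read the response, and browsers refuse "*" when cookies are sent.
[EnableCors(origins: "https://app.example.com", headers: "*", methods: "GET,POST")]
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    // GET api/orders/42 -- the {id:int} constraint rejects non-numeric ids before the action runs.
    [Route("{id:int}")]
    public IHttpActionResult Get(int id)
    {
        if (id <= 0)
        {
            return NotFound();
        }
        return Ok(new { Id = id, Status = "shipped" });
    }

    // GET api/orders/by-ref/ABC-1234 -- special-case route with a regex constraint on the segment.
    [Route("by-ref/{reference:regex(^[A-Z]{3}-[0-9]{4}$)}")]
    public IHttpActionResult GetByReference(string reference)
    {
        return Ok(new { Reference = reference });
    }
}
```

Because the origin list is on the controller, an admin controller in the same project can simply omit EnableCors and remain unreachable from cross-origin script.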
DEV310 Not MacGyver's JavaScript - Better Client Side Architectures.
jQuery - DOM abstraction library -
Gets complicated really quickly.
Should be used as a single tool rather than a solution to everything.
Focus on the object model.
Frameworks - generally prescriptive, sometimes restrictive. Hollywood principle.
Library - generally focused and to the point.
Backbone.js Library
Models - data and associated functions
Views - UI backed by a model
Events - Bind and trigger custom events
Router - Provide linkable URLs
Problems with backbone:
Complexity issues with scaling.
Headaches with Routing Insanity.
Events can become really complex.
Memory Leaks (Zombie Views) View Events didn't unbind.
Most of the pain happens in the Router and the View.
"The secret to building large apps is never build large apps. Break your...
Modular / Component Application.
Modules are decoupled from each other. Removing one does not affect the other.
Application Orchestration as a first class concern. Responsible for the orchestration of the modules.
Marionette.js - helps build composite apps with backbone.
Backbone extensions to remove boilerplate code. (ItemView, CollectionView)
Avoids ZombieViews by unbinding.
INO301 Building Apps with the Kinect for Windows SDK
v1.5 More Sensor data, IR, Accelerometer, Camera Settings.
1.7 Kinect Fusion. 3D scanning.
Kinect will consume about 60% of a single physical USB port.
Stride, # of bytes per single line
Day Three
DEV312 Pick your poison; pick your target - multi-platform development with .NET
Xamarin
C# with the .NET rather than the JVM
It is not write once use everywhere. UI created differently for each platform. Would otherwise give you lowest common denominator.
iOS will run ARM Binary to run natively. Ahead of time compilation. Certain things like reflection and generics won't work.
Android can run IL+JIT
Can run Windows, Android and iOS emulators.
"On the Mac, when it's time to upgrade, you just pick it up, throw it away, and buy a new one."
Ensure Windows VM uses two cores. One for its internal VM. Enable HyperV
Project Linking
APP213 Game On - Cross Platformer
DoDo gogo using - HTML5, impact.js, Canvas. Three.js
HTML Drawbacks.
Draw Call Efficiency. Particle Effects. High Asset Count
Audio Management (good), but not fine grained.
Tooling - not storing tools for HTML games development.
Unity IDE for games
Example games using Unity - Jelly Run. Template Run
Advantages:
Pipeline - import Photoshop file.
Tooling - All the tools to manage and manipulate a game.
Performance Tuning
Asset Store - get assets.
3D
2D (Unity 4.2 built in)
Multi-Platform deployment.
Code Typically written in C#. Runs on mono and targets .NET 3.5
Can pull .NET 3.5 libraries into the Unity Assets/Plugins folder.
Basic support for async/await. But doesn't extend to Task return types.
Use common assembly name between Unity .NET and Windows 8 Library to work with both.
Unity can process each asset on import and adjust to suit the platform. E.g. down sample for Windows Phone.
Set the build config on the Phone solution to "Master" (rather than Debug or Release) to have debug support.
Shaders run on the graphic card. Shader runs on Materials.
Cross Platform Considerations.
- Store approval requirements
- Automated certification tests
- Start packaging early
Know Your Devices
- High memory
- Low memory
- Resolution
- Graphics capabilities
- Aspect ratios
- Device Capabilities
Implement analytics. The most popular level may be the hardest level. NuGet import for analytics in Windows Phone.
Unity3D.com
Unity Answers
DEV414 Taming Time: A Deep Dive into the Reactive Extensions
The async await pattern does not compose very well.
IObservable. Nothing in .NET 4 implements this interface.
Reactive Extensions - where to get the IObservable and how to work with them.
IObservable.Subscribe - OnCompleted, OnError, OnNext
RE - Subscribe takes a delegate/callback.
Dispatchers . Invoke. Instead use .ObserveOn() so it runs on the dispatcher thread.
.Timestamp()
.DistinctUntilChanged()
IQbservable - passes the query off to the remote data source and will only return the filtered results.
Applies the filters much earlier.
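Added example (my own code, not from the talk) applying the operators listed above to a constructed stream of allow/deny decisions. It assumes the System.Reactive (Rx-Main) NuGet package; the source data and names are mine.

```csharp
using System;
using System.Reactive.Concurrency;
using System.Reactive.Linq;

// Added example, not from the talk: DistinctUntilChanged, Timestamp, ObserveOn, Subscribe.
public static class RxDemo
{
    // Constructed source: decisions for one client, in order. In a real app this would be
    // Observable.FromEventPattern over the log reader's event.
    public static IObservable<string> Decisions()
    {
        return new[] { "allow", "allow", "deny", "deny", "deny", "allow" }.ToObservable();
    }

    public static void Run()
    {
        var last = Decisions()
            .DistinctUntilChanged()       // only state changes: allow, deny, allow
            .Timestamp()                  // when each change was observed
            .ObserveOn(Scheduler.Default) // handlers run on a pool scheduler (WPF: DispatcherScheduler instead of Dispatcher.Invoke)
            .Do(t => Console.WriteLine("{0:O} -> {1}", t.Timestamp, t.Value))
            .Wait();                      // block this console app until OnCompleted
        Console.WriteLine("last state: " + last.Value);
    }

    static void Main()
    {
        Run();
    }
}
```

Three lines are printed (the transitions), not six; Wait() would rethrow any OnError from the source, which is the Rx equivalent of the exception handling described for async later in these notes.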
DEV316 Getting started with Git: A .NET developer's guide
Ian Randall
Record changes to file(s)
Restore
Who made the changes
Centralised VCS.
- Collaborate in teams
- Server contains history
- Client contains working copy.
Issues:
- Heavy network usage / slow
- Single point of failure
- Typically poor offline experience
Distributed VCS
- Repositories
- Fully offline
- Mostly local commands - fast
git-scm.com/doc
Basic commands
$ git init MyProject
$ git add Readme.md
$ git status Changes
Files must be added to the staging area.
Commit - Commit changes to the repo. Working directory clean
$ git commit -m "Added Readme"
Unstaging - reversing add
$ git reset HEAD
Unmodify changes
$ git checkout --
Branching - Git's killer feature
snapshots - Git doesn't store deltas. It stores the whole file. Uses compression in storage.
Metadata
Pointers
A commit contains:
pointer to the snapshot...
Labels for HEAD and master.
$ git branch
$ git checkout
Moves HEAD to the feature branch.
Merge or Rebase. Rebase can make it easier to read the history, but alters the previous SHAs. Rebase is best when only done locally to code that isn't pushed to others.
Distributed
Git on the Server - Subtly different to client/server
Git clone <path>
<ssh://user@>
user@server:project.git
https://foo.bar
$ git remote --verbose
$ git remote add alias <foo>
Remote branch
Pull the latest versions from the server.
$ git fetch origin
$ git fetch
$ git merge
$ git pull
Push to remote
$ git push origin master
Pull Requests - Asking someone else to get your changes into their repository.
Git support in Visual Studio
- Select 'Git' as Source Control type in VS2013
- Integrated experience
- Brand new, but maturing
Git Extensions very good on windows.
DEV415 The conjurer's masterpiece - hiding complexity with async
"Asynchronous programming involves the coordination of multiple concurrent processes"
Blocking can be dangerous:
Scarce resources (threads): UI thread (there is only one), JavaScript, I/O
Expensive resources: .NET ~1MB per thread memory usage. Threads are only added to the ThreadPool slowly.
Too many processes to coordinate. 'Duplex' connections - long running process per user
Callbacks split implementation up. Intention is out of sequence.
Promises - Ordering correct, but exception handling is hard. Plus a large amount of ceremony code.
async/await - resembles the blocking code flow structure to make following the process easier. Exception handling matches the standard synchronous technique.
Async is a "MethodBuilder iterating over tasks and awaiting on the results"
Tasks - The results or promise of a result from asynchronous methods
Awaiters - Holds a collection of continuations. TaskAdapter acts as adapter for a Task.
MethodBuilder - Coordinates the running of an async method. How does it iterate over the Tasks.
Continuations - What do I run when the task is finished?
Schedulers - How do I run the continuation
Practical async in C# - 6 things to know
Use TaskCompletionSource to create your own Tasks -
Make sure all Tasks are observed. If it returns Task make sure you await it. Important for exception handling.
Be careful with async void - can't await for the results and can't catch exceptions. Rule of thumb - "async void is only for event handlers at the top of the stack."
Use .ConfigureAwait(false) when possible - help avoid multi-threading issues. Don't come back on the same thread if the returning thread isn't important. Useful for library code.
Async void can still be unit tested -
Visual Studio 2013 - Simplified debugging - Windows > Tasks - Shows all tasks that are currently active and improved stack trace.
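Added example (my own code, not from the talk) putting the practical rules above into one file: TaskCompletionSource wrapping an event-based API, ConfigureAwait(false) in library code, every Task awaited so exceptions surface, and async void confined to a top-of-stack handler that catches internally. The LegacyScanner class is constructed for illustration; all names are mine.

```csharp
using System;
using System.Threading.Tasks;

// Constructed stand-in for an old event-based API (not a real library).
public class LegacyScanner
{
    public event EventHandler<string> Completed;
    public event EventHandler<Exception> Failed;

    public void StartScan(string path)
    {
        // Pretend to do I/O on a worker thread and report back via events.
        Task.Run(() =>
        {
            if (path.EndsWith(".exe"))
            {
                var failed = Failed;
                if (failed != null) failed(this, new InvalidOperationException("blocked file type"));
            }
            else
            {
                var completed = Completed;
                if (completed != null) completed(this, "clean: " + path);
            }
        });
    }
}

public static class AsyncRules
{
    // Rule: use TaskCompletionSource to turn a callback/event API into an awaitable Task.
    public static Task<string> ScanAsync(this LegacyScanner scanner, string path)
    {
        var tcs = new TaskCompletionSource<string>();
        scanner.Completed += (s, result) => tcs.TrySetResult(result);
        scanner.Failed += (s, ex) => tcs.TrySetException(ex);
        scanner.StartScan(path);
        return tcs.Task;
    }

    // Rule: library code uses ConfigureAwait(false). The continuation does not need the
    // caller's context (e.g. the UI thread), so it cannot deadlock a caller that blocks.
    public static async Task<string> ScanAndSummariseAsync(string path)
    {
        string result = await new LegacyScanner().ScanAsync(path).ConfigureAwait(false);
        return result.ToUpperInvariant();
    }

    // Rule: observe every Task. Awaiting it is what delivers the exception to the catch
    // block, in the same shape as synchronous code.
    public static async Task<bool> IsCleanAsync(string path)
    {
        try
        {
            await ScanAndSummariseAsync(path).ConfigureAwait(false);
            return true;
        }
        catch (InvalidOperationException)
        {
            return false;
        }
    }

    // Rule: async void only for event handlers at the top of the stack. Nobody can await
    // this, so it must catch everything itself or the exception escapes to the process.
    public static async void OnScanButtonClicked(object sender, EventArgs e)
    {
        try
        {
            bool clean = await IsCleanAsync("upload.bin");
            Console.WriteLine(clean ? "clean" : "rejected");
        }
        catch (Exception ex)
        {
            Console.WriteLine("handler caught: " + ex.Message);
        }
    }

    static void Main()
    {
        // .Result is safe here only because there is no UI context and the awaits above
        // use ConfigureAwait(false); in a UI app, await instead.
        Console.WriteLine(IsCleanAsync("report.pdf").Result); // True
        Console.WriteLine(IsCleanAsync("tool.exe").Result);   // False
    }
}
```

The unit-testing point for async void follows from the same structure: test IsCleanAsync (which returns a Task) rather than the handler.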
Other interesting talks:
ARC214 What Did Your Last Presentation Die Of?
Using a selection of techniques from his book "Stories That Move Mountains" Martin Sykes from the Microsoft Services, Enterprise Strategy Centre of Excellence will explain how to use storytelling and visual design techniques to effectively influence your audience and communicate your architecture. In this session we will cover the theory and wide range of examples.
DBI302 What's new in SQL Server "2014" - feature drilldown
DEV313 What's the deal with Node.js?
APP312 Fast and fluid - making your Windows 8 applications fly
INO106 Innovation at Trade Me: from FedEx to Spotify - Second highest rated speaker behind Scott Gu