Presentation on HTML5 Security, Part-2 - OWASP Hyd

In continuation my previous talk on HTML5 Security at OWASP Hyd, I have covered few more interesting concepts at OWASP Hyd August meet. Slides are more or less the same as my previous session but it was more demo driven where I've shown known security problems and secure coding practices to be followed while using HTML5. 

I've been committing some of the basic demos whenever I find time into my github account. I shall blog more about some interesting topics very soon.

Browser Internals: Content Isolation with Same Origin Policy-Microsoft UG Dev Day

Microsoft User Group Hyderabad (MUGH) has organized Developer Day at Broadridge Financial Solutions, Hyderabad this weekend. It was a half day event with very good line up of sessions and I had the opportunity to present on a very exciting topic-"Content Isolation with Same Origin Policy".

"Same Origin Policy (SOP)" is one of the foundations of web security, which is built into web browsers. Web developers often do not understand this policy clearly and work with several misconceptions. The goal of this session is to show how important SOP is for the web, how it is bypassed using hacks and what HTML5 offers as a standard to overcome its limitations. Getting a full understanding of SOP isn't easy in a one hour session as it is relatively vast and complex. However, I have tried to simplify several ideas and put them in one place in the slides. Folks who couldn't attend the session will also be benefitted from the slides.

Along with my talk, there was an interesting talk "One Service, Any Device, Any Platform-Web API" by fellow MVP Shravan and "A Lap around the new Windows Azure" by our super techie Phani, cofounder of BrainScale. It is really motivating to see close to 100 techies coming to learn cutting edge stuff over a weekend. That was a great time spent! See you in the next tech event. Happy coding :)

Presentation on HTML5 Security-OWASP Hyderabad

Happy to say that I had the opportunity to present at OWASP Hyderabad chapter on "HTML5 Security" on 19th May, 2012. The event had awesome audience from diverse backgrounds in security domain-security researchers, penetration testers, security consultants, few developers etc. The talk went for about 2.5 hours(yes!!) and was quite interactive. The audience were very patient, passionate and we had lots of discussions on several interesting topics.

 

I have built some cool demos for the presentation but the code is not well organized. I shall clean the code and upload to my github account shortly. I would be continuing this talk in next month's OWASP meet too.

Microsoft MVP Award and my two cents

First of all, I’m really happy and proud to say that I’ve received Microsoft Most Valuable Professional (MVP) award for the third consecutive year. YaY!! I’ve received my first MVP award in 2010 under “ASP.NET” category and in 2011, 2012 under “Internet Explorer” category. Kudos to Microsoft which uniquely recognizes and values its experts through the MVP award program.

So, how to become a Microsoft MVP? Well, this is the most frequently asked question in most of the user group meets, email conversations etc. Fellow MVP and friend Vijay Raj wrote an excellent blog post on this which gives great inputs.

My MVP story:

My first encounter with an MVP happened through a series of email discussions 4 years back (January 31, 2008 2:52 PM to be precise! I was just 6 months old in software field). At that time, AJAX start pages were highly popular and PageFlakes.com, a Web 2.0 mashup built in ASP.NET created a revolution. I wrote a long mail to the owner of PageFlakes.com with lots of enthusiasm and many queries like how he built the awesome product, how I can be a techie like him etc. I didn’t expect a reply, but was overwhelmed when I saw his reply the next day. The owner was Omar Al Zabir (Microsoft MVP for 7 years!) and he replied to my mail with this interesting link-How to become a good developer overnight! (Strongly suggest you to read this!!!).

Omar’s post had a strong influence on me and I was determined to work with passion (the MVP thing was completely out of my sight). I started with creating a web mashup something like PageFlakes in the next 4 months. Here it is!. Though it wasn’t complete and rich enough, given my experience and knowledge, that was big and the learning I had was huge!! I felt like sharing my experiences and captured them in my blog. Also, I took my learning to ASP.NET forums and helped developers who are struggling with similar problems.

Then came jQuery using which I rebuilt my mashup page (purely client side). I was learning and contributing extensively on JavaScript, AJAX, front end performance tuning, JS design patterns, jQuery plugins, browser compatibility etc. at forums, blogs, online events and MUGH for about 2 years. Suddenly, on 1st April 2010, I got a mail that I am a Microsoft MVP! Of course, I wasn’t alone throughout the journey and I was guided by amazing folks within and outside Microsoft. Thank you all for molding this wet clay!

The moral is, I worked rigorously with lots of passion and shared my learning, without worrying about “how to become an MVP”. Year on year, I maintained my consistency in learning and sustained sincerity without worrying if my award will be renewed. If Microsoft had not come across my profile, I wouldn’t have been an MVP but still I would be having my hard earned learning with me, which is the key towards a bright career. If you are a new MVP, just don’t get sick and count days before your MVP renewal date (am not kidding!). There is a lot to life beyond an award.

By the way, if you too are passionate and find all this interesting and relevant, tweet me for any help. I still remember how much I looked for help.

My gyan for fellow/new/wanna-be experts:

In the past 3-4 years, tech community has grown a lot. Thanks to Twitter/Facebook which made tech communication across geographies easier. There are several passionate developers, new MVPs every quarter, promising community folks etc. whom I/we interact with. While many of you are doing it right, here are few tips for those who are doing it wrong! (Strictly my personal opinions/beliefs and no way related to MVP award program).

  • Focus on gaining depth and hands-on expertise in the technology/area of your interest. Don’t just be news aggregators-there are enough social media sites for this purpose.

  • Please, please don’t try to impress existing MVPs, folks from Microsoft on Twitter/FB for the sake of award or other expectations. If you are an expert and contributing genuinely, Microsoft will find you and reward your efforts.

  • At any point of time, quality beats quantity. If you are writing, say, 365 blog posts/year all alone, you need to question the quality of your learning. There is enough documentation on “How to create a new ‘xyz’ application in visual studio” at MSDN. If you refer MSDN articles, explain the same with screenshots and call it expertise, I pity your ignorance.

    Instead, build something which solves existing technical challenges or dives deep into a subject and show it to the world. Doesn’t matter even if you write 1 or 2 blog posts per month but make sure your learning is rock solid and has good impact.

  • Microsoft is definitely one of the best employers to work for. However, don’t look at MVP program as an entrance to bag a job at Microsoft. Understand what you really want to do with the expertise you gained. Be patient, don’t be desperate and hasty.

  • Just that you want to be an MVP or you are a new MVP, you need not kill your instincts, become a fanboy and boast about Microsoft’s products/technologies. Stop that. Appreciate the good, help improvise the bad.

  • You are/wanna be a tech expert and not a sales representative. Speak the internals and stop surviving with “new features in xyz language”.(e.g., If you love programming, at least know closures, continuations, callbacks, recursive programming etc. Learn Lisp or may be Scheme and see how ideas in them are related to the new features in C#. You will love your code.)

  • If you are working on Microsoft technologies/products, it doesn’t mean you should not work on open source ones. How many of you have appreciated the beauty of Git and GitHub? There are some brilliant projects on GitHub which you can fork/follow and learn. Do you know that you can set up a full fledged blog on GitHub for free using Jekyll (a ruby gem) & Disqus?

  • Don’t convince yourself that you have read the entire material on a particular technology and you don’t have anything to do till the next version releases. Foolish!
    Just check the extraordinary and evergreen research going on at universities like Stanford, Berkeley, CMU. You will be amazed. When you are writing about HTML5 syntax in your blog, researchers are coming up with innovative ways of solving severe security flaws at protocol level and giving you a simple syntax. Grow up and widen your learning.

Hope the post provided useful information and motivated you enough for gearing up to the next level. Let me know what you feel in the comments below. Happy learning! Smile

JSFoo Chennai 2012–”JavaScript is mischievous. Handle 3rd party content with care!”

It is always exciting to attend a technical conference focusing on a particular theme and even more if you get the opportunity to present. Continuing their good run, HasGeek has organized JsFoo Chennai 2012, India’s first JavaScript conference series, at IIT Madras Research park. There were several interesting proposals made and mine got voted for the final schedule along with other awesome entries.

My session is about the security considerations one should think of while integrating 3rd party JavaScript content into their site (in other words, security of web mashups). 

mashups

Presentation: Click here

Demos: Recursive Mashup Attack and Clickjacking

Learning aside, the best part is, I’ve met several awesome passionate geeks, few whom I know on twitter and few I would have never met otherwise. Loved the event even more, since people working on different platforms and having good expertise in JavaScript came under one roof and discussed. Diverse opinions and lots of learning!!

For those who missed, check JsFoo site for videos of sessions, which will be uploaded shortly. Also, here is an interesting review written by one of the attendees.

Secure Web Messaging in HTML5–Microsoft UG Dev Day

Happy to say that I have presented on this interesting topic at Developer Day organized by Microsoft User Group Hyderabad (MUGH). Not sure if any other monthly User Group meet would attract 150+ audience over a long weekend!

image

Presentation: Click Here

Demo: Click Here

The half day event went very well with 3 exciting sessions – Coding for fun with Kinect by Abhijit Jana, “I Love HTML5” by Shravan and the above session by me. All the sessions were very interactive and we had a very good technical weekend. Hope the huge turnout continues for rest of the events in the User Group :)

Hack Your Way with the F12 Developer Tools-Virtual TechDays 2011

Happy to say that I have presented at Microsoft Virtual TechDays 2011 in Developer's Track. It was a 3 day online technical event (Dec 14-16, 2011) with ~75 sessions from 84 Industry experts on Microsoft technologies.

My session is titled "Hack Your Way with the F12 Developer Tools". The developer tools that come with Internet Explorer 9 are a powerful aid to solving compatibility, network, script profiling, and performance issues; debugging code; managing HTML and CSS; editing on the fly and validating markup; and last but not least, inspecting HTML, CSS and JavaScript.

Presentation: Click here

Though I could not meet developers in person, I enjoyed presenting a demo filled session, which I hope would be useful for developers. Happy learning!

It is this easy to steal your click!-DevCon 2011

The memories of DevCon 2010, where I presented on “Facebook Apps Development” are still fresh in mind and DevCon 2011 is back! This time I have presented on “Clickjacking”, one of the popular modern web based attacks, using which an attacker can steal user’s click. The session is heavily inspired by the research done by Stanford Security Lab & Internet Explorer Team. It focuses on explaining how users fall prey to clickjacking attacks and what care web developers should take to defend against them.

The event, organized by Microsoft User Group Hyderabad (MUGH), had more than 300 audience and was held at Microsoft Hyderabad campus. 

agenda!

Presentation: check Slideshare

Demos source code: check GitHub

There were several interesting sessions presented by speakers on cutting edge topics such as Windows Azure, ASP.NET MVC3, Bringing HTML5 experiences to ASP.NET website, Patterns & Practices in C#, SharePoint 2010, SQL Server Denali and Knotting Windows phone 7, Azure & Kinect. The audience were very enthusiastic and interactive, which made the sessions lively. Nice to meet several techies in the event. The learning I had was huge while preparing for this session and answering Q &A :)

TechEd on the road-new features in ECMAScript 5

Happy to say that today I have presented at "TechEd on the road", a developer conference at Microsoft Hyderabad, on "JavaScript APIs and enhancements in ECMAScript 5". It is one of the premier tech events, organized by Microsoft User Group Hyderabad (MUGH) with audience in both developer and IT Pro tracks.

 

As in most of my sessions, I tried to use web based presentation instead of traditional power point. I developed my presentation using HTML5, jQuery and leveraged the new features of ECMAScript5, just to showcase a real time demo.  The response of the audience and fellow speakers was very cool and probably the presentation was worth the effort :)

 

Presentation & Demo: Click here

 

Note that you need ECMAScript5 supported browser to run the slide show. You will get a prompt if your browser doesn’t support ES5. Run it in full screen and use 'right', 'left' keyboard keys to navigate.

 

For the presentation, I have checked several existing solutions like S5, HTML5rocks slides etc., but I wanted inline code snippets as demos . So wrote my own slide show system and it came out well. Probably, I shall write another article on how I have developed it.

 

Have thoughts of generalizing this web based slide show and releasing it on github/codeplex. Play with the presentation and get back with your thoughts :)


Update: You can check about the proceedings and pictures of the event in my friend Phani's blog.

Integrating Social Networks with ASP.NET-Virtual Tech Days 2010

Happy to say that I have presented at Virtual Tech Days 2010 on "Integrating Social Networks with ASP.NET" in Developer's Track. It was a 3 day online technical event (Nov 22-24, 2010) with ~75 sessions from 55 Industry experts on Microsoft technologies.

My presentation: Click here

Demos: Click here

The sessions were scheduled for Developer and IT Pro folks, spanning over Web Development, Windows Client Development,  Database and BI Development, Windows Client, Online Services, Security, Rich Web Experiences, SharePoint 2010, Windows Azure, Datacenter, Database Administration, Interopirability with Microsoft Technologies and Hands On Labs. In case you missed the event online, you can download the presentations and videos from the site shortly. 

Though I could not meet developers in person, I enjoyed presenting a demo filled session, which I hope would be useful for developers to start off with social networking APIs in their ASP.NET websites. If you couldn't get a chance to ask questions during the session, you can always tweet me.

So what next? Microsoft Community Tech Days is coming on December 18th, 2010. Venue is Microsoft Hyd campus. I've seen lots of hot topics being prepared by community folks! Dont miss it!!

Happy programming :)