May 7 - 9, 2018, Washington State Convention Center, Seattle, WA
This is a summary of my notes for the most valuable sessions I attended. Notes regarding hands-on experience (labs, expo) and most sessions less than 45 minutes were not included.
- Several big high-level announcements, including partnership with Qualcomm and DJI, Project Kinect for Azure, and Project Brainwave
Building Secure Cloud Apps - Lessons Learned from Microsoft's Internal Security and Software Engineering Teams
- Microsoft pushes the culture of security to its engineering team
- Forces responsibility and accountability
- Security is hard
- Developers need to secure against everything, but attackers only need to find a single flaw
- "Attacker's advantage and defender's dilemma"
- Defender must defend all points
- Defender can only defend against known attacks
- Defender must be constantly vigilant
- Defender must play by the rules
- Attacker can choose weakest point
- Attacker can probe for unknown vulnerabilities
- Attacker can strike at will
- Attacker can play dirty
- No app is ever "secure": security is a continuous, iterative process
- Security requires 4 things to be carefully considered:
- Design (authentication, authorization, data classification, transport & storage, threat model)
- Code (secret management, code management, code quality, dependency management, static analysis)
- Environment (ARM RBAC model, network, OS, patching, encryption)
- Operations (telemetry & audits, incident management, access control, disaster recovery)
- Security Intellisense Extension preview for Azure development
- Optionally fails builds if security issues are identified
- Video recording
- 1 million new active .NET users in the last year
- Overview of some impressive .NET Core 2.1 performance enhancements
- 10x faster builds
- 123% faster data access
- Large memory and runtime optimizations
- .NET Core build support for ARM processors (e.g. Raspberry Pi)
- WebAPI development enhancements
- Debugging API will launch the API CLI
- "ls" returns available endpoints
- Typing "ui" launches a web-based auto-generated UI
- .NET Core 3.0
- Focus on desktop, IoT, and AI, including WinForms and WPF frameworks
- .NET Core App Bundler will now remove unused MSIL and compile into a single executable - no DLLs required
- Existing WinForms apps can simply have their runtime swapped out to .NET Core 3.0, no other changes
- Twice as fast
- Visual Studio 15.7 can now download NuGet package source and step through in debugger
- If VS can't locate source, it will decompile it for you
- Options -> Text Editor -> C# -> Advanced -> Enable navigation to decompiled sources (experimental)
- Announced ML.NET 0.1 Preview
- Cross-platform, open-source machine learning framework
- Can train and execute models
- Mature library - used internally by Microsoft for a decade in Bing, Office, and many other products
- .NET can now run natively in the browser with WebAssembly and Blazor
- General-purpose machine learning library
- Supports model training, regression, classification, many different learning algorithms
- "Framework-first" approach
- Will support and integrate with CNTK, TensorFlow, etc
- Iris classification tutorial
- Application Insights & Snapshot Debugger
- Great log querying features on Azure
- Can log and aggregate exceptions
- CorrelationId on HTTP Request
- Can be very useful for logging to determine exactly what events were logged for a specific HTTP request
- Snapshots will take a "snapshot" on your live application where you put a snappoint (similar to a breakpoint)
- You can then inspect this snapshot in VS, including variable inspection, locals, watches, etc
- Very much like debugging, but you can't continue to step through
- However, you can add multiple snappoints and inspect all of them
- All data preserved from that request
- Video recording
- Overview of 7.1, 7.2, 7.3
- Future features:
- Nullable reference types
- Recursive patterns
- Asynchronous streams
- Asynchronous foreach
- Asynchronous disposable
- Default interface members
- Pattern matching switch syntax
- Records (maybe)
- "Hat" syntax
var last = myArray[myArray.Length - 1];
var last = myArray[^1];
- Range syntax
Span<T> range = myArray[1..3];
Span<T> wholeSpan = myArray[..];
Span<T> beginning = myArray[..5];
Span<T> end = myArray[5..];
- Azure has some built-in models e.g. image captioning
- For specialized machine learning processes, users can customize any pre-existing models to fit their needs
- For extra specialized needs, users can train their own models and export from Azure; use it anywhere with ONNX
- Can update models programmatically
- Cool demos of image captioning and disease diagnosis via x-ray
- Higher level of accuracy than trained radiologists
- My vote for most valuable session
- Settings -> Solution Explorer -> Properties -> Multiple Startup Projects
- F10 will begin debugging at first line instead of first breakpoint
- While debugging, right click -> Run to Cursor
- Alternatively, hover over desired line and click the green arrow
- How to debug Foo(Bar(baz.DoThing().Save()))?
- Right click -> Step Into Specific
- Tracepoints
- Right click -> Breakpoint -> Insert Tracepoint
- Can be used to output data to debug console without changing your code
- $FUNCTION will resolve to the name of the current function
- Evaluating expressions in Watch window can cause side-effects
- Use a format specifier
- "nse" - No Side Effects
- Not mentioned in above link, probably outdated
- Locals window can break down each function return
" Hello World ".ToLower().ToUpper().Trim()
- Will show the results of the literal, ToLower, ToUpper, and Trim separately
- Use the DebuggerDisplayAttribute
[DebuggerDisplay("{Title,nq}, id: {Id}")]
- More semantically correct than overriding ToString just for the debugger
- Really useful for debugging collections
- Can right click on watch, "Make Object ID"
- $1 returns the data even if out of scope
- $1 can then be used in conditional breakpoints to debug a specific instance
- C++ debugging
- Use $err to retrieve last error
- Use format specifier "hr" to replace an error code (203) with the message ("Environment variable not found")
- Snapshots & snappoints
- Similar to dump, but it doesn't stop the whole process
- Under the hood, it forks the process and attaches it to a debugger to evaluate data
- VS Enterprise has IntelliTrace, can be enabled in the IntelliTrace options pane
- Step back button, basically a rewind (may only be available for snapshots)
- Exception window in diagnostic tool has value, can rewind to where exception was thrown (maybe only for snapshots as well)
- More interesting features on Diagnostic Tools -> Events window for determining where an exception was created, as opposed to where an exception was unhandled
- ASP.NET Core 2.1 has HTTPS on by default, even during development
- Installs a local, self-signed certificate
- Instead of adding [ValidateAntiForgeryToken] on every POST action, you can add AutoValidateAntiforgeryToken as a filter in Startup to ensure it is added at any non-idempotent endpoints
- Header information, similar to observatory.mozilla.org
- Also recommended using securityheaders.io
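The three points above (HTTPS by default, the global antiforgery filter, response headers) put together in one Startup class. This is an added example, not code from the session or from Microsoft; the HSTS lifetime, the header values and the WebhookController are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Global filter: the antiforgery token is validated on every request
            // whose method is not GET, HEAD, OPTIONS or TRACE, so a newly added
            // POST/PUT/DELETE action is covered without [ValidateAntiForgeryToken].
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
        // Assumed HSTS policy; start with a short MaxAge while rolling out.
        services.AddHsts(o => { o.MaxAge = TimeSpan.FromDays(180); o.IncludeSubDomains = true; });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // HSTS is skipped in development so the local self-signed certificate
        // does not pin "localhost" to HTTPS in the browser.
        if (!env.IsDevelopment()) app.UseHsts();
        app.UseHttpsRedirection();

        // Response headers of the kind the header scanners grade (assumed values).
        app.Use(async (context, next) =>
        {
            var headers = context.Response.Headers;
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "DENY";
            headers["Referrer-Policy"] = "no-referrer";
            headers["Content-Security-Policy"] = "default-src 'self'";
            await next();
        });
        app.UseMvcWithDefaultRoute();
    }
}

// Hypothetical controller: an endpoint called by another service has no browser
// form to carry the token, so it opts out explicitly. An opted-out endpoint must
// authenticate the caller some other way (for example a signed payload).
public class WebhookController : Controller
{
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult Receive() => Ok();
}
```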
- The VS 2017 15.7 update loads large solutions 4.5x faster than the previous version
- An SSD has a more dramatic effect than CPU or RAM on VS performance
- Hiding windows on startup makes startup faster
- Can return windows by selecting Windows -> Apply Window Layout
- Close documents when finished
- Closing solutions and reopening another is faster than closing all of VS just to open another solution
- Avoid rebuilding projects when nothing has changed
- This can be an issue when some files' Build Action is set to Copy Always
- These should be carefully considered since they force a rebuild of that project
- Setting these to PreserveNewest will keep similar behavior but not force rebuilding
- Use globbing carefully
- Globbing pulls all files which match a pattern
- C:\Users\john\**\web.config would pull all files named "web.config" in the C:\Users\john directory
- Can be powerful but is very slow to analyze all those files
- Debugging loads symbol files, which map source code with binaries
- Speed up debugging by loading fewer symbols
- Enable Just My Code, which only loads symbols for projects in the current solution
- Try to prevent hindsight bias - "I knew it all along"
- Notes to take during a project to keep track of changes:
- "We started this week believing ____"
- "Here's what we learned: ____"
- "Here's how we're adjusting: ____"
- Avoid cognitive dissonance
- The uncomfortable feeling when we're trying to hold two contradicting ideas in our heads at once.
- We try to talk ourselves out of the controversy by creating excuses or imagining scenarios
- Scenario: poorly received application release after good internal reception
- "The customers just aren't ready for this yet"
- To resolve: set the more negative scenario to true, and handle the situation from there
- "Assume we didn't create the best app: now what do we do?"
- Great for meetings - tells a story and helps us to elaborate all scenarios
- Confirmation bias
- We look for evidence that "proves us right"; we avoid or ignore evidence that contradicts our beliefs
- "The customers just aren't tech savvy enough"
- "Are you worried that paying your bills online can go wrong?"
- "Don't you feel like writing checks is just easier?"
- These questions probe specific answers to confirm our bias
- To resolve: "Tell me about how you're currently doing ____..."
- "Walk me through how you're paying your bills today"
- More goes into processes than we think
- Bill pay example: users have to check their current balance, be aware of when their direct deposit hits, etc...
- Users would never elaborate on all this information. This is why it's important to have them narrate the process
- Getting customer feedback
- Give permission to complain
- Lots of people don't feel OK about complaining
- Some people are much more polite
- Make shy customers feel like they have a voice
- "If you had to change one thing..."
- "Which tasks do you put off doing?"
- "How have you done ____ differently in the past?"
- Determining everyday problems
- Suppose you had a new coworker join your team - what advice would you give them?
- People love stories and sounding smart; this helps them elaborate without asking the question "what problems do you have with...?"
- Loss aversion
- We really hate losing what we have - we'd be more unhappy about losing $5 than we would be about gaining $5
- This is why it's hard to lose features
- Sometimes there is ownership: "that's my feature"
- Sometimes this is just about power
- Sometimes it's because the answer to the question "do you want this feature?" is always "yes!"
- Must weigh cost vs benefits
- Technical debt
- Wanting is free! Building, maintaining, and user frustration later is NOT free!
- Metaphor for washing machines: no one uses most of their washer settings
- Social desirability bias
- We edit what we say to make ourselves "look good"; we don't usually realize we're doing this.
- If the answer is 'yes' or 'no', one of those answers is usually socially preferable.
- So, don't ask yes/no questions!
- At best, you'll get a short answer and then ask follow-up questions
- Instead, "In the past month, when have you ____...?" "In the past month, tell me about a time you didn't have a good chance to do a code review."
- This is a much safer way to get more accurate and specific data
- When asking a question, you want them to remember instead of inventing
- Backfire effect
- Presenting rational evidence against our beliefs can make us reject it and believe even more strongly.
- Rational evidence vs feelings: feelings always win
- Sometimes this results in anger
- "You're right - and I'd love to understand how you're using their product, what it's allowing you to do..."
- This can be a lie! But, it lets their guard down and accommodates open communication
- Consumers have a low bar, so it's easy to do this and get "on their side"
- "Just to be sure I'm clear - if you had that already, how would it make your job/life easier?" - avoids the response that "It's just nice to have"
- "Since you don't have it today, what's your current workaround?" - might give some insights into a solution