Hardware Security Modules (HSMs)

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. Hardware security modules are physical devices with auditing and encryption capabilities; they are used to protect sensitive information such as encryption keys, and also for their performance in encrypting/decrypting information. Once you load an encryption key into it, it can only be accessed/used…

MSSQL Shrink / Truncate transaction log

SQL transaction logs allow you to restore a database to a specific point in time, and are a great option for a production database, but these logs must be backed up frequently enough to prevent them from filling up. Note that you need to back up the transaction log itself, not just the database, if you want to use the Full or Bulk Logged recovery models. This article describes the right way to set this up: https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/back-up-a-transaction-log-sql-server?view=sql-server-2017

If you’ve already taken a full backup of your database, and find yourself in a crunch and out of space, the following is a quick way of clearing the transaction log to recover space:

Log into Microsoft SQL Server Management Studio…

Representing State Machine Capabilities using neo4j / graph databases


Building the graph

The first challenge we have is representing the capabilities of the system in a logical way. We can get a list of all the possible general classes of states, and represent inheritance for them, which will come in handy later.

// Find every concrete state type derived from ProcessableState and create one StateType node per type
var derivedTypes = ReflectionHelpers.FindAllDerivedTypes<ProcessableState>();
foreach (var type in derivedTypes)
    graphClient.Cypher
        .Create("(statetype:StateType {newState})")
        .WithParam("newState", new { type.Name })
        .ExecuteWithoutResults();

This is done with a simple helper class:

public static class ReflectionHelpers
{
    public static List<Type> FindAllDerivedTypes<T>()
    {
        return FindAllDerivedTypes<T>(Assembly.GetAssembly(typeof(T)));
    }

    // Overload that scans one assembly for types deriving from T (completes the truncated excerpt)
    public static List<Type> FindAllDerivedTypes<T>(Assembly assembly) =>
        assembly.GetTypes().Where(t => t != typeof(T) && typeof(T).IsAssignableFrom(t)).ToList();
}
Installing and configuring SonarQube with Azure DevOps/TFS

Our team follows a process adapted from Microsoft’s Release Flow [see: https://blogs.msdn.microsoft.com/devops/2018/04/19/release-flow-how-we-do-branching-on-the-vsts-team/], in which we create a branch off develop (our long-running, mostly-stable product), do our work, commit it (with the PBI/Bug number in a comment), push the branch, then go into TFS and create a pull request. TFS will suggest a shortcut link to create a PR for the branch you just pushed into your default branch (in our case develop); or you can click the New pull request button and choose your source and target branches.

Application Lifecycle Management / World-Class DevOps


Development process

We are a Scrum team, planning work in 2-week increments, reacting fast to change, and following best practices in research, planning, architecture and writing software. The team’s focus is on building great software, so we want them focused on what’s important.

  • As a developer, I take on a new feature or bug that’s in the sprint and ready for development, and mark it as development in progress.
  • Then I create a new branch off of develop, and do the work.
  • Then I commit one or more times, and mention #[Work Item Number] in the commit message, along with a description of what changed.
  • Once I consider the work complete and “tested” locally on my computer, I’ll push the branch, go into TFS and click the shortcut to create a PR.
    • develop is locked, so all changes have to enter via Pull Requests.
  • On the next page I’ll make sure everything looks good, by doing one more check of the changes in the code, and click Create.
  • Done, and move on to greater things …

Exporting and Importing Visual Studio and Resharper Settings

Whenever I get a new computer, or reinstall Windows and such, I realize and remember that I again have to adjust all the settings to just the way I like them, and usually don’t have time for it. On a new setup this consists of keyboard shortcuts for the most part, but I’m also a big fan of some Resharper features. Resharper can really slow down Visual Studio with its defaults, because they enable a lot of features which, although cool and useful, aren’t worth the performance trade-off for me. I…

Code Quality using SonarQube

Code quality, best practices and standards are often the distinction between projects that are maintainable, secure and scale well, and projects that need to be rewritten every year. Unfortunately we were in the latter category for quite a long time, despite everyone preaching best practices and despite being a group of quite smart individuals. The problem is we all had our own idea of what best practices to apply, what standards to follow and how we defined quality. We had to find a way to track and improve, and then we discovered SonarQube.

SonarQube is a static code analysis tool.

It uses language-specific analyzers and rules to scan code for mistakes, patterns that are known to introduce security vulnerabilities, and code smells [according to Wikipedia and Robert C. Martin, “Code smell, also known as bad smell, in computer programming code, refers to any symptom in the source code of a program that possibly indicates a deeper problem.”] …

Testing concepts


Unit Testing

Unit tests are automated procedures that verify whether an isolated piece of code behaves as expected in response to a specific input. Unit tests are usually created by developers and are typically written against public methods and interfaces. Each unit test should focus on testing a single aspect of the code under test; therefore, it should generally not contain any branching logic. In test-driven development scenarios, developers create unit tests before they code a particular method. The developer can run the unit tests repeatedly as they add code to the method. The developer’s task is complete when their code passes all of its unit tests.

A unit test isolates the code under test from all external dependencies, such as external APIs, systems, and services. There are various patterns and tools you can use to ensure that your classes and methods can be isolated in this way—these are discussed later in this section…

Debugging on localhost with HSTS


What is the function of HSTS

HSTS stands for HTTP Strict Transport Security, and it tells your browser that your web content should always be served over HTTPS. See Security Headers for more info.

Adding a signed localhost certificate to the Trusted Root Certification Authorities store

Newer versions of Chrome require that the server’s certificate contain a “subjectAltName” extension, otherwise known as a SAN certificate. If you are using an older signed certificate which only references a commonName, you might still get rejected by Chrome even if your certificate is valid.

Securing a new web server

Ideally you already have a snapshot you maintain and have hardened, and just have to clone it when you need new servers deployed. If you have to build a clean image to use for your future VMs, it’s usually easier to start with an existing VM you’ve configured, because it already has everything you need installed; but it might also have other stuff installed that you don’t necessarily want on every new VM, so here’s how I quickly set up a new server image:

1. Install a clean version of Windows on a new VM

2. Set up your networking stack, and run Windows Update and install all the updates available…