A few years ago I become aware of the fact that it is truly amazing how long our Creator allows us to live.  So early in life we begin to rebel against Him.  These body's we are encased in wreak with depravity and are so far from their potential.  It is often hard to believe (but I certainly do) that we humans are made in the image and likeness of God.  It is so easy to see our failure, weakness, depression, and sorrow.

Today I want to publicly acknowledge my thankfulness to Jesus Christ for creating, sustaining and preserving my littlest girl Grace.  She turns 1 today.  We had an incident a couple months ago where she got a penny lodged in her throat and she could have easily died.  Her life was spared from that.  What is truly amazing though is not that God spares us from accidents, but that His Grace is sufficient to spare us from the incredible wrath we earned for ourselves by not trusting and following Him.

Thank you Jesus for your great love and the grace which you constantly pour out on us.  We do not deserve it!  I do not deserve it!

Typically Vue offers discount certification exams at TechEd so this year I decided to complete my MCSD.  I had been very lazy putting off the final 70-300 exam on solution architectures.  Now that I have taken it I know I had nothing to worry about.  Someone described it as a reading comprehension test and I concur.  There are a few questions you need to make technology decisions on.  You also need to understand what kinds of things would be on different types of design docs.  I had 3 scenerios and 30 questions.  I am glad to be finished with it.  Perhaps my next certification will be the Architecture route.  They are announcing that certification here at TechEd.

For anyone else considering certification I have great news.  First if you are at TechEd you can probably still take an exam for half price.  Second, if you fail you can retake an exam for free.  That offer comes from Microsoft and has been extended through the summer.  You do not have to be at TechEd for that one.

So, I have a new plan for Tech Ed this year.  I find that attending like 75 different session over the course of a week is more than I can even begin to absorb.  This year I will focus on Smart Client technology since it is not something I have spent much time looking at in the past.  ASP.NET is great, but I am tired of state management issues.  I want to do smart client applications.  I want to fully exploit serialization.  I want to cache a lot of data on the users machine, not the web server.  Expect to find me hanging around sessions with Tim Huckaby and Rocky Lhotka this year.

Oh, so the point of this post.  I was reading up on some blogs to prepare for the week.  I discovered a brilliant plan by the Microsoft RD's.  Instead of full 1 hour plus sessions they are doing something called Grok Talk.  These 10 minutes gigs are more like technology drive bys.  I look forward to catching a few of these between the fights over the good ice cream bars.  Don't worry Rory and Scott, I am saving the baby carrots for you.

You just can't have too many free food and drink events at these conferences.

Expo Hall Reception
Monday, June 6 6:00pm – 9:00pm Hall A/B

Microsoft Tech·Ed 2005 Attendee Party
Thursday, June 9 7:30pm – 11:00pm Universal Studios Orlando

I am sure some more open events will happen to fill in the gaps for Tuesday and Wednesday.  There are several private parties going on.  If you have not been invited to any then you need to become better friends with the people who hold the invitations.  I will let you figure out how it works on your own.

The first Tech Ed Party / Nerd Dinner is tomorrow night:  Join the Party with Palermo at the Pebody.

4PM - Arrival begins.  meet and greet.  Discuss conference sessions, etc.  Networking.
6PM - Geek Dinner.  I have reserved for 20, so I will need actual names for people to expect.
7:30PM - Drinks and conversation at the hotel bar.
Depart whenever.

After a long day on airplanes I have arrived in Orlando.  For those who have not left for Tech Ed yet here are a couple tips:

Pack an extra bag for hauling home all your shirts and other swag. 
Its rainy here.  Pack a rain jacket.
Look for me in then INETA community lounge.  I will be there Monday and Wednesday mornings as well as other times throughout the week.  Say hello!

Today I had a question from one of our developers about bridging ASP and ASP.NET applications and how to handle the security.  What I always recommend for all .NET web applications is that people use what is built-in.  Forms authentication works very well, already has security for things like authentication tickets, and it already handles checking authorization by just adding the <authorization> tag in web.config. 

Many ASP applications already have the concept of a userID and Roles.  In February I presented a session at VS Live that included some sample code that will easily address setting up forms authentication with roles for ASP.NET.  Lets jump right into it in a basic walk-through.

#1 Web.config settings.  These basic settings tell the framework that all unknown users should be redirected to the Logon.aspx page.  If the users are known (authenticated) then they can browse the other pages in the application.

<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name="myAuthCookie" timeout="60" path= "/"></forms>
</authentication>

#2 Logon.aspx.  We could have a username and password input form or any kind of input we want to use to validate the user.  Since I am talking about a solution here that makes it easy to share authentication between classic ASP and ASP.NET we will leave the ASPX page itself blank and handle the check in code.  My recommendation is that the ASP classic application would instead trust the .NET authentication.  For that you might simply set an extra cookie from .NET that the ASP classic could read.  It really depends on how your ASP application validates users.  You would simply want to have the ASP.NET code duplicate the current ASP mechanism so when the user hits ASP pages they do not know any difference.  In other words, the ASP code would still check for a specific cookie or something like that. 

#2a Logon.aspx.cs.  In the code behind the for the authentication page is where all the real work happens.  Lets look at it in detail for the given scenario.

private void Page_Load(object sender, System.EventArgs e)
{
string userID = "";

// Check the ASP classic authentication cookie array or whatever you use in ASP to know the user is logged in
if (!(Request.Cookies("MyApplication") == null))
{
// Assuming here if authenticated then we also have a userID
userID = Request.Cookies("MyApplication").Values.Get("userID")
}

if (userID == "")
{
// unknown user. Send them back to classic ASP login page
Response.Redirect("login.asp");
}
else
{
// We have a userID from the ASP application. Use it to create an authentication ticket
// Get a pipe delimited string of the groups (Roles) that the user belongs to.
// Typical ASP applications store a list of roles in a database table. Hard coded here for sample.
string groups = "Editors|Registered Users|Newsletters";

// Create a forms authentication ticket that we can stuff the userID and Roles into
FormsAuthenticationTicket authTicket =
new FormsAuthenticationTicket(1,
userID,
DateTime.Now,
DateTime.Now.AddMinutes(60),
false, groups);
// Encrypt the ticket.
String encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Stuff the ticket into a cookie
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
Response.Cookies.Add(authCookie);

// Return the user to the requested page now that an authentication ticket is created
Response.Redirect(FormsAuthentication.GetRedirectUrl(userID, false));
}
}

#3 Global.asax.cs.  This is where the magic of .NET forms authentication really happens.  If you are not stuffing the roles into the authentication ticket then much of this whole process can be greatly simplified.  Putting the Roles into the ticket will give us an easy way to apply them to the current user on each request.  Lets take a look.

I stumbled on Rick Laplante's blog entry today where he gives some details on how Microsoft is responding to customer feedback about Team System.  He links to a couple of important charts that will help us all make decisions about which versions to buy.  The other exciting piece of news is that each of the Team System role sku's will include a 5 developer license of Team Foundation Server.  That should help the small shops find it easy to get started with.

Compare Visual Studio 2005 Team System Software Editions

MSDN Subscriptions for Visual Studio 2005

This information simply must be propagated on the net.  I have been going back on forth with Creative support via Email and they have suggested the standard stuff, all of which I tried.  After I upgraded my Zen Micro to support subscription media via their latest firmware I ran into a serious problem.  My laptop would no longer recognize the device.  It showed up in device manager, but no software would acknowledge it.  I am so glad to have this solved.  I really did not want to play for format c: game on my machine to get this working.

So here is the fix that I finally discovered at: http://hardware.mcse.ms/message94329.html

1. Log in as an administrator (if you are not already logged in that way).

2. Go to Start, Run and type "regedit" (without the quotes).

3. When the registry editor starts, navigate to the following location in
the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

4. Right-click the Enum hive and select Permissions.

5. In the permissions dialog, add the Everyone group.

6. Give the Everyone group Read access.

Close the registry editor and connect the Personal Media Center device.

Last Friday I decided to see how well the 30 day return policy at Best Buy would work.  I returned my Samsung MP3 player and they gladly exchanged it for whatever I wanted.  As previously mentioned I decided to go for the Creative Zen Micro since it supports subscription DRM services.  BestBuy.com has the player $10 cheaper than the store and they had no problem taking the extra $10 off during the trade in.  Best Buy gets a +1 for this!

Of course I could not wait to rip into my new device and give it a spin.  All was well until I did the latest flash upgrade.  This was required for it to support subscription music.  After the upgrade my laptop refused to see the device.  I assumed it was defective and returned it to Best Buy and got it replaced, again with no problems.  You can imagine how bummed I was when the 2nd Zen had the same problem as the first.  After searching the net for others with the same problem I found that I was not alone.  Since Creative Tech support is closed on weekends I decided to wait until today to call them.  I brought the device to the office to see if my work PC liked it.  Guess what, no problems.  Now I have an interesting dilemma.  My cool MP3 player will not work with my home PC.  Next thing is to rebuild the home PC and see if that takes care of the problem.  Forget calling Tech Support, at least for now.

Microsoft, Creative and other players in the subscription audio world are going to have to make this stuff work flawlessly or they may find MP3 players thrown through the Windows.  I don't mind being on the bleeding edge of technology, but when my very recent hardware and completely up to date software do not work together I am not a happy boy!

About 3 weeks ago I decided it was time to join the MP3 revolution.  I did some research and decided that I wanted to go with portability over extreme storage size.  Initially I thought I would go for a 60 Gig Zen Xtra.  iPod is absolutely not a consideration for me because I prefer WMA format and I don't want to load iTunes just so I can use it.  I ended up walking out of Best Buy with the Samsung YP-MT6Z (1 Gig).  I went to the store thinking that I would prefer the Creative Zen Micro because I wanted to store several albums at a time.  When I saw the size of the flash based devices I changed my mind.  The in stock Zen only came in black did not look appealing to me either.

The Samsung player has been fantastic.  I am still running on the battery that came with it in the box.  They claim 42 hours on a single AA battery and I am convinced that must be accurate.  My player still shows no sign of battery weakness.  I have loaded about 10 albums on it in addition to several hours of spoken audio.  I give a solid A-.  Read on to learn why I cannot rate it higher.

Yesterday I read that Yahoo had a new subscription music service.  I decided to give it a run because the price point was only $4.99 /mo.  I was excited to start downloading anything I wanted to listen to.  With a click I get almost any album I can imagine.  I am now convinced that CD based music as we currently know it is going to disappear in the near future.  I will go so far as to predict that even MP3 players as we know them today will change.  What I believe will happen is that we will end up with devices like car stereos and cell phones that have some flash memory for caching a short playlist.  That playlist will sync with a subscription service whenever the device can get connectivity to the Internet.  Wireless broadband technologies will enable this.  Devices will even allow you to request songs on demand, probably through a speech interface.

Now that I have tasted the beauty of subscription music on demand at an affordable price point I have a huge complaint about my WMA/MP3 Player.  It does not support DRM10 or whatever the standard is for enabling subscription content on portable devices.  The current list of devices supporting subscriptions is very short.  There are only 13 devices in the list.  None of them are high capacity flash devices.  Matter of fact none of them are flash devices at all except a cell phone.  My plan now is to see how far I can get with the 30 day return policy at Best Buy.  If they will take back the Samsung I am going to get the Zen Micro.  In my opinion the Micro is the best option for a portable device that supports subscription music and everything else I want in a player.  I hope that we don't have to wait long for the industry to catch up with DRM standards and devices.  At $5/mo. I will probably become a subscriber for life and never buy another CD again.  Instead I will outfit my home, vehicles, and my pocket for the Any Music, Any Time future!

I have been having a discussion with one of our developers about SSL.  He is updating some code and wanted to make sure that anyone who used the application would be doing so via SSL.  I believe the discussion will be valuable to many so I wanted to share some tips.

There are a couple of simple ways to guarantee that users are using SSL.

#1 In IIS you can set the application to require SSL so anyone trying to access it over HTTP will get an error.  I do not like this option for 2 reasons.  It requires extra IIS configuration to implement and I like to avoid throwing errors if possible.

#2 Applications can check for the use of SSL and force a redirect if it is not being used.  This is my preferred and recommended approach for all applications that involve sensitive data. 

Here is some simple VB.NET ASP.NET code that does the trick for option #2.

‘ Force users of this application to come in using SSL

If Not Request.IsSecureConnection Then Response.Redirect(Request.Url.ToString.Replace("http:", "https:"))

The biggest question this creates is how to handle the development and testing environments where SSL certificates may not be installed.  I have good news for you there.  Microsoft has a couple of tools for creating self-signed certificates that are prefect for development environments.  You can easily install a test certificate on your own development machines.

The IIS 6.0 Resource Kit includes a tool called SelfSSL that you can use to make certificates.  I prefer to use MakeCert.  I use it enough that I put together a simple Create_Cert.BAT file to make it even easier to use.  The file takes in the machine name as a parameter (%1%).  You can find documentation on the various options in MSDN.

makecert -r -pe -n "CN=%1%" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -nscp

• Copy the MakeCert.exe tool and create the Create_Cert.bat file on your machine.
• Open a Command Prompt window and change to the directory where you put the makecert.exe and the create_cert.bat files.
• Execute the create_cert.bat using the machine name of your PC as a parameter.  Typically we use LOCALHOST on our local machines. (ex. C:\tools\create_cert.bat localhost)
• In IIS you can now set the Default Web Site to use your test SSL certificate. 
  My Computer -> (right-click) Manage -> Services and Applications -> Internet Information Server -> (right-click)Default Web Site -> Properties -> Directory Security -> Server Certificate – Assign Existing.

I hope you agree with me that it is easy to develop and securely interact with customers over with SSL.  If you are looking for affordable SSL certificates for production servers you can now get them for as little as $29.95 at www.GoDaddy.com.

Last year Forbes ranked Boise #7 in the list of Best Metros for Business and Careers.  This year my home town hits #1!  As an employee of Idaho Commerce and Labor I know that Boise and Idaho are both doing well in large part because of the leadership in my own agency and within State government.  Pay a visit to Idaho this summer and see why so many of us love it here!

One feature of ASP.NET configuration files and the new configuration files for IIS 7.0 is an attribute known as configSource.  For the elements that support this you will have a few different options for dealing with configuration.  This value in this attribute can point to any file path that is lower in hierarchy, but may not be higher or on a different disk.

With this feature you can manage configuration sections in separate files.  Also, in IIS 7.0 you can include another attribute to flag the configuration not to cause an application restart when the configSource file changes.  Perhaps that will be in ASP.NET 2.0, but I have not discovered it yet.  By default it will cause a restart of the application just as web.config changes do.

22.April.2005 Update: I have changed my feature request concerning delegated administration.  I would like to be able to delegate that site and application owners both be able to create new applications within their physical folder hierarchy.  The creation of virtual directories can remain a server administrator function.

Today the focus of the IIS 7.0 DevLabs centered around new monitoring and diagnostics features as well as security.

Monitoring and Diagnostics apparently is an expansion of some new things that have been released with Windows 2003 Service Pack 1.  I was not aware of any new monitoring features in this service pack so I now have some new things to explore that I can use today!  I am told the best place to start to get a handle on the new features is the webcast: IIS 6.0 Service Pack 1 Tracing: Inside and Out.  In addition to this I imagine that some of the new performance and health monitoring features in ASP.NET 2.0 will also be merged in.  This area of IIS and ASP.NET development is something I have not spent much time, but it is certainly needed.  It has been far too difficult to troubleshoot IIS hosted applications.

IIS 7.0 is going to allow us to get information on the state of all running sites, application pools, worker processes, and application domains.  Additionally it looks like we will get programmatic control of starting and stopping some of these services at levels that are lower than the site.  The ability to drill into the currently executing requests through the Admin Tool and WMI is going to finally enable us to easily see which applications are hogging the CPU and memory.

The ASP.NET tracing model has made its way into IIS and both can actually be combined into a single log.  Essentially IIS becomes and ASP.NET trace listener if you want to configure it that way.  By merging the tracing we get a complete picture into the request/response cycle with all trace details in order and in context.  A fantastic feature that will be included with IIS is the ability to automatically log tracing details for failed requests.  For example, if the application does not respond, is too slow to respond, or responds with an error, the auto-tracing feature can take care of guranteeing that the trace details get recorded. There is an admin service that runs outside of the IIS server itself, so even if the application fails completely, trace data still gets written, which apparently is not the case with ASP.NET alone.  Modules participating in the IIS pipeline can be both providers and consumers of tracing output.  Administrators will appreciate the ease with which they can enable or disable tracing through the admin tool.

Security has been greatly enhanced as I have previously alluded to.  Today we dove deeper into some of the scenarios and looked at how to start with totally locked down server and slowly add functionality to it as needed.  This differs greatly for current defaults where most IIS functionality is enabled out of the box.  IIS 6 certainly improved on this over IIS 5, but the modular architecture of IIS 7 takes this idea to the extreme.  Limiting the installed modules reduces the attack surface and patch requirements to only those features that are installed.  For example, if you plan to only server static content you would not need to worry about attacks and patches for ASP or ASP.NET.

Wearing my site and server administrator hat I get very excited about the new security delegation features as I mentioned yesterday.  An additional and very helpful aspect of this includes the ability to delegate administration to non-Windows users.  That will be fantastic for hosting scenarios.  Delegation follows the standard hierarchy of site and application. Hmm, I wonder if non-Windows uses can be configured as server admins?  Comments IIS team?  Currently only server admins are able to create virtual directories and applications.  Personally I see this as a huge mistake.  As a consumer of hosting services I have to have the ability to create IIS applications within my hosting space so that I can run applications like dasBlog and others in a sub folder of my site.  If you agree then join me in asking for delegated administration of virtual directories and applications.  At the moment this is my 2nd biggest request for the IIS team.

Putting my ASP.NET developer hat (favorite) back on I'd like to buy Scott Guthrie at least a case of beer (or whatever his favorite beverage is) for merging the authentication an authorization of IIS and ASP.NET.  (Share it with the team doing the work!)  Finally the authentication options are all configured in only 1 place.  In addition I can just interact with the reuesting User in the context and not be concerned about how that user was authenticated.  Further we finally have a solution the problem of applications that want to first check for a Windows user and then fail over to forms authentication.  Today that scenario requires configuring a page to use Windows authentication in IIS and then handling a security exception and and it gets messier from there.

Good stuff abounds in the IIS 7.0 security picture:

• Impersonation has been improved so that is not so confusing about which account the application is running under.
• All authentication mechanisms can be applied to all content, including ASP.NET 2.0 membership authentication solutions.

Note to self: Research ADFS (Active Directory Federated Services) and how it may tie into a custom SSO solution.

URLScan and some of the other tools currently available to tighten security and assist with URL authorization have been replaced by, as one would imagine by now, powerful new configuration elements and of course corresponding modules.

• The features of URL Scan have been built in and enhanced.
• System policy can enforce authorization and serving rules.
• There are 12 new 404 error sub status codes to help determine the rules blocking access.
• Authorization is granular all the way down to the URL level.
• Rules can be deployed with the application as expected when using config files.
• File extensions can be restricted.
• Verbs can be restricted. (POST, GET, etc)
• Specific files and folders can be protected from being served. This can be accomplished with "hidden namespaces" or sequences.  Sequences are string patterns that allow you to block say all URI's that contain "bin" or something like that.  This enables easy blocking of specific patterns that may exploit vulnerabilities as they come up.

Tomorrow the DevLab will wrap up and I will head home.  Stay tuned for the final post in the series.

20.April.2005 Update:  IIS PM Shai Kariv informed me that the managed configuration API will allow for interaction against remote machines on the network.  Previously I had stated that only WMI made this possible programmatically.  Of course this is disabled by default.  To enable it run aspnet_regiis -config+ on the remote machine to enable remote access to configuration.

Today the fact that IIS 7 centers around configuration files was driven home.  We had opportunity to learn about and experiment with the new IIS Admin tool and the WMI scripting interfaces.  By the end of the day I was asking questions about the different features each of the administrative tools provides.  I still have much to learn, but I do have a bit to begin thinking over.  Here are the highlights.

IIS Admin Tool has been completely redesigned and architected.  At this point the classic tree view we are used to does not even exist.  I and others are asking that it be brought back for rapid navigation of servers, sites and applications.  There is a strong move in the tool toward specific administration roles.  For those that focus on a specific area in the configuration hierarchy you will find that the tool nicely limits your interaction with the server to appropriate areas.  To further enhance this limited administration there is a new delegated security model.  This is probably my favorite new feature of the tool.  My second favorite feature is the ability to administer sites remotely over the Internet.  Of course it can use SSL to keep the data secure and also requires credentials to administer a remote machine.  I think the combination of delegated security and remote administration will make this tool popular for hosters and very helpful for application developers as well.  Developers are simply going to love IIS 7 because they finally will have the ability to configure the setting they need without having to request them from an administrator.  Admins, don't worry, developers will not have more access than they should not.

A few more take aways on the IIS Admin Tool:

• It is fully extensible.  Microsoft uses the public extensibility scheme themselves for the tools they have built in.
• New or updated modules are synced up with the admin tool when it connects to the server.
• Creating new modules for your custom configuration sections is relatively painless.  I imagine it will get even better be the time we see the first beta.

WMI and Scripting have been enhanced.  The WMI programming model has been cleaned up to make it easier to use and consistent between the different objects that are exposed for IIS.  Having never worked with WMI I discovered a whole world of automation that I have been missing out on.  I look forward to working more with WMI now and into the future with IIS 7.0.  WMI turns out to be the only programmable interface that works against remote servers on a network.  The .NET managed APIs for configuration are great against a local machine, but only WMI will let you hit a remote machine from code.  I asked around and learned that WMI uses traditional COM and DCOM to remote the calls to the remote machines.  Apparently both WMI and the GUI Admin Tool ultimately use the .NET configuration API to get their work done.

Some additional new features offered up through WMI include:

• Enumeration of Application Domains and Worker Processes
• Access to custom configuration sections (using new tools to automatically update the required MOF)

At the end of the day I had opportunity to continue on my soap box with the request to de-couple IIS from the operating system.  This time I made the request to Scott Guthrie.  I told him that I am going to keep requesting it right on up to Steve Balmer.  I suppose I could take it Bill Gates, but I probably should reserve any requests to Bill for things of slightly more importance.  Not that I will ever have an audience with Steve or Bill (notice the first name basis I ave with people I don't know), but it is fun to talk about.  Please join in this request if you also would like to see IIS removed from the Operating System beginning with IIS 7.0.  Perhaps if we make enough noise about we can get the right people to respond.  Anyone want to start a new site for the De-coupling campaign?  Perhaps something like decoupleiis.com (it's available at the moment).

Speaking of new domains, I registered IISSeven.com last night.  I plan to dump information about IIS 7.0 there.  To begin with I will aggregate my IIS 7.0 blog category and start linking to IIS team member blogs as well.  I guess I had better do some work tomorrow getting those team blog URL's.

For those of you who are following the back ported Membership API I have some news.  Tonight I had opportunity to visit with Scott Guthrie and I asked him when we might see the download return.  He indicated that it was likely not to return.  Currently DotNetNuke and Community Server are both licensed to use it.  Others can request it and will likely be granted license, but the issues around supporting it are apparently causing Microsoft to hold back on releasing it openly.  For those wanting to check it out you probably should plan on following the steps I outlined when it first appeared.  I will leave the latest changes in implementation to you for now.  Those who really want it will need to find a way to request it from the ASP.NET team.

Scott Guthrie, here is a thought.  Perhaps you could give it to a 3rd party like myself or someone else who could maintain it in an open source model.  That would free Microsoft from supporting it and still allow the community to begin writing against it to prepare for .NET 2.0 and gain its advantages today.  I would be happy to rebuild it under a new namespace to remove Microsoft from responsibility for support and updates.

A couple other news items from Scott.  Sharepoint 2006 or whatever the next version is called will support forms authentication for Internet sites.  He has updated his VirtualPathProvider sample code for Beta 2 of VS 2005.  See the download for the March 20, 2005 talk from VS Connections in Orlando.

I just got notice that the Boise Idaho chapter of ISSA will be holding the 3rd Annual Information Security Conference May 4th and 5th.  There is no cost and the quality of the speakers is top notch.  Where else can you hear this lineup and get a free lunch to boot!  I have attended this conference in the past and I believe it is well worth the time.

Howard Schmidt,
Vice President and CISO, eBay

Enterprise Security Incident Management - Can we run any faster?
The volume, severity and frequency of IT security incidents has increased dramatically in the past few years resulting in increasing risk to enterprises. Traditional incident response programs are failing to keep up. Effective proactive and reactive programs must be established to manage these threats. This session will outline steps taken by one organization to develop a comprehensive incident management program and bring order where there was chaos.

Peter Coffee,
Technology Editor, eWeek

State of Technology
Peter Coffee, Technology Editor of the national enterprise newsweekly, eWEEK, has twenty years' experience in evaluating leading-edge information technologies and practices. In addition to writing product reviews, technical analyses and his weekly Port Scans column on IT issues and practices, Peter has appeared on CBS, NBC, CNN, Fox, and PBS TV newscasts addressing system and network security, the Microsoft antitrust case, and other eBusiness issues. He chaired the four-day Web Security Summit conference in Boston during the summer of 2000, and has been a keynote speaker or moderator at technical conferences throughout the U.S. and in England.

Sherry Ryan,
CISO, HP

Getting Governance Right - Aligning IT Security with the Business
Hewlett-Packard has developed organizational linkages and established a number of practices designed to engage HP's business units with IT Security governance and implementation. This session outlines the key elements of these practices and covers the challenges associated a broad approach to integrate security into business processes.

Dave Cullinane,
CISO, Washington Mutual

Secure Application Development - Where do you start?
Security assurance in software development environments requires building security in from the start. This session will describe the approach taken by one company to embed security throughout the lifecycle including lessons learned and cover tools and techniques for enabling and empowering developers.

John Wylder,
Strategic Security Advisor, Microsoft

TBA
TBA

Ira Winkler,
CISSP, CISM is President of the Internet Security Advisors Group

TBA
TBA