<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Project Anvil</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/" />
    <link rel="self" type="application/atom+xml" href="http://www.scorpionsoft.com/anvil/atom.xml" />
   <id>tag:www.scorpionsoft.com,2008:/anvil//2</id>
    <link rel="service.post" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2" title="Project Anvil" />
    <updated>2007-02-15T20:25:52Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.2</generator>
 
<entry>
    <title>So what ever happened with Anvil?</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2007/02/so_what_ever_happened_with_anv.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=126" title="So what ever happened with Anvil?" />
    <id>tag:www.scorpionsoft.com,2007:/anvil//2.126</id>
    
    <published>2007-02-15T19:50:00Z</published>
    <updated>2007-02-15T20:25:52Z</updated>
    
    <summary>I have had a few people email me asking what ever happened with this product. So I thought a post might make sense. Getting working technology in place took no time at all. Getting it to a marketable solution.... that...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>I have had a few people email me asking what ever happened with this product. So I thought a post might make sense.</p>

<p>Getting working technology in place took no time at all. Getting it to a marketable solution.... that was an entirely different thing. Since my past post in October here is what has happened:</p>

<p><UL><LI>We had to write the Installation Guide<br />
<LI>We had to build the production ISO<br />
<LI>We did a round of beta testing with trusted sites<br />
<LI>We did another round of testing to more open public sites<br />
<LI>We did another round of testing with some Microsoft MVPs<br />
<LI>We rewrote the docs after getting results from the test sites<br />
<LI>We had to fix some implementation problems relating to IAS + ISA<br />
<LI>We had to build a Token Inventory Control System<br />
<LI>We had to build a Token Fulfillment and Shipping System<br />
<LI>We had to get authorization from the Department of Homeland Security to ship to the US. Long story.... paperwork nightmare which in the end... we DIDN'T have to do.<br />
<LI>We had to build an online store, integrate it with our CRM, Inventory Control System and Token Fulfillment System<br />
<LI>We had to work with CryptoCard to handle token fulfillment<br />
<LI>We went to launch, and realized we were now in the holiday season. Delayed launch until the New Year.<br />
<LI>We had to launch the product<br />
<LI>We had to take our first order<br />
</UL></p>

<p>That took months to do. But as of January, we were shipping our strong authentication solution around the world. A few user groups have had demos and I hear people are even talking about it down under at a few Microsoft user groups in Australia [Hi Wayne! :) ]</p>

<p>It's taken quite a bit of time to make a "product" a sellable "solution". Almost half a year in fact. Well, if you discount the holiday season, the DHS delay and the delay in receiving our first shipment of tokens it was really closer to four months. Not too bad. But longer than many people would have expected.</p>

<p>So what's next?</p>

<p><UL><LI>We are releasing a bunch of new agents later this spring to round out our offerings<br />
<LI>We will be announcing some interesting partnerships in the coming months to deliver our solution in interesting ways<br />
<LI>Version 2 will come out with a whole bunch of updates, including Active Directory integration<br />
<LI>The sales team is being expanded to help grow our sales <br />
<LI>I'm going to be going on a tour in May to promote the product. Although not in stone, sounds like I am going to New York, Chicago, San Francisco, Los Angeles and New Orleans.<br />
<LI>Lots of other stuff I can't talk about right now.<br />
</UL></p>

<p>Busy, busy, busy.</p>

<p>If you are a developer and like what you see, I'm pleased. But I would be MORE pleased if you thought about integrating two-factor authentication into your own applications. How? I have an easy solution. Why not partner with us and use our web services interface to immediately add strong authentication to your product? Not into web services? No problem... we have a traditional COM interface as well that you can use. It literally only takes 5 lines of code to integrate strong authentication to your application when using ours. And we have already built the inventory and fulfillment systems to handle those bits for you. What could be simpler?</p>

<p>Interested? Then send an email to <a href="mailto:dana@scorpionsoft.com">dana@scorpionsoft.com</a> and start a conversation to explore the opportunity!</p>]]>
        
    </content>
</entry>
<entry>
    <title>Scaling Anvil for larger organizations</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/10/scaling_anvil_for_larger_organ.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=118" title="Scaling Anvil for larger organizations" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.118</id>
    
    <published>2006-10-21T00:51:30Z</published>
    <updated>2006-10-21T01:06:45Z</updated>
    
    <summary>So as we were going through some changes with Anvil at the code level, one of the things I had to do was implement CryptoCard&apos;s latest COM object. They merged some of their old code into a single source, which...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>So as we were going through some changes with Anvil at the code level, one of the things I had to do was implement CryptoCard's latest COM object. They merged some of their old code into a single source, which is a really nice idea.</p>

<p>One problem that I quickly came across stumped our progress, and pretty bad. Our web service is written in a manner that uses a multi-threaded apartment model (MTA). That makes sense since we could have hundreds of concurrent authentication requests (especially first thing in the morning when everyone is logging in). However the COM object was written in a single-threaded apartment model (STA). Not a major problem for simple applications as you can use the [STAThread] directive to make the app work single threaded, or use ASP.NET's model that can STA itself. Big problem in a web service, where you CAN'T do that. And even though there is a <a href="http://msdn.microsoft.com/msdnmag/issues/06/10/WickedCode/">work around presented</a> in MSDN Magazine, it would mean I would be loading the COM library for each thread...which could easily get to 500MB to a GIG of memory usage when an organization first logs in at 9 in the morning.</p>

<p>So, I went to CryptoCard and expressed my performance problem with the COM object. And they did an AWESOME job addressing my problem. They rewrote their COM library to support MTA, and did it in just a few days! Thanks guys.</p>

<p>So now, instead of taking 500 MB of memory during a major load for authentication, it is taking around 5 to 10 MB. Talk about sweet! And now, this web service can really scale. With TestComplete's load testing and performance profiling, I can really put it through its paces. And Anvil keeps going strong. Man I love it when a plan comes together. :)</p>]]>
        
    </content>
</entry>
<entry>
    <title>Demoing RWW-Guard and Anvil at SMBNation</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/09/demoing_rwwguard_and_anvil_at.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=112" title="Demoing RWW-Guard and Anvil at SMBNation" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.112</id>
    
    <published>2006-09-09T17:52:33Z</published>
    <updated>2006-09-09T18:14:13Z</updated>
    
    <summary>So yesterday I did a presentation at the Microsoft Conference Center for SMBNation on strong authentication for small business. I showed how you can use RWW-Guard with CryptoCard&apos;s Cryptoserver and with Scorpion Software&apos;s Anvil SAS to offer two-factor authentication...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>So yesterday I did a presentation at the Microsoft Conference Center for SMBNation on strong authentication for small business. I showed how you can use <a href="http://www.scorpionsoft.com/products/rww-guard/">RWW-Guard</a> with CryptoCard's Cryptoserver and with Scorpion Software's Anvil SAS to offer two-factor authentication in Remote Web Workplace.</p>

<p>It was great fun. And just before my presentation a colleague of mine from the US's Department of Justice sent me an interesting paper on the "Analysis of Department of Justice Prosecutions 1999-2006", which I used in my presentation to further define the problem of static reusable passwords. Some interesting real world statistics on what they are seeing during their prosecutions:</p>

<p><UL><LI>Most crimes, 84 percent, could have been prevented if the identity of the users connecting were checked in addition to user IDs and passwords<br />
<LI>Losses from stolen IDs and passwords far exceeded damages from worms, viruses, and other attack methods not utilizing logon accounts<br />
<LI>Vast majority of attackers, 78 percent, committed crimes from their home computers; most often using unsanctioned computers with no relationship to the penetrated organization<br />
</UL></p>

<p>Never been a better time for the release of Anvil this fall. </p>

<p>Of course, lots of interest in RWW-Guard and Anvil. Some interesting deployments have already been identified, like using Anvil + RWW-Guard to provide better control of employee access to remote SBS servers in a managed environment. Imagine... if you are managing 25 SBS boxes and an employee leaves, it will typically take you 12-25 HOURS to reconfigure each server's administrative credentials. Not just the password... but all the service passwords as well. With RWW-Guard and Anvil... you simply revoke the employee's token, removing his ability to log into the remote servers at all. Some guys are managing upwards to 50 to 200 servers, and this can literally save thousands of dollars in maintenance costs.</p>

<p>Apparently there is some voting going on, and I am in the running to repeat the session on Sunday. If you didn't get a chance to catch the presentation and you are on the Microsoft campus, you might be able to catch it tomorrow! We'll see how it goes.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Anvil... one month later</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/09/anvil_one_month_later.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=111" title="Anvil... one month later" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.111</id>
    
    <published>2006-09-01T18:46:31Z</published>
    <updated>2006-09-01T19:00:06Z</updated>
    
    <summary>It&apos;s now September 1st. With August behind us I thought I would screencast the results, and talk about where we are. Overall, I am quite happy with the progress. We have a working strong authentication server (SAS) that properly...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>It's now September 1st. With August behind us I thought I would screencast the results, and talk about where we are.</p>

<p>Overall, I am quite happy with the progress. We have a working strong authentication server (SAS) that properly authenticates against CryptoCard KT hardware tokens. That was my vision at the beginning of last month... and that is the reality now.</p>

<p>So what next? Well, there is still a lot to be done before it's ready for sale. It will have to go through some major testing. The product needs to become a solution, which will include documentation, an installer, a website, marketing materials etc. And I still have a company to run with other products, so much of my focus will need to be there. <a href="http://www.scorpionsoft.com/products/rww-guard/">RWW-Guard</a> is in its final beta stages as we prepare to start selling it, and the first few weeks of September will be focused on that, while Anvil gets shelved a bit. We will of course continue to dog food Anvil and use it in house... but it won't be until next month that we start installing it on external networks.</p>

<p>I will continue to blog the progress here... but it may be a bit infrequent compared to the amount of blogging I did in August. As we move forward in readying the product for commercial release, I will be sure to invite you to join me as we take it to release.</p>

<p>Thanks for tracking my progress. I do hope I was able to share in my experience over the month. I wish you the best in your own software development!</p>

<p><a href="http://www.scorpionsoft.com/anvil/screencasts/AnvilOneMonthLater/AnvilOneMonthLater.html">Anvil One Month Later Screencast</a> [Flash ~3.5MB]</p>]]>
        
    </content>
</entry>
<entry>
    <title>Does Anvil pass the Joel Test?</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/does_anvil_pass_the_joel_test.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=110" title="Does Anvil pass the Joel Test?" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.110</id>
    
    <published>2006-09-01T05:28:22Z</published>
    <updated>2006-09-01T06:05:12Z</updated>
    
    <summary>Ever heard of the Joel Test? It&apos;s a simple test to measure how well a software team performs. It takes less than 3 minutes to complete, because it&apos;s a simple yes/no answer test to twelve questions: Do you use source...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>Ever heard of the <a href="http://www.joelonsoftware.com/articles/fog0000000043.html">Joel Test</a>?</p>

<p>It's a simple test to measure how well a software team performs. It takes less than 3 minutes to complete, because it's a simple yes/no answer test to twelve questions:</p>

<p><OL><LI>Do you use source control?<br />
 <LI>Can you make a build in one step?<br />
 <LI>Do you make daily builds?<br />
 <LI>Do you have a bug database?<br />
 <LI>Do you fix bugs before writing new code?<br />
 <LI>Do you have an up-to-date schedule?<br />
 <LI>Do you have a spec?<br />
 <LI>Do programmers have quiet working conditions?<br />
 <LI>Do you use the best tools money can buy?<br />
 <LI>Do you have testers?<br />
 <LI>Do new candidates write code during their interview?<br />
 <LI>Do you do hallway usability testing?<br />
</OL></p>

<p>So for fun, I thought I would take the test.</p>

<p><B>Do you use source control?</B></p>

<p>Yes. Anvil's source code is maintained in a Subversion source code repository. Some of my previous posts included screencasts where you see Subversion in action (indirectly).</p>

<p><B>Can you make a build in one step?</B></p>

<p>Yes. We use Automated Build Studio. I <a href="http://www.scorpionsoft.com/anvil/2006/08/anvil_automated_builds.html">blogged</a> about that earlier today.</p>

<p><B>Do you make daily builds?</B></p>

<p>Yes. See above.</p>

<p><B>Do you have a bug database?</B></p>

<p>Yes. We use FogBugz. I blogged about <a href="http://www.scorpionsoft.com/anvil/2006/08/tracking_feature_requests_and.html">how we track defects</a> earlier this month.</p>

<p><B>Do you fix bugs before writing new code?</B></p>

<p>Yes. Although everything is new code right now. :)</p>

<p><B>Do you have an up-to-date schedule?</B></p>

<p>Yes. I use a mindmap to track requirements and project plans. I blogged a bit about how I use <a href="http://www.scorpionsoft.com/anvil/2006/08/project_planning_and_anvil.html">mindmapping for project planning</a>.</p>

<p><B>Do you have a spec?</B></p>

<p>Yes. Sort of. Although we don't use spec docs like Joel defines it, I screencasted how we use <a href="http://www.scorpionsoft.com/anvil/2006/08/defining_the_base_features_of.html">functionality mindmaps</a>, <a href="http://www.scorpionsoft.com/anvil/2006/08/defining_the_technology_to_use.html">technology mindmaps</a> and <a href="http://www.scorpionsoft.com/anvil/2006/08/threat_modeling_anvil.html">threat models</a>.</p>

<p><B>Do programmers have quiet working conditions?</B></p>

<p>Yep. I telecommute quite a bit myself and use a lot of quiet space in my home, including a full home office. Most of Anvil was written on my back deck this summer, while I listened to the rustling leaves of the huge trees in my backyard in British Columbia, Canada.</p>

<p><B>Do you use the best tools money can buy?</B></p>

<p>Yes, I believe so. There is a list on the right side of this blog.</p>

<p><B>Do you have testers?</B></p>

<p>Yes. And we use automated functionality testing with the use of TestComplete.</p>

<p><B>Do new candidates write code during their interview?</B></p>

<p>Yes. Although I didn't hire anyone for this project yet. Remember... it was supposed to be just me. </p>

<p><B>Do you do hallway usability testing?</B> </p>

<p>Yes. Although to be honest I don't pick people out of the hall. Two days ago I had the gardener try the Anvil Manager. Yesterday I had my wife try it. Today it was a potential customer. I will have a few more people check it out before I ship a public beta.</p>

<p>So there you have it. Looks like I pass the Joel Test with an A+. If you work with software in your business, take the test yourself and see how you do. And make sure you read <a href="http://www.joelonsoftware.com/articles/fog0000000043.html">Joel's article</a> on the subject.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Anvil Automated Builds</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/anvil_automated_builds.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=109" title="Anvil Automated Builds" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.109</id>
    
    <published>2006-08-31T23:34:28Z</published>
    <updated>2006-08-31T23:47:13Z</updated>
    
    <summary>In the current state of software development, with projects becoming more and more complex, building, testing and releasing of software projects consumes an ever-increasing amount of time and resources. Amen. That quote comes directly from AutomatedQA. They are the makers...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p><BLOCKQUOTE>In the current state of software development, with projects becoming more and more complex, building, testing and releasing of software projects consumes an ever-increasing amount of time and resources.</BLOCKQUOTE></p>

<p>Amen. That quote comes directly from AutomatedQA. They are the makers of <a href="http://www.automatedqa.com/products/abs/index.asp?bb=absv2">Automated Build Studio</a> (ABS), the tool that I used to create an automated build environment for Anvil.</p>

<p>I routinely get asked how we can manage the deployment of our software so effectively. With such a small company, people are surprised when they hear that we automate a LOT of the daily tasks that are needed in building software, replacing the need for warm bodies that are typically used in software companies. These days I believe I have eliminated the need for a few employee positions with the use of automation. And that directly benefits the bottom line, since human resources is one of the biggest costs in a software company. </p>

<p>With the main pieces of technology now built for Anvil, I wanted to create an automated build environment so that during the beta I can consistently and constantly have daily builds available to my testers. So I decided to record a screencast introducing how I used ABS for Anvil, and how easy it is to set up.</p>

<p><a href="http://www.scorpionsoft.com/anvil/screencasts/AnvilAutomatedBuilds/AnvilAutomatedBuilds.html">Anvil Automated Builds Screencast</a> [Flash ~21MB]</p>]]>
        
    </content>
</entry>
<entry>
    <title>Token Initializer now complete</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/token_initializer_now_complete.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=108" title="Token Initializer now complete" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.108</id>
    
    <published>2006-08-30T22:58:50Z</published>
    <updated>2006-08-30T23:05:30Z</updated>
    
    <summary>The last piece I was waiting for from CryptoCard came in yesterday, and I finished implementing it today. I can now initialize their KT tokens, and offer the ability to import tokens directly into Anvil. I can also now automate...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>The last piece I was waiting for from CryptoCard came in yesterday, and I finished implementing it today. I can now initialize their KT tokens, and offer the ability to import tokens directly into Anvil. </p>

<p>I can also now automate the manufacturing of tokens for distribution. Not a really important piece right now, but a piece I will need once commercialization is ready to go. Since these tokens have barcodes on the back, I think I will write a barcode scanning app that can read the serial, initialize the tokens, create the AES keys, set the seed and generate the first challenge all with a single scan of the barcode. </p>

<p>Fun stuff. But stuff that can wait until the beta ships.</p>]]>
        
    </content>
</entry>
<entry>
    <title>IAS on SBS problems resolved!</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/ias_on_sbs_problems_resolved.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=106" title="IAS on SBS problems resolved!" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.106</id>
    
    <published>2006-08-30T01:13:57Z</published>
    <updated>2006-08-30T01:23:31Z</updated>
    
    <summary>Ok, here goes the acronym game. Seems installing IAS on a server with ISA where a DC is involved causes extension DLLs to not load thanks to an authentication DLL from ISA. *ugh*. Get all that? IAS and ISA are...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>Ok, here goes the acronym game.</p>

<p>Seems installing IAS on a server with ISA where a DC is involved causes extension DLLs to not load thanks to an authentication DLL from ISA. *ugh*. Get all that? IAS and ISA are different products. One's a RADIUS server, and one's a firewall. And they aren't playing nice together.</p>

<p>Not quite sure how I can programmatically handle this. For version one, I will just document this in the installation guide for the IAS installation. On top of that, ISA installs a "Connection Policy" into the IAS server which has to be modified so my extension DLL can work properly. Good news is, I now have a working IAS DLL. Bad news is, it's a week and a half late. *sigh*. And I still have to rewire it to communicate with the Anvil Web Service I got working last week.</p>

<p>Good news is, the major hurdles are now all overcome. The next few days will be a bit easier, even though I can see we are already a week and a bit behind. Then again, writing a RADIUS extension is pretty much its own product. Guess I shouldn't be complaining. I wonder if that entitles me to an extra 30 days of development :)</p>

<p>Ya, I didn't think so either.</p>]]>
        
    </content>
</entry>
<entry>
    <title>It&apos;s ALIVE! We can now authenticate against Anvil  </title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/its_alive_we_can_now_authentic.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=105" title="It's ALIVE! We can now authenticate against Anvil  " />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.105</id>
    
    <published>2006-08-26T02:08:00Z</published>
    <updated>2006-08-26T02:25:21Z</updated>
    
    <summary>That&apos;s right folks. After an amazingly challenging week, I can now authenticate my CryptoCard hardware tokens against Anvil! The most difficult and important piece is now done. I wanted to share in the experience with my readers, and recorded the...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>That's right folks. After an amazingly challenging week, I can now authenticate my CryptoCard hardware tokens against Anvil! The most difficult and important piece is now done.</p>

<p>I wanted to share in the experience with my readers, and recorded the first officially working authentication request and response to the Anvil Web Service in a screencast. Watch it to see how easy it is to send a SOAP request or HTTP post to communicate with the strong authentication server. That's right... only a few lines of code are needed to consume the web service and offer strong authentication in pretty much anything... from PHP and Ruby on Rails to Perl and ASP.NET.</p>

<p>If the demo feels a bit slow, that's because it's in debug mode, on a slow TabletPC with tonnes of tracing turned on while Camtasia records everything. Even still, the responses come in pretty fast considering all the crypto behind the scenes. </p>

<p>You may notice the response is a simple XML message with a boolean. You may be asking yourself how come there is no detailed response on a failure. The details ARE in the audit log... but I chose NOT to disclose the reason for the failure against the request. During threat modeling I decided that was too much information disclosure that a potential attacker could use against the server. If a valid user truly is having troubles (which I believe will be rare), they will have the ability to resync their tokens and reset their PINs in a future release. I decided not to pursue those features for version 1 of Anvil.</p>

<p>I am really happy with this piece falling into place before the week ended. I expected this would be the most difficult piece of the puzzle, and with it out of the way I can now focus back on the IAS issues that Microsoft PSS is still working on.</p>

<p>Have a great weekend! I know I intend to.</p>

<p><a href="http://www.scorpionsoft.com/anvil/screencasts/AnvilWebService/AnvilWebService.html">Anvil Web Service Screencast</a> [Flash ~9MB] </p>]]>
        
    </content>
</entry>
<entry>
    <title>This week looks like a challenging one</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/this_weeks_looks_like_a_challe.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=104" title="This week looks like a challenging one" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.104</id>
    
    <published>2006-08-23T23:02:36Z</published>
    <updated>2006-08-23T23:21:28Z</updated>
    
    <summary>Well, progress on Anvil has been slower than I would have liked this week. I seem to be tackling challenges that I wasn&apos;t quite prepared for. They&apos;re quite interesting problems, which has made it enjoyable, if it wasn&apos;t for the...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>Well, progress on Anvil has been slower than I would have liked this week. I seem to be tackling challenges that I wasn't quite prepared for. They're quite interesting problems, which has made it enjoyable, if it wasn't for the pressures of the end of month coming up.</p>

<p>Microsoft PSS still doesn't have a solution for me. I am disappointed to see that the support guys aren't using virtualization for testing purposes. The engineer assigned to my case actually contacted me and said it may be a few days (and up to next week) as he has to build an SBS environment. WHAT?? I would think there is a working VPC image for every product they have. It should take no time at all to bring up an image to work with. Guess they aren't dogfooding their own VPC stuff for this kind of thing. That's really too bad. </p>

<p>The AuthEngine stuff has also had some of its own challenges. The guys at CryptoCard have been working well with me to get this stuff working in .NET. They have written a new COM object that I can use so I don't have to PInvoke the C library. Problem is, they still have to document it and provide some tests, which means it's been a bit hit and miss for me as I try to learn this stuff. On the flip side, I have rather enjoyed working with the guys over at CryptoCard as every time I come across something I don't understand, they are able to fill in the blanks for me with very little effort. Typically with internal documentation they have in hand from others who have come across these challenges.</p>

<p>So right now I am waiting for both Microsoft and CryptoCard to get back to me on some stuff. In the meantime, I am mindmapping the workflow process I expect to use for the deployment and enrollment of tokens to users when in the field. While talking with CryptoCard they have offered some interesting advice on what sort of difficulties they have seen in the field, and I am leveraging that information to make Anvil more user friendly... while meeting compliance needs of different market verticals. </p>

<p>Hopefully tomorrow will come with some solutions to these challenges so I can make some serious progress. This week has been killing my schedule.</p>]]>
        
    </content>
</entry>
<entry>
    <title>The best way to protect secrets ...</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/the_best_way_to_protect_secret.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=103" title="The best way to protect secrets ..." />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.103</id>
    
    <published>2006-08-23T01:57:30Z</published>
    <updated>2006-08-23T02:13:06Z</updated>
    
    <summary>... is to never have secrets to protect. Does that make sense? So today I got an email from someone who challenged my post on using regular expressions for data validation on the PIN field in the Users table. His...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>... is to never have secrets to protect. Does that make sense? </p>

<p>So today I got an email from someone who challenged my <a href="http://www.scorpionsoft.com/anvil/2006/08/leveraging_powerful_data_valid.html">post</a> on using regular expressions for data validation on the PIN field in the Users table. His position isn't about the regex itself (which he liked), but the fact I was storing the PIN in the first place.</p>

<p>And he is right. I didn't really go into detail in that post, but I never designed the final Anvil database structure to actually store the PIN. This was actually one of the things exposed during the threat modeling process. There is no reason an administrator should ever know a user's PIN. So why let them see it? Why even store it? In Anvil, the PIN is not actually stored. A 32 byte MD5 hash is actually stored in the database, and a regex of <b>^[abcdef0-9]{32}$</b> is used as the data filter. </p>

<p>I am pleased that someone actually noticed this and pointed it out. It's a great lesson on why we shouldn't store secrets if we don't need to. The Token Validation Web Service takes the PIN inputted by the user, hashes it, and compares that hash to what is in the database. If it matches, then we have a valid PIN. No need to expose the PIN directly in the database.</p>

<p>While waiting for Microsoft PSS to get back to me on the IAS issue I am having, I am spending time working through the new AuthEngine COM object CryptoCard have designed to use with .NET. I should be able to add that to the web service in the next few days. Once that snaps in, a lot of things will fall into place.</p>

<p>Let's hope I can get the RADIUS side worked out with IAS soon.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Status update on IAS issue</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/status_update_on_ias_issue.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=102" title="Status update on IAS issue" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.102</id>
    
    <published>2006-08-23T01:45:25Z</published>
    <updated>2006-08-23T01:56:38Z</updated>
    
    <summary>Well, made SOME progress on the IAS issue. Had a developer from Redmond give me a call, and we quickly found out that one problem was the fact the Platform SDK build environment was mapping the C compiler to the...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>Well, made SOME progress on the IAS issue. Had a developer from Redmond give me a call, and we quickly found out that one problem was the fact the Platform SDK build environment was mapping the C compiler to the VS2005 stuff (MSVCR80). One problem... the C runtime on SBS is for VS2003 (MSVCR71), except on R2, which we don't run here in any environment. </p>

<p>Running "depends.exe" quickly showed that the runtime was missing. So I copied the latest Platform SDK SetEnv.cmd script and altered it to force it to pick up the VS2003 C compiler. Voila. Now that side of things is working properly.</p>

<p>Of course, IAS still won't load the bloody DLL. *sigh*</p>

<p>Back in Microsoft's hands. Hopefully they will be able to figure it out tomorrow and give me a call.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Expensive office music - calling Microsoft PSS</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/expensive_office_music_calling.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=101" title="Expensive office music - calling Microsoft PSS" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.101</id>
    
    <published>2006-08-22T19:10:00Z</published>
    <updated>2006-08-22T19:17:25Z</updated>
    
    <summary>So this morning I called Microsoft&apos;s Professional Support Services to look for help with my IAS extension problem on SBS. After 2 hours of being on hold with the networking group, it appears I have bounced around in the SBS...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>So this morning I called Microsoft's Professional Support Services to look for help with my IAS extension problem on SBS. After 2 hours of being on hold with the networking group, it appears I have bounced around in the SBS group, the SDK group and finally now to the "Microsoft Development Team". And that requires someone to call me back in 24 to 48 hours. *sigh*</p>

<p>Meanwhile, for two hours I listened to 70s disco music, peppered with some country and weird early 80s music. I guess I shouldn't complain... as it could have been some Bollywood tunes that I wouldn't have quite understood.</p>

<p>All I want to do is load an extension DLL in IAS on SBS. Why is this so hard? *sigh*</p>

<p>Well, off to do some work on the web service while I wait.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Integrating Internet Authentication Server on SBS isn&apos;t as easy as I expected</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/integrating_internet_authentic.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=100" title="Integrating Internet Authentication Server on SBS isn't as easy as I expected" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.100</id>
    
    <published>2006-08-22T07:30:59Z</published>
    <updated>2006-08-22T07:39:20Z</updated>
    
    <summary>So it seems I came across a wall today. Trying to get an IAS extension to load in Internet Authentication Server (IAS) on SBS2003 seems to fail. A bunch of different issues ranging from permissions for EventLog access for IAS...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>So it seems I came across a wall today. Trying to get an IAS extension to load in Internet Authentication Server (IAS) on SBS2003 seems to fail. With a bunch of different issues ranging from permissions for EventLog access for IAS to the extension DLL code not even loading, I burnt a LOT of time today trying to get this working. </p>

<p>I did complete the code for the IAS extension framework though. That was a lot of good progress. I plan to ship a RADIUS test DLL for RWW-Guard later this week, once I get this deployment issue worked out. And that's an extra benefit for my RWW-Guard users during testing.</p>

<p>So what's next? It's not worth the expense to spend the next day or two trying to figure out this problem. Valuing my time, I will call Microsoft PSS and spend the money to get them to tell me why the heck IAS on SBS acts this way. Even the default samples in the SDK seem to fail on SBS. No idea why. Hopefully they can help me figure it out so I can get back on track.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Leveraging powerful data validation in SQL Server 2005</title>
    <link rel="alternate" type="text/html" href="http://www.scorpionsoft.com/anvil/2006/08/leveraging_powerful_data_valid.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.scorpionsoft.com/blog/mt-atom.cgi/weblog/blog_id=2/entry_id=99" title="Leveraging powerful data validation in SQL Server 2005" />
    <id>tag:www.scorpionsoft.com,2006:/anvil//2.99</id>
    
    <published>2006-08-17T20:20:40Z</published>
    <updated>2006-08-17T20:58:20Z</updated>
    
    <summary>I am so pleased with deciding to go with SQL Server 2005 Express for Anvil. I recently learned about an extremely powerful feature that makes data validation in the database a breeze. Whenever you use input from an untrusted source,...</summary>
    <author>
        <name>Dana Epp</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.scorpionsoft.com/anvil/">
        <![CDATA[<p>I am so pleased with deciding to go with <a href="http://msdn.microsoft.com/vstudio/express/sql/">SQL Server 2005 Express</a> for Anvil. I recently learned about an extremely powerful feature that makes data validation in the database a breeze.</p>

<p>Whenever you use input from an untrusted source, it needs to be validated. Especially if it comes from or can be accessed by the user. The best way to handle this is to put an input sentry at any trust boundary, as it crosses from an untrusted to trusted border. Ultimately, the last line of defense will be the database, as that is where the final storage ends up... at least for our application.</p>

<p>You can easily apply CHECK constraints on fields in the database. But that is a very rudimentary method of validating the input, since you can typically only do basic checks.</p>

<p>Enter the fact that in SQL Server 2005, you can now enable CLR in the database, and write user-based functions in your favorite .NET language. And more importantly, you can CALL these functions AS constraints on fields in the database.</p>

<p>This is really impressive stuff. In my case, I wrote a generic regular expression validation function that allows me to do the deepest of validation checks on the data before it's inserted. If the data fails the regex validation, the record will not be committed.</p>

<p>I decided to screencast the authoring of this powerful regular expression validation method. Feel free to use it yourself on your SQL Server 2005 databases.</p>

<p>And remember... always assume that input is malicious until proven to be safe.</p>

<p><a href="http://www.scorpionsoft.com/anvil/screencasts/AnvilSQLDataValidation/AnvilSQLDataValidation.html">Anvil SQL Server Data Validation Screencast</a> [Flash ~14MB]</p>]]>
        
    </content>
</entry>

</feed> 

