The #1 mistake I see .NET developers make is using NULL everywhere.
But that's a billion-dollar mistake.
NULL references have caused loads of errors, vulnerabilities, and system crashes.
Here are 4 ways you can minimize NULL in C# code:
💰 Return empty value from the method
- if possible, return an empty list instead of null
- for example, use Enumerable.Empty<TResult>
💰 Eliminate nulls with C# nullable reference types
- introduced in C# 8.0
- it forces you to use null more carefully
💰 Use the Null Object pattern
- this is an object that defines a "do nothing" behavior
- can eliminate null checks
💰 Use the null-conditional operator
- allows you to safely access a class property
- when the instance is null, the whole assignment will return null
Want to reduce crashes?
Give the above suggestions a shot.
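The four suggestions in the post above, combined in one small program. This is an added example, not code from the post; `IAuditLog`, `NoAuditLog`, `User` and `UserDirectory` are hypothetical names made up for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// All type and member names below are hypothetical, made up for this example.
public interface IAuditLog { void Record(string message); }

// Null Object pattern: a "do nothing" implementation callers can use without null checks.
public sealed class NoAuditLog : IAuditLog
{
    public static readonly NoAuditLog Instance = new();
    public void Record(string message) { }
}

// Nullable reference types: Email is declared as possibly null, Name is not.
public sealed record User(string Name, string? Email);

public sealed class UserDirectory
{
    private readonly Dictionary<string, List<User>> _byTeam = new();
    private readonly IAuditLog _audit;
    // A missing logger becomes the null object, so _audit is never null.
    public UserDirectory(IAuditLog? audit = null) => _audit = audit ?? NoAuditLog.Instance;

    public void Add(string team, User user)
    {
        if (!_byTeam.TryGetValue(team, out var members))
            _byTeam[team] = members = new List<User>();
        members.Add(user);
        _audit.Record($"added {user.Name} to {team}");
    }

    // Empty sequence instead of null: callers can enumerate an unknown team safely.
    public IEnumerable<User> MembersOf(string team) =>
        _byTeam.TryGetValue(team, out var members) ? members : Enumerable.Empty<User>();
}

public static class Program
{
    public static void Main()
    {
        var directory = new UserDirectory();
        directory.Add("blue", new User("ana", null));
        // Unknown team: Count() runs on an empty sequence instead of throwing.
        Console.WriteLine(directory.MembersOf("red").Count());
        User? first = directory.MembersOf("red").FirstOrDefault();
        // Null-conditional access: the chain yields null when first or Email is null.
        Console.WriteLine(first?.Email?.Length ?? 0);
    }
}
```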
The hidden cost of enterprise .NET architecture:
Debugging hell.
I've spent 13+ years in .NET codebases, and I keep seeing the same pattern:
Teams build fortress-level abstractions for problems they don't have.
IUserService calls IUserRepository.
IUserRepository wraps IUserDataAccess.
IUserDataAccess calls IUserQueryBuilder.
IUserQueryBuilder finally hits the database.
To change one validation rule, you step through 5 layers.
To fix a bug, you open 7 files.
The justification is always the same:
"What if we need to swap out Entity Framework?"
"What if we switch databases?"
"What if we need multiple implementations?"
What if this, what if that.
The reality:
Those "what ifs" don't come to life in 99% of cases.
I've seen exactly zero projects swap their ORM.
But I've seen dozens of developers waste hours navigating abstraction mazes.
New developers are confused about where to put a new piece of functionality.
Senior developers are debugging through the code that has more layers than a wedding cake.
The end result?
You spend more time navigating than building.
Look, good abstractions hide complexity.
Bad abstractions create it.
Most enterprise .NET apps have way too much of the second kind.
Always a farce with @DPD_Fr and @ChronopostSAV. The delivery driver calls me, he is at the wrong address in another town, I tell him so, he delivers anyway, and I'm the one who moved and who has to fight with the seller for a new shipment?
Please share this far and wide. As far and wide as you can. NIST Password Guidelines for 2024 are in the process of being updated.
This is a HUGE pet peeve of mine (when vendors in particular are still operating like it's 2017 and keep changing passwords every 60 days, STOP DOING THIS, it's outdated and has been shown to put you MORE at risk than less -- NIST explains why it does in this document, meticulously outlining user behavior**) so I'm sharing this in the hopes all of you will pass it along to your bosses.
The Special Publication series governing passwords is SP 800-63 "Digital Identity Guidelines".
The 2024 version is 800-63-4.
Here: https://t.co/oX8YEJHxXg
The companion docs are also on that link. They are 800-63A, 800-63B and 800-63C. These are different documents for different scenarios in play at your org.
The previous update was in 2020.
The changes in the 2020 version from the 2017 version were numerous but one of them was that the password verification method should NO LONGER require passwords be changed at specific intervals (i.e. every 60 days) but in the following circumstances instead:
1. After a breach/compromise
2. User request
2024 repeats this and adds a bunch more guidelines, but here is a screenshot of page 13 of the new 800-63-4 (note the # 4 after it) which outlines how your systems should, now and moving forward, be handling passwords.
This goes for Active Directory, too. All your systems which have passwords should align with these guidelines provided there isn't another standard or framework you must adhere to which overrules this.
Most frameworks, however, have moved away from arbitrary password resets and complexity rules.
**We cybersec researchers and hackers use wordlists from breaches in a variety of different ways. Hackers use them in tooling to crack passwords whereas researchers use breach dumps to see the kinds of passwords users are creating and the psychology behind them.
Using complexity rules gets you the user psychology of:
Password1
Password2
and so on
Use phrasing instead and allow for spaces, which is important. Humans type phrases with spaces. They also mention phish-resistant methods and most vendors are on-board with MS going to be turning off all Legacy Auth next month, across all free accounts and tenancies.
I'm so excited for the new changes!
Ok I'm off my soapbox.
Share the love! Thank you!
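A sketch of the policy the post above describes: forced changes only after a compromise or on user request, no composition rules, and spaces allowed. This is an added example, not code from the post or from NIST; `PasswordPolicy` and its members are hypothetical, the minimum length is an assumed setting, and the blocklist comparison follows the SP 800-63B requirement to screen new passwords against known-compromised values.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical policy type for this example; MinLength is an assumed setting,
// not a value quoted from the post.
public sealed class PasswordPolicy
{
    private readonly HashSet<string> _blocklist;
    public int MinLength { get; }

    public PasswordPolicy(IEnumerable<string> blocklist, int minLength = 15)
    {
        _blocklist = new HashSet<string>(blocklist, StringComparer.OrdinalIgnoreCase);
        MinLength = minLength;
    }

    // Rotation is driven by events only; password age is deliberately not an input.
    public static bool MustChange(bool compromiseSuspected, bool userRequested) =>
        compromiseSuspected || userRequested;

    // No composition rules: spaces and any characters are accepted. Only length and
    // membership in the known-bad list can reject a candidate.
    public string? RejectionReason(string candidate)
    {
        if (candidate.Length < MinLength) return $"shorter than {MinLength} characters";
        if (_blocklist.Contains(candidate)) return "appears in the blocklist";
        return null; // accepted
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample blocklist; a real one is built from breach corpora.
        var policy = new PasswordPolicy(new[] { "Password1", "Password2" }, minLength: 8);
        foreach (var pw in new[] { "Password2", "short", "three quiet owls on a wire" })
        {
            string verdict = policy.RejectionReason(pw) ?? "accepted";
            Console.WriteLine($"{pw} -> {verdict}");
        }
        // An old but uncompromised password is not forced to change.
        Console.WriteLine(PasswordPolicy.MustChange(compromiseSuspected: false, userRequested: false));
    }
}
```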
The most dangerous thing in tech is a semi-technical person in a technical leadership position.
They know something is bad (or good) but lack the ability to create good guidelines.
End result:
LINQ can be bad. No LINQ anywhere!
Interfaces can be good. Interfaces everywhere!
Hello @FranceTravail
1° if you need a sysadmin to disable debug mode on your magnificent new #java app, I'm available
2° Password reset is broken in Chrome, and disabling copy-paste for the password field is a real work of art!
🆘 Eiffel Tower 🆘
A short thread 🧵 on the Eiffel Tower, which has never so deserved its title as the symbol of Paris …and of the calamitous municipal management of which it is today the victim.
Unroll 👇
Starting today, France Identité is available to everyone who holds the new identity card.
To download the app: https://t.co/0sx4VshEs9
@VeloCamion @provelo_idf @Florent_Giry I figured ;) It's mostly the cities' ideas that will always amaze me. And I note that they always have a big budget for white or yellow paint :D