Posts

Understanding AsNoTrackingWithIdentityResolution in Entity Framework Core

When working with Entity Framework Core, understanding change tracking behavior is crucial for both performance and data consistency. While I was aware of the AsNoTracking() method, I discovered a lesser-known but powerful alternative during a code review: AsNoTrackingWithIdentityResolution(). Let's explore what makes this method special and when you should use it. Quick recap: What is AsNoTracking()? Before diving into AsNoTrackingWithIdentityResolution, let's briefly review AsNoTracking(). By default, EF Core tracks all entities returned from queries in the change tracker. This tracking enables: automatic detection of changes to entities; update operations without explicitly attaching entities; identity resolution (ensuring only one instance per entity exists in memory). However, tracking comes with overhead. When you're performing read-only operations where you don't need to update data, AsNoTracking() improves performance by skipping the change...
Recent posts

Securing File Uploads Part 4: Malware Scanning with Windows AMSI

Welcome to the final post in our file upload security series. We've covered content type validation, file size validation, and file signature validation—each providing a crucial layer of defense. Today, we're implementing the final and most sophisticated protection: malware scanning using Windows Antimalware Scan Interface (AMSI). The last line of defense Even after all our previous validation steps, a determined attacker could still upload malicious content: a legitimate PDF with embedded JavaScript exploits; a valid Office document containing malicious macros; an actual image file with embedded steganographic payloads; a genuine archive containing malware; zero-day exploits targeting file processing libraries. These files pass all our previous validations because they are legitimate file formats—they're just weaponized. This is where malware scanning becomes essential. Why AMSI? Windows Antimalware Scan Interface (AMSI) is a powerful, oft...

Using Personal Access Tokens (PAT) to clone Azure DevOps Git Repositories

When working with Azure DevOps repositories, Personal Access Tokens (PATs) offer an alternative to traditional authentication. Although I would not recommend them for general usage, there are some scenarios where a PAT is a secure option, providing security through scoped permissions, expiration dates, and the ability to revoke access without changing your primary credentials. I had a situation where I needed to clone a set of Git repositories and run a scan on each repository. As the script would be running for a long time, I thought it would be better to create and use a PAT instead of my own account. Creating a Personal Access Token (PAT) Sign in to your Azure DevOps organization. Click on your profile icon in the top right corner. Select "Personal access tokens". Click "+ New Token". Configure your token: give it a meaningful name, set an expiration date, select the organization. Under "Scopes," ...

Securing File Uploads Part 3: File Signature Validation

In our previous posts, we covered content type validation and file size validation as the first two layers of defense in our file upload security pipeline. Today, we're diving into what I consider the most critical validation step: file signature validation, also known as "magic number" validation. This is where we stop trusting what files claim to be and start verifying what they actually are. The Problem: files that lie Here's a sobering truth: both content type headers and file extensions are trivially easy to manipulate. An attacker can: rename malicious.php to harmless.jpg; upload a PHP web shell with the content type set to image/jpeg; disguise an executable as a PDF by simply changing the extension; bypass your content type validation while still delivering malicious payloads. Consider this scenario: Your application accepts image uploads for user profiles. You've implemented content type validation that only allows image/jpeg, image/...

Securing File Uploads Part 2: File Size Validation

In the first post of this series, we explored how content type validation serves as the first line of defense against malicious file uploads. Today, we're tackling another critical security concern: file size validation and why it's essential for protecting your application from resource exhaustion attacks. The threat: Death by a thousand uploads File size validation might seem like a simple feature requirement, but it's actually a crucial security control. Without proper size limits, attackers can: Exhaust disk space: fill up your storage with massive files, causing system failures. Consume bandwidth: drain network resources by uploading gigantic files repeatedly. Trigger out-of-memory errors: crash your application by forcing it to process files larger than available memory. Enable denial-of-service attacks: tie up server resources processing oversized files, preventing legitimate users from accessing your application. Inflate storage costs: In c...

Securing File Uploads: Content Type Validation–A defense against malicious files

File upload functionality is a common feature in web applications, but it's also one of the most common attack vectors. A recent security review of our applications revealed some vulnerabilities in our file upload handling that needed our attention. This is the first post in a series where I'll share how we systematically secured our file upload functionality. The problem The fundamental issue with file uploads is trust. When users upload files, we're essentially allowing them to store content on our servers. Without proper validation, attackers can: upload malicious scripts disguised as innocent files; bypass security controls by manipulating file extensions; execute server-side code through crafted payloads; consume excessive server resources with oversized files. The first line of defense? Content type validation. Our approach: A validation pipeline Rather than implementing ad-hoc validation checks scattered throughout our codebase, we designed a...

Discovering Visual Studio 2026 – Bring your own model

Yes! The new Visual Studio 2026 edition is available in preview (now called Insiders). I'll take some time this week to walk through some of the features I like and maybe some of the rough edges I discover along the way. A feature that has existed for a while in VS Code but hadn't yet made it into Visual Studio has finally arrived in Visual Studio 2026. You are no longer limited to the built-in models that Visual Studio supports; you can now connect to your own language models. Selecting a model To select a different model, go to the models dropdown in the Copilot Chat window. Click on the dropdown and choose Manage Models. This will open up the Bring your own model window. Here you can select a model from any of the available providers: Anthropic, Google, OpenAI and xAI. After entering your API key, you can select one or more models supported by the chosen provider. Unfortunately, you don’t have the option yet to choose a loc...