NDC Oslo 2016

Scott Brady
NDC Oslo 2016 exhibition hall

So I’ve just got back to my hotel from the final day of NDC Oslo 2016 and as you always end up being after these things, I’m shattered. I came with the objective of finally getting some learning on ASP.NET Core (however much it may have pained me) and where better to do it than at one of the biggest and most respected conferences going? Whilst I may have started off with ASP.NET Core in mind, I soon got distracted by the high quality security speakers and wide range of subjects.

I think the best write up I can give is to talk through the experience and then list the talks that I attended, making recommendations where possible about which speaker or talks you should keep an eye out for.


I had no idea this conference would be as big as it was. The conference was hosted in the Oslo Spektrum, which has a maximum capacity of 10,500 and is more commonly used to host international pop stars (they were currently advertising for Macklemore & Ryan Lewis). Instead of the usual crowd you had a bunch of software developers using the central standing area as an exhibition and catering hall, with the seated areas sectioned off as breakout rooms.

NDC Oslo Overflow Room

What I found useful towards the end, and wish I had known about sooner, was the overflow room. This area had a live feed to all of the breakout rooms on a large projector (and a commanding view of the exhibition area) and upon entering you were given a headset that could tune in to any of them. So if you were unsure about any of the talks you could just use this room instead and merely have to switch audio channels and crane your neck a bit, instead of doing the walk of shame out of the room whilst the speaker glares at you.

The days are pretty long, running on average from 0900 to 1900, with 20 minutes between each talk and an hour for lunch. There was no limit on how much food you could eat, with various stalls serving small portions of the theme they were running. Unfortunately the coffee wasn’t great, there was one snobby coffee stall (I do love a coffee snob, they may be rude but they’ll ensure you get a good coffee) but unfortunately it was nothing to write home about.

Most importantly there’s a shrimp cruise, which I’d wholly recommend just for the chance for you to talk to some of the speakers and take in the views of Norway (and not just Oslo city center).

NDC Oslo Fjord Cruise NDC Oslo Fjord Cruise - other boat


Community Tuesday

  • Moriarty hacking 2016 (Chris Dale) - An interesting demonstration attack by a professional penetration tester. Interactive in that he allowed the audience to choose the attack method.
  • CSP: RIP XSS (Christian Wenz) - An in-depth talk on CSP features and versions. This made me go to every talk the presenter had from then on.


  • Yesterday’s Technology is Dead, Today’s is on Life Support (Keynote, Troy Hunt) - We all know and love Troy Hunt and his universally appealing presenting style. You couldn’t have asked for a more appropriate keynote speaker.
  • ASP.NET Core 1.0 Deep Dive (David Fowler and Damien Edwards) - I did enjoy it when they accidentally showed a package with an ASP.NET Core RC3 version number... Which they hastily brushed off as a "build artefact".
  • Authentication and secure API access for native & mobile Applications (Dominick Baier) - A look into Dom’s recent work with native & mobile clients using PoP tokens and PKCE. Good starting points for these concepts. Dom said Troy Hunt’s name at one point and then his microphone mysteriously stopped working… Damn it, Troy.
  • My Favorite Azure Security Features - and why you should care (Michele Bustamante) - A whirlwind tour of Azure AD, Security Center and Key Vault to name a few. I thought I knew a lot about Azure already but there’s a whole new area for security I need to get some experience with. Plus some comparisons to draw between the modern Azure AD and Identity Server.
  • Can We Build Whatsapp with Xamarin and Azure in 60 Minutes? Yes we can! (Ariel Ben Horesh) - But we didn’t. Interesting enough but it used a lot of pre-created code, which I wasn’t expecting from the title. It would have been nice to see at least one of the components fleshed out a bit more or maybe more of a discussion on why certain technologies were chosen and forsake the coding entirely.
  • ASP.NET Identity 3 (Brock Allen) - Good intro talk to ASP.NET Identity which walks through the new templates provided by ASP.NET Identity 3. Also a good talk to see the new features and changes from v2.
  • Performance Optimizations in the Wild (Oren Eini) - One of the guys behind RavenDB showing scarily complex performance optimizations that we should never use ourselves. Warning heeded.


  • .NET Data Security : Hope is not a Strategy (Stephen Haunts) - Nothing like an hour’s worth of encryption theory first thing in the morning. I will definitely be following this up with his Pluralsight course and recommended reading.
  • Is your code ready for .NET Core? (Mark Rendle) - Some lovely sweeping statements but still a good overview of what has made it into .NET Core (as of RC2), what hasn’t and which technologies you should start learning as modern .NET developers.
  • ASP.NET 5: What has changed for MVC and Web API developers? (Manfred Steyer) - A more in-depth look at some of the API changes in ASP.NET Core and some useful pointers in getting started with the new patterns and practices.
  • We Replaced a Multi-Application Home-Grown Authentication System (Ken Dale) - Not quite as advertised, as it walked through their company’s experience with facing a problem, not the problem or solution itself. Not my preferred kind of talk but an interesting speaking style.
  • Web Application Security: Lessons Learned (Christian Wenz) - A walkthrough of some of the highest profile attacks in recent years. A good lesson in what can go wrong and why.
  • Website Fuzziness (Niall Merrigan) - Unusual name for a talk but turned out to be an introduction to some of the most popular penetration testing tools around - I’m hooked.
  • Lessons from a quarter of a billion breached records (Troy Hunt) - Yeah, he’s always good. Mostly content from his past talks and blog posts, but entertaining nonetheless. Included an onstage update of haveibeenpwned to one billion records.


  • Web Performance 2016: Myths and Truths (Christian Wenz) - Christian again, this time walking through the web performance rules from the popular 14 Rules for Faster-Loading Websites by Steve Souders, looking at which apply and how HTTP/2 will change them.
  • Python: An Amazing Second Language for .NET Developers (Michael Kennedy) - I came out of this talk psyched to use Python and immediately downloaded PyCharm. What I’m actually going to do with Python, I don’t know, but it sure did get me excited!
  • Learn the Lingo: Design Patterns (Jeremy Clark) - An amusing talk on how you’ve probably been using most design patterns every day. Makes you look past the academia.
  • Break the chain asynchronously (Daniel Marbach) - Async/await and the Chain of Responsibility pattern. So many Funcs. My brain hurt at the end.
  • How to become Agile without Scrum or Kanban (Kjell Ljøstad) - With a title that sounds like your typical Agile talk, it turned out to be a fantastic talk on how to build workplace relationships and work effectively with other engineers (we can be a prickly bunch).
  • Everything I know about computers, I learned from the movies: Reloaded (Mark Rendle) - On one stage machine learning. On the other, clips of films showing bad NCIS clips.


Exhibitors means one thing: freebies! But of note (aka who had the coolest laptop stickers) were JetBrains and GitHub, who I had an interesting conversation with regarding their remote working setup, despite myself starting the conversation with "so what do you guys get out of this" (see all other exhibitors selling something in some way). Talking of which, I also saw OzCode for the first time, which I’ll need to make a point of checking out.

Laptop Stickers - Top Laptop Stickers - Bottom

Other Notes

As someone who works with Identity Server, I thought it was great that about 50% of the talks I went to gave mention to the project, even when the speaker was explaining the benefits of the competing Azure AD! It’s great to see its growing popularity in both usage and community support.

Also, despite this being a conference filled with cutting edge technology and concepts, there were still two demos that used a WinForm app.

You can find the growing catalog of uploaded videos on Vimeo here.

This conference did two things for me: it got me psyched to dive into and write about loads of new and interesting topics, and it reaffirmed my own speaking style. I plan on presenting at events over the next year and seeing what styles and topics have appealed to not only me but more importantly others, has been enlightening.

For instance there is no way I could stand up and talk about "my experience learning x" or "my process solving y", I just wouldn’t think I was giving the audience their money's worth and therefore have the confidence to convey it effectively. Instead I find it needs to be something I believe in and that is new or eye opening for the audience. From what I saw from the reviews given by others, at least the Scandinavians agree with me in this sentiment.

So overall the conference was a huge success, I got the knowledge I came to get and have opened up a new avenue of research and learning to explore. I’ve come away from it feeling inspired and excited about the future, just like you are meant to.