InterSystems Security Contest

Announcement

Anastasia Dyubaylo · Nov 1, 2021

#Contest #Events #Security #Developer Community Official #InterSystems IRIS #IRIS contest #Open Exchange

Security wanted!

Welcome to the next InterSystems online programming competition:

🏆 InterSystems Security Contest 🏆

Duration: November 15 - December 05, 2021

Prizes: $9,450 in prizes!

Prizes

1. Experts Nomination - a specially selected jury will determine winners:

🥇 1st place - $4,000

🥈 2nd place - $2,000

🥉 3rd place - $1,000

🌟 4-10th places - $100

2. Community winners - applications that will receive the most votes in total:

🥇 1st place - $1,000

🥈 2nd place - $500

🥉 3rd place - $250

If several participants score the same amount of votes, they all are considered winners, and the money prize is shared among the winners.

Who can participate?

Any Developer Community member, except for InterSystems employees (ISC contractors allowed). Create an account!

👥 Developers can team up to create a collaborative application. Allowed from 2 to 5 developers in one team.

Do not forget to highlight your team members in the README of your application – DC user profiles.

Contest Period

🛠 November 15 - 28: Application development and registration phase.

✅ November 29 - December 05: Voting period.

Note: Developers can improve their apps throughout the entire registration and voting period.

The topic

In the security contest, we encourage developers to share the solutions that show how to perform security tasks related to InterSystems IRIS and InterSystems IRIS for Health. We invite you to contribute apps that will reveal tasks related to the Authentication, Authorization, Auditing and Encryption parts of the InterSystems Security Model.

Such tasks could be:

OAuth/OpenID/SAML/LDAP Authentication implementations.
PKI implementations
Access Management to certain parts of a REST API: application-level security, role/user-level security.
Access Management to data: on a database, table, column, or row-level access.
Access to interoperability components
Access to IRIS BI components: cubes, pivots, dashboards etc.
DevOps questions of authorization (users, roles, resources) and authentication (OAuth) settings.
Developer and support tools related to authentication and authorization.
Your idea!

Requirements:

Accepted applications: new to Open Exchange apps or existing ones, but with a significant improvement. Our team will review all applications before approving them for the contest.
The application should work either on IRIS Community Edition or IRIS for Health Community Edition or IRIS Advanced Analytics Community Edition.
The application should be Open Source and published on GitHub.
The README file to the application should be in English, contain the installation steps, and contain either the video demo or/and a description of how the application works.

Helpful resources

1. For beginners with InterSystems IRIS:

2. For beginners with ObjectScript Package Manager (ZPM):

3. How to submit your app to the contest:

4. Documentation, courses, and videos:

5. Templates

Secured REST API example

Judgment

Voting rules will be announced soon. Stay tuned!

So!

We're waiting for YOUR project – join our coding marathon to win!

❗️ Please check out the Official Contest Terms here.❗️

Henry Pereira · Nov 4, 2021

My suggestion is an implementation to pseudonymization or anonymization to protect sensitive data to not fall within the scope of the GDPR or LGPD(Brazilian version of GDPR) could fits to the security contest. I planning to do something like that if it fits

1 0

Oliver Wilms · Nov 4, 2021

I like that idea, Henry. Either update real data to fake data or just create fake data for testing.

Yuri Marx · Nov 5, 2021

It is a contest about security not about privacy. In the rules, it is necessary use InterSystems Security Model.

0 0

Evgeny Shvarov · Nov 7, 2021

Yuri, yes, data anonymization and obfuscation is not a part of the InterSystems Security model but it's an interesting topic related to secure IT practicies. And regarding privacy - I think it becomes privacy when you agree or disagree with the consent. So IMHO privacy begins when the solution is implemented which we don't expect to see in the contest :)

Yuri Marx · Nov 7, 2021

Consent in the privacy is a legacy resource, because all days we give consent without read the contract and conditions. Now, to reach privacy, you need to use the resource of transparency. When the user know what the data controller did with your data and it is allowed to the data holder manage data sharings, get reports and claim privacy rights using this transparency, you get the real privacy. Gdpr, lgpd is about it. Is not about cypher data or allows a consent opt in, but to give to the holder the power to manage all aspects about your data. So to expand the security contest with privacy, will require to you review all current rules. The risk to see apps using 95% from another technologies and 5% of iris it is real with this expansion. While when you has the requirement to use intersystems security model, we have more chance to see apps with intensive use of iris

Encryption is the part of InterSystems security model. I think the data anonymization task is close to data encryption, isn't it?

And privacy regulations can even deal with anonymized and unencrypted data. If @Henry Pereira removes GDPR or LGPD terms from the question (which are the potential implementation goals), will the case work as a security topic?

So our contest is not about privacy. But we can include encryption and data obfuscation/anonymization.

IRIS has encryptation already, but not anonymization. Is a valid security topic.

Evgeny Shvarov · Nov 14, 2021

We expanded the topic for Auditing and Encryption too. So, @Henry Pereira, your idea meets the contest requirements - please apply for the contest!

@Yuri Marx, thanks for your attention and useful comments as always!

Henry, it's an interesting topic! If we don't see strong objections and concerns we'll expand the scope of the contest.

Henry Pereira · Nov 8, 2021

Thank you @Yuri Marx and @Evgeny Shvarov for all enlightenment. I will follow the advice to remove GDPR and LGPD from the implementation goal and will focus on anonymization data, if it's included on scope.

Iryna Mologa · Nov 10, 2021

Hey Developers!

Are you started creating your solutions? We are waiting to see them!

Don't forget, that the new InterSystems Security Contest is starting on Monday!

So, good luck to everybody!

Added an example of REST API with basic authentication and users deployed and an example of roles authorization implemented.

Iryna Mologa · Nov 15, 2021

Hey Devs!

The registration period is finally started! Join our Security Contest!

Here is the landing page: https://contest.intersystems.com/

Iryna Mologa · Nov 16, 2021

WOW! Developers!

There are already 2 applications that have been uploaded by @Sergey Mikhailenko ! What a speed! ⚡

appmsw-forbid-old-passwd
isc-apptools-lockdown

Go check it out!

So, who will be next?

Iryna Mologa · Nov 17, 2021

Hey Developers,

The recording of the InterSystems Security Contest Kick-off Webinar is available on InterSystems Developers YouTube!

Please welcome:

⏯InterSystems Security Contest Kick-off Webinar

https://www.youtube.com/embed/rkazbUpM6Dc
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]