Hi Community,
Join us for this introduction to the terminology and workflow of using OAuth 2.0 with an HL7 FHIR server:
Security in IT is the protection of computer systems from theft of, or damage to, their hardware, software or information, as well as from disruption or misdirection of the services they provide.
How to configure and implement X.509 users to allow login into Caché without a password.
Hi,
Working on integrating with the O365 SharePoint REST API. I would want to know if anyone can share their experience with integration with the SharePoint REST API and how they implemented security?
Thanks
Kiran Kumar
I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.
The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).
For Caché to use this, I get that there is an environment variable (REMOTE_USER) which is set to "something", but it's not clear to me how this ends up mapping to a provisioned Caché user (or LDAP-provisioned user, for that matter) and ultimately to the %Roles in effect and subsequent system access.
How to check if a password is strong enough that it will not be cracked very fast? And how to make a strong password?
I've developed a tool that may help with this. You can find it on OpenExchange. Install it with zpm
zpm "install passwords-tool"
This module will install just one class, caretdev.Passwords, which contains a few helpful methods.
To get a secure password it's usually enough to use letters in upper and lower case, digits, and special symbols, and it should be at least 8 symbols long.
Method Generate with parameters
I was wondering if there was a certain procedure or documentation on securing (https://) the Web Portal into IRIS/Ensemble?
Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However, as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.
Maybe I am not looking at the right place for documentation, but is there a Best Practice guide, set of instructions, or Online learning that can help guide me in trying to make our environment more secure?
Hey Community,
Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:
XData (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GOBJ_XDATA) is a powerful feature for attaching documentation and metadata to classes and methods. The %CSP.REST class uses XData to map REST calls (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GREST_csprest), so in this article you will see how to use XData in your apps as code, not only as documentation.
Hi Community,
New video is already on InterSystems Developers YouTube:
⏯ Updates on Security: OpenSSL and a New "Security" Database
What about having your IRIS REST APIs scanned on every push and getting a report of possible vulnerabilities? This is what I am going to show you in this article.
Recently, we had the Security Contest with amazing applications and examples showing how to improve security in your IRIS solutions. One such example was the zap-api-scan-sample, made by me and my colleague Henrique Dias. Our application shows how to use the OWASP ZAP API scanner to perform security tests on the OpenAPI definitions of your REST APIs generated by IRIS.
In my previous post I described how to install the pre-release of the Server Manager 3 extension and benefit from enhanced security for your stored credentials.
Now, by upgrading to the latest release (1.2.7) of the InterSystems Language Server and opting in to the 1.3 pre-release of the ObjectScript extension, you get the additional reassurance of being notified whenever either of those extensions tries to access stored credentials for the first time.
Hi Community,
We're pleased to invite you to the online meetup with the winners of the InterSystems Security contest!
Date & Time: Friday, December 10, 2021 – 11:00 EDT
What awaits you at this virtual meetup?
Hey Developers,
The InterSystems Security contest is over. Thank you all for participating in our coding competition!
So it's time to announce the winners!
A storm of applause goes to these developers and their applications:
Hey Community,
We want to hear from you! Give us your feedback on the past InterSystems Security programming contest! Please answer some questions to help us improve our contests.
👉 Quick survey: InterSystems Security Programming Contest Survey
I need to store an equivalent of the SSN (Social Security number). I need it to be encrypted and I'll have to be able to search for it once stored.
From what I've seen, my options are:
- SHAHash from the %system.encryption library. Simple and easy to implement. My question is, might collisions be a problem? We are talking about 10 million entries.
- AES encryption. In this case I'd like to know if there is a standard way of doing key management in the InterSystems environment.
I can eventually get a certificate for this project to use other encryption function as well.
Open to suggestions.
Hey Developers,
This week is a voting week for the InterSystems Security contest! So, it's time to give your vote to the best solutions built with InterSystems IRIS.
🔥 You decide: VOTING IS HERE 🔥
How to vote? Details below.
Hi contestants!
We've introduced a set of bonuses for the projects for the Interoperability Contest 2021!
Here are the projects that scored them:
| Project | Basic Auth | Bearer/JWT | OAuth | Authorization | Auditing | Encryption | Docker | ZPM | Online Demo | Code Quality | Article on DC | Video on YouTube | Total Bonus |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Nominal | 2 | 3 | 5 | 2 | 2 | 2 | 2 | 2 | 3 | 1 | 2 | 3 | 29 |
| appmsw-forbid-old-passwd | 2 | 2 | 2 | 1 | 2 | 9 |
| isc-apptools-lockdown | 2 | - | - | 1 | 2 | 5 |
| passwords-tool | 2 | 2 | 1 | 2 | 7 |
| API Security Mediator | 2 | 2 | 2 | 2 | 2 | 3 | 1 | 6 | 3 | 23 |
| Audit Mediator | 2 | 2 | 2 | 1 | 4 | 3 | 14 |
| iris-disguise | 2 | 2 | 1 | 4 | 3 | 12 |
| iris-saml-example | 5 | 2 | 2 | 2 | 3 | 1 | 2 | 17 |
| Server Manager 3.0 Preview | 2 | 4 | 6 |
| appmsw-dbdeploy | 2 | 2 | 1 | 2 | 7 |
| Data_APP_Security | 2 | 5 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 3 | 26 |
| IRIS Middlewares | 2 | 1 | 3 |
| TimeTracking-workers | 2 | 2 | 1 | 5 |
| zap-api-scan-sample | 2 | 1 | 4 | 3 | 10 |
| https-rest-api | 2 | 2 |
Please apply with your comments here in the posts or in Discord.
InterSystems IRIS has a great audit system. It is responsible for auditing system events, but you can also use it to audit your own applications (a great feature).
The audit system is based on the concept of events. Events can occur within IRIS itself or in an application, so there are two types of events for the audit system:
1. System events: events that occur in the InterSystems IRIS components (database, interoperability, analytics and core);
Created by Daniel Kutac, Sales Engineer, InterSystems
Warning: if you get confused by the URLs used: the original series used screens from a machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat the URL WIN-U9J96QBJSAG as if it were dk-gs2016.
Part 2. Authorization server, OpenID Connect server
The InterSystems Server Manager extension for Visual Studio Code lets you define connections to your servers, list their namespaces and edit or view code there. You can also launch Portal for a server.
Server Manager 3.0 improves security by becoming a VS Code Authentication Provider. It is my entry for the November 2021 InterSystems Security Contest. Click here to visit the contest page where you may decide to vote for this entry. Please ignore the clickable "Contestant" label on this article header above, as it relates to a different contest for new DC articles. If you want to support me in that contest, simply "like" this post.
Security wanted!
Welcome to the next InterSystems online programming competition:
🏆 InterSystems Security Contest 🏆
Duration: November 15 - December 05, 2021
Prizes: $9,450 in prizes!
Hi,
I recently needed to set up an SSL/TLS configuration in IRIS that supported mutual authentication (where the server IRIS is establishing a connection to is verified, and where IRIS is in turn verified by the remote host). After a bit of research and getting it done, I thought it worthwhile to go over the process I went through in order to potentially help others and save you some time.
Hi Developers!
Here're the technology bonuses for the Security Contest 2021 that will give you extra points in the voting:
See the details below.
Hi Community,
We are pleased to invite all the developers to the upcoming InterSystems Security Contest Kick-off Webinar! The topic of this webinar is dedicated to the Security contest.
We’ll discuss the aspects of Security Model implementation in InterSystems IRIS, the requirements, and what we expect from participants of the Security contest. Also, we’ll answer all the questions related to the contest!
Date & Time: Monday, November 15 — 12:00 AM EDT
Speakers:
🗣 @Andreas Dieckow, Principal Product Manager at InterSystems Corporation
🗣 @Evgeny Shvarov, InterSystems Developer Ecosystem Manager
Good morning -
As we're starting to create more custom message classes to represent our JSON-based integrations, I was pondering how to implicitly grant SELECT privileges to a specific Security Role so they can utilize Message Viewer to search through the message history.
Does InterSystems, specifically Ensemble, support a Single Sign-On architecture? Currently we are using delegated sign-on using LDAP and TLS; however, our CIO would like us to move toward single sign-on, so when you sign into your PC it would automatically pass the credentials to Ensemble.
Thanks
Scott
Over the past year or so, my team (Application Services at InterSystems - tasked with building and maintaining many of our internal applications, and providing tools and best practices for other departmental applications) has embarked on a journey toward building Angular/REST-based user interfaces to existing applications originally built using CSP and/or Zen. This has presented an interesting challenge that may be familiar to many of you - building out new REST APIs to existing data models and business logic.
How do you determine what namespace to use for your custom SAML attributes? We want to receive patient context (first name, last name, dob, gender, etc.)
OASIS has resource-id but none of the other attributes. urn:oasis:names:tc:xacml:1.0:resource:resource-id
Does Caché or IRIS have Data Masking capability natively to Test/Dev/Report environment, like other databases?
Hi Community,
Did you know about OWASP and its Top Ten web application security risks to your Web API or Web Apps?
OWASP is a community foundation created to help us improve the security of web apps and web APIs. OWASP makes web apps more secure through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.