#Security

Hi Community,

Did you know about OWASP and Top Ten Web Application security risks to your Web API or Web Apps?

OWASP is a community foundation created to help us to improve the security of web apps/web APIs. OWASP do the web apps more secure through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

To summarize the top procedures to do your web app/web api more secure OWASP published the "Top 10 Web Application Security Risks" recomendations, see (source: https://owasp.

When a publish my API, only HTTP is available. How do I publish my REST API using HTTPS?

Hi Team,
I have a requirement to disable the Production Start/Stop buttons for specific support users. But they should be able to stat/stop Ensemble Hosts.
For that new Role, As per documentation along with other Ens resources, I have added %Ens_ConfigItemRun with RWU access and didnt add %Ens_ProductionRun resource.
This makes the Start/Stop buttons disappear from Production Configuration page ( meeting my requirement). But those users are Unable Start/Stop/Restart Ensemble Business Hosts.

There are many options to do a full security scan in your docker images, the most popular option is Anchore community edition.

Anchore will use the main public vulnerabilities databases available, including CVE.

To install Anchore is very ease (source: https://engine.anchore.io/docs/quickstart/), follow the steps:

1. Create a folder in your OS and download the anchor docker compose file to the created folder.
   

   curl -O https://engine.anchore.io/docs/quickstart/docker-compose.

I am getting the following error when trying to fect data from DeepSee:

"Error":"ERROR #5002: Cache error: <PROTECT>%Construct+3^%DeepSee.ResultSet.1 ^DeepSee.Cache.LocalResults(\"session\"),e:\\hs-db\\tfoms\\"

However, I cannot find the place this error points me to.

Specifically, it says 'Label %Construct + 3 lines, in the %DeepSee.ResultSet.1', but there does not seem to be such a place. I could only find the %DeepSee.ResultSet class and it does not have a lable named %Construct.

Hi folks!

Here is how I grant SQL access of user to a particular class/table:

GRANT SELECT, UPDATE ON Packacge_X.Table_Y TO UserZ

How can I grant SQL access of a certain user to a whole schema?

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old, legacy method, it will continue to work, but I would recommend you consider switching to the new one.

In this 3-part series of articles, is shown how you can use IAM to simply add security, according to OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS.

In the first part, was provided some OAuth 2.0 background together with some IRIS and IAM initial definitions and configurations in order to facilitate the understanding of the whole process of securing your services.

Hello,

fine tuning access permissions is a difficult issue in Caché, at least for me as it seems. More generally, I would be interested in how to find out which permission a user is missing when a permission violation is logged. In this specific case a user, created in (from my point of view) an identical way as on other instances, is not allowed to execute an operation within a CSP service on the messagebank (which however works on the other machines). Unfortunately, the message in the errorlog does not tell where exactly the access violation occurs, or what permission is missing.

During some consulting activity, I found at the client's site CACHEAUDIT database of more than 100 GB size. The reason was simple: several processes produced a great amount of %System/%System/OSCommand audit records due to frequent external calls ($zf(-100,.)). As it is well-known, those events can be easily disabled systemwide, while this can be hardly considered secure enough. Reducing the number of days before audit cleanup from default 62 to some reasonable figure (e.g.

Can a license be reserved for a specific user or group of users? So if I have 20 available licenses, only allow other users to use 19 of them while keeping one open for this specific user?

Hello community,

I would like to report about a security issue, that engages us for some time meanwhile.

We configured a restricted user to read data from a csp page to feed our nagios server with information about configuration items we would like to have an eye upon. The configuration of this user is the same in our production and in our development environment. The called method mainly reads data from lookup tables by sql queries and writes data to a temporary table, which is deleted in the begining.

Hi everybody,

Is there any functionality I could use that triggers real time user-defined code on certain audit events? Right now I am interested in triggering such code on a routine modification event, like the one below. I do know how to access this record programmatically, via %SYS.Audit.

Thanks in advance,
Anna

Hey Folks,

I am creating my first record map to import a .txt file and eventually create a message outbound. When I try to pull in the sample file I get:

ERROR #5005:

Any ideas as to why? I have the sample .txt file saved as shown in the available directory. From what I have seen the #5005 error means the file is not available?

The InterSystems IRIS has two major paths to a digital service: API/Web Service into Interoperability module and multimodel Database/Analytics. Each of them has your security configuration.

To do API security you apply an OAuth or JWT plug-in to the API endpoint. So in the Admin Portal, API producer and consumers get the keys to authenticate the API and consume it. The Admin Portal allows you configure RBAC policies too.

To do WS security the best strategy is to use SAML. In the inbound/outbound SOAP message, include X.

About this article:

In InterSystems IRIS, the default form of access to the management portal is HTTP, which means that if the client is in the office and the server is in the cloud, many clients probably desire to encrypt their traffic in some way.

Thus, we would like to show you some ways to encrypt your traffic to and from the IRIS management portal (or various REST services) running on AWS.

This article uses the IRIS built-in apache server for access. It should not be used for benchmarking purposes or as a method of access from production environments applications.

Hello, I have an SSL / TLS configuration that used TLSv1.0 encryption.

However, I need to update to the TLS 1.2 version of encryption, and apparently Caché 2012.1 does not support it according to this link: https://community.intersystems.com/post/tls-v12-support-cach%C3%A9
 

Can I add a library to the Cache, enable TLSv1.2 in some way, or just a version update?

Hello,

In Caché Management Portal yo can see the SQL privileges per table.

For example : http://localhost:57772/csp/sys/sec/%25CSP.UI.Portal.User.zen?PID=P#3 (Page "SQL Tables").

Is it possible to get them by objectscript or SQL ?

Regards.

Hi Developers!

Want to raise security discussion today!

Let's discuss how InterSystems security for applications works. In general, the concept is clear: we have Resources (what to protect), Roles which combine a set of privileges and accesses to Resources and Users which can have this or that Role.

But there is also a concept of Application which also could have a Role.

So you either provide a Role for a User or for an Application.

What do you use in production? What is your strategy and why? Pros, cons?

How can you allow computers to trust one another in your absence while maintaining security and privacy?

“A Dry Martini”, he said. “One. In a deep champagne goblet.”
“Oui, monsieur.”
“Just a moment. Three measures of Gordons, one of vodka, half a measure of Kina Lillet. Shake it very well until it’s ice-cold, then add a large thin slice of lemon peel. Got it?”
"Certainly, monsieur." The barman seemed pleased with the idea.
Casino Royale, Ian Fleming, 1953

OAuth helps to separate services with user credentials from “working” databases, both physically and geographically. It thereby strengthens the protection of identification data and, if necessary, helps you comply with the requirements of countries' data protection laws.

With OAuth, you can provide the user with the ability to work safely from multiple devices at once, while "exposing" personal data to various services and applications as little as possible. You can also avoid taking on "excess" data about users of your services (i.e. you can process data in a depersonalized form).

By default InterSystems IRIS expose your endpoints using http, but can be necessary run https from your dev env and/or get public internet access to your app. You can buy or get a certificate and config a gateway, spending many hours or use a great public service called ngrok. Follow the steps:

1 - Run your app, I will use FHIR template as sample, see:

1.1 download the app: git clone https://github.com/intersystems-community/iris-fhir-template.git

1.2 go to the app dir: cd iris-fhir-template

1.3 run the app: docker-compose up -d

1.

Hello 

Is there an example how to configure the webgateway on linux with kerberos in the dokumentation I found something but not realy in detail so far I understand I need two priniples one service prinple account with for example iris/at-mie-centos_iris.balmie.local@BALMIE.LOCAL-> there is my first problem with the dokumendation the @BALMIE.LOCAL is not dokumented but if you create a keytabfile with ktpass you can't create this without domain. For the secound user principle I am totaly lost how it should work must be both account in the keytabfile?

Introduction

Nowadays, there is a lot of applications that are using Open Authorization framework (OAuth) to access resources from all kinds of services in a secure, reliable and efficient manner. InterSystems IRIS is already compatible with OAuth 2.0 framework, in fact, there is a great article in the community regarding OAuth 2.0 and InterSystems IRIS in the following link here.

This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.

Is it possible restrict access in IRIS from label data classification (ultra/top secret, restrict, ostensive, etc.)?

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks

Hey Developers,

Check out the latest video on FHIR API Management:

⏯ FHIR API Management: Basic Configuration

⏯ FHIR API Management: FHIR Dev Portal

⏯ FHIR API Management: Logging and Monitoring

⏯ FHIR API Management: Security

Hi,

I am attempting to set up a security role for our support team so they can have read access to the production and messages.

I have given the role RW rights on the resource associated with the database. However, when I log into Management Portal and select "Ensemble", the "Available Ensemble namespaces" list is empty.

What permissions do i need to set to be able to navigate to the production?

Hi All,

Actually, I'm developing few restful API's. I want to create a authentication tokens and display it on my login restful API. If I'm using CSP sessionId, how can I validate the session Id's in another or continues restful API's. else, is there any other approach to handle this task. 

My Primary goal is, I have to integrate 2 different front end applications. One is Zen framework another one is web pages from Python. 

If any lead, it would be appreciated. 

Thanks,

Arun Kumar Durairaj. 

About regulations

Personal data privacy regulations have become an indispensable requirement for projects dealing with personal data. The compliance with these laws is based on 4 principles:

1. Compliance with the rights of the holder of personal data;
2. Governance of personal data assets;
3. Privacy by Design and by Default;
4. Data protection.