Hurray for security!

If you're connecting to a local server and doing isolated development with a throwaway account, just store your password in plain text in the settings.json configuration file. But if you're working with a shared server using a "real" user account, it's a good idea to protect that information.

1 0
1 219

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

0 2
1 351
Question
· Aug 15, 2022
Security Scans

We are looking for a 3rd party application that can scan our IRIS based Cache Object Script code for vulnerabilities or coding weaknesses. There are many, many applications/vendors out there that do code scanning but none seem to support Cache Object Script or scanning the IRIS environment. If anyone is aware of a company/product that can scan our code / IRIS environment, I would love to hear about it.

Thanks in advance for the help.

Mike

0 3
0 315

Hey Developers,

Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:

InterSystems IRIS Container Updates

https://www.youtube.com/embed/ZbzP7m0HDkU
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

0 0
0 209

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

0 6
0 284

Hey Developers,

In the second part, you will learn how to build a FHIR Application with OAuth 2.0 and OKTA:

Securing FHIR Applications with OAuth 2.0 (Part 2)

https://www.youtube.com/embed/4Dk9MYrWaX8
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

0 0
0 241

I am sure I came across this in the past with Cache and just saw this again in IRIS.

When rebuilding or swapping a DAT file for a database it retains the Resource of the DAT file, not the Resource of the Database it is being used for.

For instance, if I have a local Database called APP with a resource %DB_APP and I want to refresh the data from another Database called TEST that has a Resource %DB_TEST I can just copy the DAT file from the TEST folder to the APP folder.

0 5
0 177
Article
· Mar 30, 2022 9m read
3DES support

There are several ways of classifying cryptographic algorithms: 1) Secret Key Cryptography (SKC) - Uses a single key for both encryption and decryption. It is also called symmetric encryption. Primarily, it was used for privacy and confidentiality; 2) Public Key Cryptography (PKC) - Uses one key for encryption and another one for decryption. It is also called asymmetric encryption.

4 6
1 292

Hi Community,

Join us for this introduction to the terminology and workflow of using OAuth 2.0 with an HL7 FHIR server:

Securing FHIR Applications with OAuth 2.0 (Part 1)

https://www.youtube.com/embed/dCf8qOCx8Mo
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

3 0
0 297

Hey Community,

Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:

InterSystems IRIS Container Updates

https://www.youtube.com/embed/u5ccd1kifwQ
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

5 0
0 200

Hi Community,

New video is already on InterSystems Developers YouTube:

Updates on Security: OpenSSL and a New "Security" Database

https://www.youtube.com/embed/Eb5kPw8-l08
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

3 0
0 252

Hi Community,

We're pleased to invite you to the online meetup with the winners of the InterSystems Security contest!

Date & Time: Friday, December 10, 2021 – 11:00 EDT

What awaits you at this virtual meetup?

  • Our winners' bios.
  • Short demos on their applications.
  • An open discussion about technologies being used. Q&A. Plans for the next contests.

https://www.youtube.com/embed/NBZiPhZzThg
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

3 2
0 404
Question
· Dec 2, 2021
SNN Encryption

I need to store an equivalent of the SNN (Social Security number). I need it to be encrypted and I'll have to be able to search for it once stored.

For what I've seen my options are:

- SHAHash from the %system.encryption library. Simple and easy to implement. My question is, might collisions be a problem? We are talking about a 10 millions entry.

- AES encryption. In this case I'd like to know if there is a standard way for key management in the InterSystems environment.

0 2
0 295

Hi contestants!

We've introduced a set of bonuses for the projects for the Interoperability Contest 2021!

Here are projects that scored it:

Project

Basic Auth

Bearer/JWT

OAuth

Authorization

Auditing

Encryption

Docker

ZPM

Online Demo

Code Quality

Article on DC

Video on YouTube

Total Bonus

Nominal 2 3 5 2 2 2 2 2 3 1 2 3 29
appmsw-forbid-old-passwd 2 2 2 1 2 9
isc-apptools-lockdown 2 - - 1 2 5
passwords-tool 2 2 1 2 7
API Security Mediator 2 2 2 2 2 3 1 6 3 23
Audit Mediator 2 2 2 1 4 3 14
iris-disguise 2 2 1 4 3 12
iris-saml-example 5 2 2 2 3 1 2 17
Server Manager 3.0 Preview 2 4 6
appmsw-dbdeploy 2 2 1 2 7
Data_APP_Security 2 5 2 2 2 2 3 1 4 3 26
IRIS Middlewares 2 1 3
TimeTracking-workers 2 2 1 5
zap-api-scan-sample 2 1 4 3 10
https-rest-api 2 2

Please apply with your comments here in the posts or in Discord.

2 17
0 382
Article
· Nov 29, 2021 3m read
Previewing Server Manager 3.0 for VS Code

The InterSystems Server Manager extension for Visual Studio Code lets you define connections to your servers, list their namespaces and edit or view code there. You can also launch Portal for a server.

Server Manager 3.0 improves security by becoming a VS Code Authentication Provider. It is my entry for the November 2021 InterSystems Security Contest. Click here to visit the contest page where you may decide to vote for this entry. Please ignore the clickable "Contestant" label on this article header above, as it relates to a different contest for new DC articles. If you want to support me in that contest, simply "like" this post.

7 0
1 514
Article
· Nov 28, 2021 3m read
Leveraging the Audit database

The InterSystems IRIS has a great audit system. It is responsible for auditing system events, but you can use it to audit your applications (great feature).

The audit system is based into event concept. The events can occur with IRIS or in an application. So, we have two type of events to the audit system:

1. System events: events occured into the InterSystems IRIS components (database, interoperability, analytics and core);

2 4
1 560
Article
· Nov 23, 2021 4m read
Mutual TLS setup

Hi,

I recently needed to setup an SSL/TLS configuration in IRIS that supported mutual authentication (where the server IRIS is establish a connection to is verified, and, where IRIS is in turn verified by the remote host). After a bit of research and getting it done, I thought it worthwhile to just go over the process I went through in order to potential help others, and save you some time .

4 1
1 764

Hi Developers!

Here're the technology bonuses for the Security Contest 2021 that will give you extra points in the voting:

  • Basic Authentication usage - 2
  • Bearer/JWT Authentication usage - 3
  • OAuth 2.0 usage - 5
  • Authorization components usage - 2
  • Auditing usage - 2
  • Data Encryption usage - 2
  • Docker container usage - 2
  • ZPM Package deployment - 2
  • Online Demo - 2
  • Code Quality pass - 1
  • Article on Developer Community - 2
  • Video on YouTube - 3

See the details below.<--break->

0 1
0 285