InterSystems Security Contest
Security wanted!
Welcome to the next InterSystems online programming competition:
InterSystems Security Contest
Duration: November 15 - December 05, 2021
Prizes: $9,450 in prizes!

Prizes
1. Experts Nomination - a specially selected jury will determine winners:
1st place - $4,000
2nd place - $2,000
3rd place - $1,000
4-10th places - $100
2. Community winners - applications that will receive the most votes in total:
1st place - $1,000
2nd place - $500
3rd place - $250
If several participants score the same number of votes, they are all considered winners, and the money prize is shared among the winners.
Who can participate?
Any Developer Community member, except for InterSystems employees (ISC contractors allowed). Create an account!
Developers can team up to create a collaborative application. Teams of 2 to 5 developers are allowed.
Do not forget to highlight your team members in the README of your application - DC user profiles.
Contest Period
November 15 - 28: Application development and registration phase.
November 29 - December 05: Voting period.
Note: Developers can improve their apps throughout the entire registration and voting period.
The topic
In the security contest, we encourage developers to share the solutions that show how to perform security tasks related to InterSystems IRIS and InterSystems IRIS for Health. We invite you to contribute apps that will reveal tasks related to the Authentication, Authorization, Auditing and Encryption parts of the InterSystems Security Model.
Such tasks could be:
- OAuth/OpenID/SAML/LDAP Authentication implementations.
- PKI implementations
- Access Management to certain parts of a REST API: application-level security, role/user-level security.
- Access Management to data: on a database, table, column, or row-level access.
- Access to interoperability components
- Access to IRIS BI components: cubes, pivots, dashboards etc.
- DevOps questions of authorization (users, roles, resources) and authentication (OAuth) settings.
- Developer and support tools related to authentication and authorization.
- Your idea!
Requirements:
- Accepted applications: apps new to Open Exchange, or existing ones with a significant improvement. Our team will review all applications before approving them for the contest.
- The application should work either on IRIS Community Edition or IRIS for Health Community Edition or IRIS Advanced Analytics Community Edition.
- The application should be Open Source and published on GitHub.
- The README file of the application should be in English, contain the installation steps, and contain a video demo and/or a description of how the application works.
Helpful resources
1. For beginners with InterSystems IRIS:
2. For beginners with ObjectScript Package Manager (ZPM):
- How to Build, Test and Publish ZPM Package with REST Application for InterSystems IRIS
- Package First Development Approach with InterSystems IRIS and ZPM
3. How to submit your app to the contest:
4. Documentation, courses, and videos:
- Security Documentation
- Course: InterSystems Security Basics
- Video: Active Directory Integration with LDAP
- Video: Configuring a Web Server for IIS for Better Performance and Security
- Video: Webinar: Securing the Management Portal
- Video: Advances in Security
- Article: Building an FHIR Repository + OAuth2 Authorization Server/Resource Server Configuration on IRIS for Health Part 1
- Article: InterSystems IRIS Open Authorization Framework (OAuth 2.0) implementation - part 1
- Article: Protect your REST API applying OWASP Top Ten
5. Templates
Judgment
Voting rules will be announced soon. Stay tuned!
So!
We're waiting for YOUR project - join our coding marathon to win!
Please check out the Official Contest Terms here.
Comments
My suggestion is that an implementation of pseudonymization or anonymization, to protect sensitive data so that it does not fall within the scope of the GDPR or LGPD (Brazilian version of GDPR), could fit the security contest. I am planning to do something like that if it fits.
I like that idea, Henry. Either update real data to fake data or just create fake data for testing.
It is a contest about security, not about privacy. In the rules, it is necessary to use the InterSystems Security Model.
Yuri, yes, data anonymization and obfuscation is not a part of the InterSystems Security model but it's an interesting topic related to secure IT practices. And regarding privacy - I think it becomes privacy when you agree or disagree with the consent. So IMHO privacy begins when the solution is implemented which we don't expect to see in the contest :)
Consent in privacy is a legacy resource, because every day we give consent without reading the contract and conditions. Now, to reach privacy, you need to use the resource of transparency. When the user knows what the data controller did with your data and the data holder is allowed to manage data sharing, get reports and claim privacy rights using this transparency, you get real privacy. GDPR and LGPD are about that. They are not about ciphering data or allowing a consent opt-in, but about giving the holder the power to manage all aspects of your data. So expanding the security contest with privacy will require you to review all current rules. The risk of seeing apps using 95% other technologies and 5% IRIS is real with this expansion. Whereas when you have the requirement to use the InterSystems security model, we have more chance of seeing apps with intensive use of IRIS.
Encryption is the part of InterSystems security model. I think the data anonymization task is close to data encryption, isn't it?
And privacy regulations can even deal with anonymized and unencrypted data. If @Henry Pereira removes GDPR or LGPD terms from the question (which are the potential implementation goals), will the case work as a security topic?
So our contest is not about privacy. But we can include encryption and data obfuscation/anonymization.
IRIS has encryption already, but not anonymization. It is a valid security topic.
We expanded the topic for Auditing and Encryption too. So, @Henry Pereira, your idea meets the contest requirements - please apply for the contest!
@Yuri Marx, thanks for your attention and useful comments as always!
Henry, it's an interesting topic! If we don't see strong objections and concerns we'll expand the scope of the contest.
Thank you @Yuri Marx and @Evgeny Shvarov for all the enlightenment. I will follow the advice to remove GDPR and LGPD from the implementation goal and will focus on data anonymization, if it's included in the scope.
Hey Developers!
Have you started creating your solutions? We are waiting to see them!
Don't forget that the new InterSystems Security Contest is starting on Monday!
So, good luck to everybody!
Added an example of REST API with basic authentication and users deployed and an example of roles authorization implemented.
Hey Devs!
The registration period has finally started! Join our Security Contest!
Here is the landing page: https://contest.intersystems.com/
WOW! Developers!
There are already 2 applications that have been uploaded by @Sergey Mikhailenko! What a speed!
appmsw-forbid-old-passwd
isc-apptools-lockdown
Go check it out!
So, who will be next?
Hey Developers,
The recording of the InterSystems Security Contest Kick-off Webinar is available on InterSystems Developers YouTube!
Please welcome:
Hey Community!
We are waiting for your participation in the Security Contest!
Here is the landing page: https://contest.intersystems.com/
Hello Developers!
The first week of the registration period has ended, so only one week left!
So, upload your applications and participate!
Wow, participants have added new apps! Let's see them:
passwords-tool by @Dmitry Maslennikov
API Security Mediator and Audit Mediator by @Yuri Marx
iris-disguise by @Henry Pereira
Developers, only 3 days left till the end of the registration period. Hurry up!
Happy coding)
Hi Community!
Only 2 days left before the start of voting.
Hurry up to upload your application!
Community!
Last call! Today is the last day of registration!
5 more articles have been added to the competition!
iris-saml-example by @Dmitry Maslennikov
Server Manager 3.0 Preview by @John Murray
appmsw-dbdeploy by @Sergey Mikhailenko
Data_APP_Security by @Muhammad Waseem
IRIS Middlewares by @Davi Massaru Teixeira Muta