Recent

Author Topic: What archetecture to choose.  (Read 7051 times)

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 1156
  • Professional amateur ;-P
Re: What archetecture to choose.
« Reply #30 on: March 26, 2021, 02:35:48 am »
Hey zamronypj,

I think patientID only needs to be unique. As long as generated patientID is unique, even only using  unix timestamp, it is ok.

If you are able to crawl any patient data without problems then it is authentication and authorization problem. proper authentication and authorization mechanism is solution.

I kinda disagree on this one.

Have you heard about the Swiss cheese approach to security/danger mitigating?

It's been brought up into our collective attention due to the pandemic and , in this particular case, you layer up simple mitigation methods so that the cons of each layer(holes in the cheese), don't line up.
So you use a mask, one layer of cheese, keep social distance, another layer of cheese, you get vaccinated, another layer of cheese, etc, etc...

Discarding the, obvious, issue with the unixtime id's and relying solely on other layers of cheese is not a good practice. You should always strive to have as many layers of cheese as you can implement.

Sorry for the cheesy subject, y'all ;)

Cheers,
Gus

PS: You can also add a bit of ham layers and probably make a nice ham & cheese sub? ;-P
Lazarus 3.99(main) FPC 3.3.1(main) Ubuntu 23.10 64b Dark Theme
Lazarus 3.0.0(stable) FPC 3.2.2(stable) Ubuntu 23.10 64b Dark Theme
http://github.com/gcarreno

ASBzone

  • Hero Member
  • *****
  • Posts: 717
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: What archetecture to choose.
« Reply #31 on: March 26, 2021, 04:56:53 am »
I think patientID only needs to be unique. As long as generated patientID is unique, even only using  unix timestamp, it is ok.

No, that is not the only consideration.  It should be more than just unique.  It should essentially be random.  Using sort of sequential or easily enumerated value is bad.

True, you might be okay for a time if *all* other parts of the authentication and authorization code is flawless, but all it takes is one or two weaknesses in some other part of the code, and vulnerabilities can be chained together for exploitable paydays.

Familiarity with OWASP will be helpful for anyone designing systems like this.

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
-ASB: https://www.BrainWaveCC.com/

Lazarus v3.5.0.0 (2216170cde) / FPC v3.2.3-1387-g3795cadbc8
(Windows 64-bit install w/Win32 and Linux/Arm cross-compiles via FpcUpDeluxe on both instances)

My Systems: Windows 10/11 Pro x64 (Current)

zamronypj

  • Full Member
  • ***
  • Posts: 139
    • Fano Framework, Free Pascal web application framework
Re: What archetecture to choose.
« Reply #32 on: March 26, 2021, 05:34:50 am »
Does your bank give you account number using hash value. I dont think so.
« Last Edit: March 26, 2021, 05:36:48 am by zamronypj »
Fano Framework, Free Pascal web application framework https://fanoframework.github.io
Apache module executes Pascal program like scripting language https://zamronypj.github.io/mod_pascal/
Github https://github.com/zamronypj

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 1156
  • Professional amateur ;-P
Re: What archetecture to choose.
« Reply #33 on: March 26, 2021, 11:26:49 am »
Hey zamronypj,

Does your bank give you account number using hash value. I don't think so.

The ID field in a database SHOULD differ from the visible account number.
The ID field in a database SHOULD differ from your visible National Medical Patient ID number, and have an incorporated checksum, hopefully.
The ID field in a database SHOULD differ from you National Card ID number, and have some kind of incorporated checksum like in Portugal.
The visible part SHOULD be detached from the hidden part and that's what I'm referring to.

And getting back to the Swiss cheese model, that means that if you don't transpire an association between a database ID and the visible part, it's gonna be harder to get at the data.

No, it's not 100% secure. But what, in the IT world, is?
Again, getting back to the cheesiness, it's all about layer upon layer with the wholes not aligning!

Cheers,
Gus
Lazarus 3.99(main) FPC 3.3.1(main) Ubuntu 23.10 64b Dark Theme
Lazarus 3.0.0(stable) FPC 3.2.2(stable) Ubuntu 23.10 64b Dark Theme
http://github.com/gcarreno

BSaidus

  • Hero Member
  • *****
  • Posts: 609
  • lazarus 1.8.4 Win8.1 / cross FreeBSD
Re: What archetecture to choose.
« Reply #34 on: March 27, 2021, 12:50:27 pm »
The so difficult problem to this is the uniqueness of the ID ( code )  for patients.
lazarus 1.8.4 Win8.1 / cross FreeBSD
dhukmucmur vernadh!


Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 1156
  • Professional amateur ;-P
Re: What archetecture to choose.
« Reply #36 on: March 27, 2021, 01:17:39 pm »
Hey DonAlfredo,

The mORMot again ... ;-)
https://synopse.info/files/html/api-1.18/SynTable.html#TSYNUNIQUEIDENTIFIERGENERATOR
I will stop about the mORMot now.
 :D

Please don't. mORMot seams to be the exact piece of software to support all the needs, once legal issues are ironed out ;)

Notice that I'm also pressing on the cheese subject :P

Cheers,
Gus
Lazarus 3.99(main) FPC 3.3.1(main) Ubuntu 23.10 64b Dark Theme
Lazarus 3.0.0(stable) FPC 3.2.2(stable) Ubuntu 23.10 64b Dark Theme
http://github.com/gcarreno

DonAlfredo

  • Hero Member
  • *****
  • Posts: 1792
Re: What archetecture to choose.
« Reply #37 on: March 27, 2021, 01:52:57 pm »
Well. A personal view. I will never do database stuff anymore without the mORMot !
A few years ago I was used to do the normal SQL stuff. Coding some logic and GUI in FPC and putting some (business) logic in SQL.

Then came the mORMot. The de-coupling and abstraction makes designing AND maintaining a breeze. However, after a very steep learning curve. The use of DTO's (Data Transfer Objects) is like stepping from assembler to pascal. You get (very safe) REST for free. Its proven on high scale (e.g. https://unitybase.info/). Public (published) and private methods can be exposed. And, most important for me: the SQLite3 (static included, no .dll or .so or .dylib needed) engine will encrypt the local database, so you can use offline databases on local hardware like an Android phone.

However. We are free to make our choices. That is 100% ok. I will throttle the plugging ...  ;)

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 1156
  • Professional amateur ;-P
Re: What archetecture to choose.
« Reply #38 on: March 28, 2021, 05:09:19 am »
Hey DonAlfredo,

After that review I now really need to have a look at mORMot!!

You just wetted my appetite immensely!! THANKS!!

Cheers,
Gus
Lazarus 3.99(main) FPC 3.3.1(main) Ubuntu 23.10 64b Dark Theme
Lazarus 3.0.0(stable) FPC 3.2.2(stable) Ubuntu 23.10 64b Dark Theme
http://github.com/gcarreno

BSaidus

  • Hero Member
  • *****
  • Posts: 609
  • lazarus 1.8.4 Win8.1 / cross FreeBSD
Re: What archetecture to choose.
« Reply #39 on: March 28, 2021, 12:54:36 pm »
Hey DonAlfredo,

After that review I now really need to have a look at mORMot!!

You just wetted my appetite immensely!! THANKS!!

Cheers,
Gus

 ;D  ;D

yes mORMot is wonderfull framework !
lazarus 1.8.4 Win8.1 / cross FreeBSD
dhukmucmur vernadh!

 

TinyPortal © 2005-2018