Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I'm looking for a 'best practice' in the industry for integrating SAP with a .Net application. So far I only need to read data from SAP, there's no need to update.
The most straightforward way I've found is using SAP Connector and call a BAPI. I am using SAP Connector 3.0. But I'm just wondering whether there's better design out there for retrieval of data? The requirement is - to touch SAP as little as possible and able to transfer data in bulk.
Also, if using this design, other than the SAP login info which I can safeguard via standard encryption etc, is there any other security concern?
Thanks.
I've written many SAP RFC applications. I believe that the .Net connector sits on top of their RFC protocol as does the Java connector. In my experience, the best practice depends on who you ask at SAP. They do have a web application server (WebAS I think it is called these days....it was renamed a few times) that can probably host a web service, but it depends on what you have installed. I think many people opt for the .Net or Java connector still. (I prefer the C++ library personally since it is quite fast, but that is only for the extremely foolish ;) )
My information may be dated, but if they have been consistent then the RFC communication layer is not encrypted out of the box. There is a third party plugin that is used on SAP GUI and all RFC type connectors (.Net/JCo) to encrypt the data stream. You have to set it up in the rfc .ini file.
Then there are IDOCs, which I don't think you want to play with. It is a flat file format much like EDI but dumber.
About the security part, if you're using the equivalent of JCO with .Net, you have a user on the SAP backend to connect with.
This user should be of type "Connection" (so that no-one can use it with the SAPGUI), and should have authorizations that are limited to what is needed (so that no program can use it to perform others operations that you did not thought). While the chance that someone manage to get this user/password are low, you don't take chance with productive datas. Also, password should not be a simple one.
This may sound like basic security, but since i just found the exact opposite on a productive system, i prefer to state it.
Regards
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 4 years ago.
Improve this question
I am from network and OS operations and not from development background. I have some experience in writing Python and PHP code, and have studied software development in college.
As a hobby project (for now), I am planning on building a small website, which will have a component to store PII and sensitive information. I have to give security the first preference, and 2nd to performance (mainly of encryption/decryption).
My target is to have everything encrypted wherever possible, and also to have code which gives as little room as possible (by default) for exploitation. The site will be hosted on linux system.
The whole idea of the project is to learn a language in depth (as much as possible), and I feel I will be much more focused if I pick on some idea that I like. And that idea involves handling PII and other sensitive information. And, if the end product turns out good, then will open it up, hence wanting to make a good choice when choosing the language to write the code in.
I have done some reading, and saw people mentioning that for the backend c/c++ would be good, as it gives good performance and flexibility, but security is not easy. The next best choice would be Ada 2012, as that gives more security than C/C++, and also does not compromise on performance. Java can also provide security, but can be slightly slower. And then Python/Ruby.
I am thinking that Ada 2012 may be a good choice, but I don't want to get into a position wherein I learn it to some extent and then realize that I would have been better off with Python or Java or some other language.
I want to know from the experts answers to these 3 specific questions:
Which language will be ideal to develop this site, so that :
the best available encryption/decryption libraries can be used?
the features of the language can be leveraged to write inherently secure code?
Also, the more performance can be gained, the better?
Please advise. And also, if someone has done website (specially those handling PII) development using Ada, please share your experience.
I know each and every language has advantages and disadvantages, and the intent behind my query is to learn from the experience of those who have spent many years as website developers, and have used multiples languages and frameworks to develop websites handling sensitive data. If the mods think the question can start a good vs bad language war, I apologize as that is not the intent, and I will close the question.
The features of the language can be leveraged to write inherently secure code? Ada's type system supports writing code that validates data before usage. It's a feature of the language that helps with IT-security. But of course there is much more to IT-security than that. Configuring the firewalls, for example using systemd to specify how many processes of an executable is allowed to run simultaneously by the OS, how much memory each process is allowed to allocate, which directories the different applications have access to and permissions, and so on. I am sure there is lots I don't mention nor cover in this short response.
The best available encryption/decryption libraries can be used? The best library to my knowledge for cryptography is the Ada-Crypto-Library: https://github.com/cforler/Ada-Crypto-Library.
But what is asked for is making a safe web application. For encrypting the Secure Socket Layer (https) the Ada-Crypto-Library is not used in any http server implementation that I am aware of. If one wants to develop a web application in Ada there are three options that I see: AWS (Ada Web Server) from AdaCore and that is included in the Community Edition of the GNAT compiler (www.adacore.com), the http server implementation in Dmitry Kazakov's simple components (http://www.dmitry-kazakov.de/ada/components.htm) or GNOGA (www.gnoga.com) that is implemented on top of Dmitry Kazakov's Simple Componenets. Oh wait, Matreshka may also be used but I haven't used it yet so I cannot comment (http://forge.ada-ru.org/matreshka).
According to the documentation of AWS it can be compiled to use either OpenSSL, LibreSSL or GNUTLS (http://docs.adacore.com/live/wave/aws/html/aws_ug/building_aws.html#requirements).
With Simple Components and GNOGA the Secure Socket Layer implementation is provided by GNUTLS.
Another option for providing SSL to a web application is to use the Apache web server as a proxy that handles the encryption (I have never done such a setup, only heard of the existence of this possibility).
Also, the more performance can be gained, the better? I like performance and how to get the best performance is a vast subject. On the whole I think Ada is good programming language choice for those who like performance. Of the top of my head, to maximise performance using Ada one should:
1) When using the standard containers and using the GNAT compiler one may use "pragma Suppress (Tampering_Checks);" to increase the performance of ones application. Not everyone agrees with this view to have one debug build with the tampering checks turned on and then one release build with the checks off since one trades safety for performance, but it has a noticable impact on performance. An alternative to the standard containers one may use the Ada-Trait based containers (https://github.com/AdaCore/ada-traits-containers). They may be the World's most well designed containers for the Ada programming language.
2) Avoid usage of Unbounded_String in the standard library. One may use instead the XString unbounded string implementation in the GNATColl library and may give a 10x performance boost. Also consider allocating ordinary Strings inside memory pools (or subpools) if possible (I've done that in the Xml_Parser application in the repository: https://github.com/joakim-strandberg/wayland_ada_binding)
EDIT: I deliberately avoid arguing whether or not Ada, Java or Python is better and instead focus on, if you would do it in Ada, what would you need to do and consider.
short answer - No,such a system is never possible. PII is less sensitive than a nuclear program.
Long answer --
1. the best available encryption/decryption libraries can be used?
-As your question mentions encryption comes with decryption, the SHA-1 is broken now check alternatives (https://www.forbes.com/sites/forbestechcouncil/2017/04/13/sha-1-encryption-has-been-broken-now-what/#35e33f317ee7) and if you want to dig deep it is not about libraries it is about the algorithm used for the job.Any encryption can be broken sooner or later.
2. The features of the language can be leveraged to write inherently secure code?
There is nothing as secure language or features of language to save you there are few frameworks based on some security princiapls;just follow a set of practices to make code secure.
You follow them you would be safe if you don't there could be trouble and there are around 5000 free tools (unofficial number)that can be run on a website to break it.Are you willing to test your system against so many number of tools ?
3.Also, the more performance can be gained, the better?
-The stronger the encryption and security the more performance you lose always a trade off so choose your treadmill.
Security is a very vague and broad term and everyone gets hacked even the likes of yahoo and Symantec.(https://gizmodo.com/researchers-made-a-clever-tool-to-detect-hacks-companie-1821293404)
still not convinced here is the state of the art -https://en.wikipedia.org/wiki/Stuxnet but even this is 20 years old and just 500-kilobyte of threat.
My 2 cents - As we deal in 0 and 1 please define clear goals in terms of security and performance the make a poc(proof of concept) and run some benchmarks test.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I want to develop an EDI 837 Professional project and I don't understand from where to start. If anybody knows about this & have worked on it then please help me & give me advice where do I start from ?
I guess it depends on what you are trying to do. I am new to this as well and I am trying to generate EDI X12 837 files from a datasource in our system. I have found this open source project to be very helpful. It contains an executable that can transform EDI's to XML. There are also some API's that you can use if you are developing in C#/VB.
Also you can take a look at this article. It provides information about EDI formatting. I found it very helpful in getting started.
If you are interested in a Web API that takes care of your 837P (and other) claims that can easily be integrated into your web based platform, check out https://837-edi.clearehr.com - it is free and eliminates a large amount of development (and costs, and headaches) for those trying to implement EDI insurance claims into their solutions. Over 1,000 payers supported at this point and more are added all the time.
Disclaimer: I am a developer at ClearEHR
The first thing you need is to get the 837 implementation guide. It tells you what data goes into the file and how it should be structured. The publisher of these documents is called wpc-edi.com.
The second thing you need is a good EDI library component that helps you create these files without having to worry about the format and just concentrate on the data. One good one is RDPCrystal.com
One way of doing it is using Microsoft BizTalk Server.Microsoft's BizTalk offers many added features for maintaining and monitoring the solution.
Visit https://learn.microsoft.com/en-us/biztalk/core/edi-support-in-biztalk-server1 for details
EDI or IDOC or X12, best practice in developing complex Integration solutions is to use canonical schemas.
This is a design pattern to decouple systems. Specially when you want this to expose as data contracts on your web services. For your EDI 837 (Patient Info), Canonical schema might contain some additional info that you can reuse later.
EDI Schema -> Canonical Schema (Patient Info) -> Target Schema
There's a good article on how to create canonical schemas. You can find it here.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I am interested in developing a new SQL-based RDS which can generate prototype CRUD-oriented 4GL code which can then be easily customized. So I am looking for opinions, suggestions, etc. in what features should a new RDS have?
I have looked at several products. FileMaker is more or less the type of product I'm looking for, but it's not SQL-based. Informix 4GL and 4Js are what comes closest, but the lead time for customizing/debugging seems to take a long time.
Depends on the market you are aiming for. In your place, my first decision would be whether to link it to a specific RDBMS implementation (which would be Oracle, SQL Server or mySQL) or to try to make it flexible to use amongst any of the major databases. The latter would obviously add massively to the complexity (development, testing, support).
The second would be the OS platform. Something that is specific to Windows (or perhaps Windows Vista/7 upwards) or can be used on Linux, OSX etc. 32bit/64bit would also be a consideration here. I'd need to know that it can run on 64-bit Windows 7 at least.
Thirdly, what do you develop your Rapid Development Tool in. Dot Net would pretty much be Windows only. Java or Python offer more choice.
Fourthly, are you making this as a commercial product, or as open source (or both). Bluntly, if I was looking at buying such a tool to develop my XYZ product in, I'd be looking at long-term support. If the tool doesn't have a five-year pedigree of ongoing support, I'd be very hesitant and would only consider it if it came from a company of the likes of Microsoft/IBM/Oracle/Apple with some serious history in the field. And even then I would be skeptical (search on Microsoft's Oslo/Quadrant/SQL Server Modeling).
I'd also be looking for professional tech writers for the documentation.
See the feature list of Oracle Application Express for some good ideas.
I've used a few of these tools and things that come to my mind are:
1/ automatic joining on foreign keys
2/ keeping columns in the same order as the table in the code
3/ dynamic code generation, no separate code generation stage
4/ undo on table changes
5/ prototyping features to enable actual data to be modelled during development
6/ hide column feature
7/ SQL import for those tricky bits
8/ code locking on tricky bits
9/ version control
10/ segmentation into namespaces
11/ Language templates for easy addition of extra code languages
I think going to an intermediate 4gl first would be good and then a second stage to render code in the language of choice would be good.
I hope this is of some use to you, good luck!
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
With all the key value data stores out there I have started to create an abstraction layer so that a developer does not have to be tied in to a particular store. I propose to make libraries for:
Erlang
Ruby
Java
.NET
Does anyone have any tips on how I should go about designing this API?
Thanks
First off, and as a general rule for anytime you build "pluggable" abstraction layer, build it to support at least two real implementations to start. Don't build it for just one datastore and try to make it abstracted, because you'd overlook a details that won't plug into another implementation very well. By forcing it to use two seperate implementations, you'll get closer to something that is actually flexible, but you'll have to make further changes to support a third and fourth data store.
Second, don't bother, these things already exist. Microsoft has provided a ton of these for their technologies (ODBC, ADO, ADO.NET, etc), and I'm sure Ruby/Java/etc has several as well. I understand the desire to encapsulate the already existing technology, but the more data stores you need to support, the more complexity you need to build in, and the closer you'll get to ADO.NET (or similar technologies). Companies like MS have spent a ton of money and research on solving this exact problem, and that is what they came up with.
I would strongly recommend checking out Twitter's Storehaus project - this is a key-value store abstraction layer for the JVM and written in Scala, supporting (to date) Memcache, Redis, DynamoDB, MySQL, HBase, Elasticsearch and Kafka.
Storehaus's core module defines three traits:
A read-only ReadableStore with get, getAll and close
A write-only WritableStore with put, putAll and close
A read-write Store combining both
In the Ruby ecosystem, you should check out moneta, which again provides a unified interface to key/value stores. It has a lot more features than Storehaus.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
As the years go by we get more and more applications. Figuring out if one application is using a feature from another application can be hard. If we change something in application A, will something in application B break?
We have been using MediaWiki for documentation, but it's hard to keep the data up-to-date.
I think what we need is some kind of visual map of everything. And the possibility to create some sort of reference integrity? Any ideas?
I'm in the same boat and still trying to sell my peers on Enterprise Architect, a CASE tool. It's a round trip tool - code to diagrams to code is possible. It's a UML centric too - although it also supports other methods of notation that I'm unfamiliar with...
Here are some things to consider when selecting a tool for documenting designs (be they inter-system communication, or just designing the internals of a single app):
Usability of the tool. That is, how easy is it to not only create, but also maintain the data you're interested in.
Familiarity with the notation.
A. The notation, such as UML, must be one your staff understands. If you try using a UML tool with a few people understanding how to use it properly you will get a big ball of confusion as some people document things incorrectly, and someone who understands what the UML says to implement either spots the error, or goes ahead and implements the erroneously documented item. Conversely more sophisticated notations used by the adept will confound the uninitiated.
B. Documentation isn't/shouldn't be created only for the documenters exclusive use. So those who will be reading the documentation must understand what they're reading. So getting a tool with flexible output options is always a good choice.
Cost. There are far more advanced tools than Enterprise Architect. My reasoning for using this one tool is that due to lack of UML familiarity and high pressure schedules, leaves little room to educate myself or my peers beyond using basic structure diagrams. This tool easily facilitates such a use and is more stable than say StarUML. (I tried both, StarUML died on the reverse engineering of masses of code -- millions of lines) For small projects I found StarUML adequate for home use, up until I got vista installed. Being opensource, it's also free.
With all that said, you will always have to document what uses what, that means maintaining the documentation! That task is one few companies see the value in despite its obvious value to those who get to do it. . .