Author Topic: Cyber Security - Macro Signing  (Read 8617 times)

Sunshine

Cyber Security - Macro Signing
« on: August 11, 2021, 08:06:00 am »
With the recent cyber security attacks, our good security folk are about to enforce a policy that ensures no macros can run unless signed. We use a mix of VBScript, JScript and JavaScript macros in Sparx EA and I was wondering if anyone has any experiences to share in this space. Microsoft provides instructions on signing macros in MS Office, but I'm not sure how this new policy will affect macros in Sparx EA. I imagine the VBScript and JScript are likely to stop working; not sure about the Mozilla SpiderMonkey 63 engine. Did a quick search about signing macros in Sparx EA but nothing useful came out of the results. Sent in a support request to Sparx Systems just now but thought I'd reach out and see if anyone has anything to share on the topic.
« Last Edit: August 11, 2021, 08:13:21 am by Sunshine »
Happy to help
:)

Sunshine

Re: Cyber Security - Macro Signing
« Reply #1 on: August 18, 2021, 07:30:39 am »
Well, after a week I've had no response from the community, and uncharacteristically Sparx Systems "Priority Support" has been quiet too. Guess we are going to be bushwhacking on the topic.
Happy to help
:)

Eve

  • EA Administrator
Re: Cyber Security - Macro Signing
« Reply #2 on: August 19, 2021, 01:45:07 pm »
There's nothing in EA to sign any scripts or test any signatures on scripts.

I can't speak to anything built-in to any of the scripting engines.

qwerty

Re: Cyber Security - Macro Signing
« Reply #3 on: August 19, 2021, 05:47:59 pm »
I thought that Geert would hop on, but he'd been on holiday, like everyone it seems. I'd guess that you can modify his add-on for script execution to include some SHA checking or the like. That however would not prevent users from performing scripts the "normal EA way", so you would need some security setting - which in turn is no security, to be honest.

q.
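
The "SHA checking" idea from the post above, written out as an added example (not part of any post in this thread, and not code from Geert's add-on or from Sparx): a launcher checks a script's SHA-256 digest against an allowlist that is itself signed, so editing the list is detectable. It assumes a wrapper that sees the script text before running it, and, as the post notes, covers only scripts started through that wrapper; every name and sample script below is hypothetical.

```javascript
// Added example: gate script execution on a signed allowlist of SHA-256 digests.
// All names (scriptDigest, buildManifest, isApproved, sample scripts) are hypothetical.
const nodeCrypto = require('crypto');

// Digest of the script text. Line endings are normalised so a CRLF/LF
// round-trip through a repository does not change the hash (an assumption).
function scriptDigest(source) {
  const normalised = source.replace(/\r\n/g, '\n');
  return nodeCrypto.createHash('sha256').update(normalised, 'utf8').digest('hex');
}

// Approver side: record name -> digest and sign the JSON payload with Ed25519.
function buildManifest(scripts, privateKey) {
  const entries = {};
  for (const name of Object.keys(scripts).sort()) entries[name] = scriptDigest(scripts[name]);
  const payload = JSON.stringify(entries);
  const signature = nodeCrypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Launcher side: verify the manifest signature first, then the script digest.
function isApproved(name, source, manifest, publicKey) {
  const sigOk = nodeCrypto.verify(null, Buffer.from(manifest.payload), publicKey,
                                  Buffer.from(manifest.signature, 'base64'));
  if (!sigOk) return { approved: false, reason: 'manifest signature invalid' };
  const entries = JSON.parse(manifest.payload);
  if (!Object.prototype.hasOwnProperty.call(entries, name))
    return { approved: false, reason: 'script not in allowlist' };
  const expected = Buffer.from(entries[name], 'hex');
  const actual = Buffer.from(scriptDigest(source), 'hex');
  if (!nodeCrypto.timingSafeEqual(expected, actual))
    return { approved: false, reason: 'digest mismatch' };
  return { approved: true, reason: 'ok' };
}

// Constructed sample data: a throwaway key pair and two made-up scripts.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const approvedScripts = {
  'ExportDiagram.js': 'function main() {\r\n  return "export";\r\n}\r\n',
  'RenameElements.js': 'function main() {\n  return "rename";\n}\n',
};
const manifest = buildManifest(approvedScripts, privateKey);
```

In a real deployment the private key stays with whoever approves scripts and only the public key ships with the launcher.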

Geert Bellekens

Re: Cyber Security - Macro Signing
« Reply #4 on: August 19, 2021, 06:17:55 pm »
I got back from holiday this week.

But as Eve indicated, there's nothing you can do for Sparx scripts.
But I'm not sure whether the new security measures will have any effect on the execution of the scripts within EA.

You might want to send in a feature request to Sparx to allow for such signing. I can see the use in only allowing "approved" scripts to run, seeing how easy it is to wreak havoc if you combine the power of scripts with an inexperienced user.

Geert

qwerty

Re: Cyber Security - Macro Signing
« Reply #5 on: August 19, 2021, 06:45:02 pm »
I think for the DAU (dumbest assumable user) the EA security is sufficient (as I called it: accidental deletion prevention). For anyone ill-minded, EA is open like a book. Just get TOAD or any other freeware and your model goes ablast faster than you can say boom.

q.