Cybersecurity
In preparation for the EU Cyber Resilience Act, we performed a proactive vulnerability assessment for SeqSphere+ version 10.5 (several issues were fixed; all of them were non-critical) and will continue to do such assessments for future versions. Systematic threat modeling and white-box penetration tests will follow within the next 1-2 years. Critical updates will be communicated to all registered users via email, on our home page, and within the software. Besides the required ports (see below), the following topics might be of interest with respect to cybersecurity:
- A password policy for user accounts can be defined by the admin (by default no policy is set).
- Access logging, which records user logins as well as sample retrieval, storage, and deletion, can be enabled (it is disabled by default).
- The sample audit trail logs each modification of a sample together with the user login name and a timestamp. The audit trail is always enabled. It is lost when the sample is deleted.
- The default database schemes do not contain database fields that might be critical for patient anonymity. By default, all users who can edit project samples can add such fields. However, user roles can be used to prevent users from creating new fields (e.g., for patient data).
Ports and Services
The communication between SeqSphere+ Client and SeqSphere+ Server runs on port 8064 (the port can be changed).
The server and client communicate via HTTPS using a self-signed certificate that is created when the server is started for the first time (signature algorithm SHA-256 with RSA encryption, 2048-bit key).
For some optional functions the SeqSphere+ Client needs an Internet connection. Connections are made to the following hosts:
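Because the server certificate is self-signed, a client cannot validate it against a CA; an administrator therefore wants to inspect it once and pin its fingerprint. The POSIX shell functions below are an added example (not part of the SeqSphere+ software) that use the openssl command-line tool to fetch the certificate from a server, check it against the parameters documented above (sha256WithRSAEncryption, 2048-bit RSA key), and compare its SHA-256 fingerprint with a value recorded on first contact. The hostname, the default port 8064 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of SeqSphere+. Requires the openssl command-line tool.
# Assumptions: the server listens on 8064 (the documented default) and the
# administrator keeps the pinned fingerprint in a file of their choosing.

# Fetch the certificate presented on host:port and save it as PEM to $3.
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-8064}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 only if the certificate matches the documented parameters:
# signature algorithm sha256WithRSAEncryption and a 2048-bit RSA key.
cert_matches_policy() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
}

# Trust-on-first-use pinning: record the fingerprint on first contact; afterwards
# return 0 only if it is unchanged. A changed fingerprint means either a newly
# created server certificate or an interposed endpoint and should be checked
# with the server administrator before the client continues.
verify_pinned() {
    fp=$(cert_fingerprint "$1") || return 1
    if [ ! -f "$2" ]; then
        printf '%s\n' "$fp" > "$2"
        return 0
    fi
    [ "$fp" = "$(cat "$2")" ]
}

# Typical use (network access to the server required):
#   fetch_server_cert seqsphere.example.org 8064 server.pem
#   cert_matches_policy server.pem && verify_pinned server.pem server.pin
```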
Upload
| Function | Host | Protocol, Port |
|---|---|---|
| Upload/download for SeqSphere+ license activation (alternatively, activation by email is possible) | act.ridom.de | https, 443 |
| Upload of alleles and optional metadata for cgMLST.org submissions and download of task templates | nomenclature.seqsphere.de | https, 443 |
| Upload of spa-types and optional metadata for S. aureus spa-typing and download of spa-types | spa.ridom.de | https, 443 |
| Upload of contigs for SARS-CoV-2 PANGO lineage typing (the server does not store any result or sequence data) | tools.ridom.de | https, 443 |
| Upload of metadata for EBI ENA submission | www.ebi.ac.uk | https, 443 |
| Upload of read data for EBI ENA submission (via FTP or Aspera) | webin.ebi.ac.uk | ftp, 21 or TCP/UDP, 33001 |
Download
| Function | Host(s) | Protocol, Port |
|---|---|---|
| Download of SeqSphere+ software updates, index files for NCBI Genome Browser, and PubMLST.org MLST schemes | www.ridom.de | https, 443 |
| Download of genomes from NCBI Genome | www.ncbi.nlm.nih.gov | https, 443 |
| Download of read data from NCBI SRA | trace.ncbi.nlm.nih.gov, sra-pub-run-odp.s3.amazonaws.com | https, 443 |
| Download of MLST schemes from PubMLST.org | pubmlst.org, rest.pubmlst.org | https, 443 |
| Geocoding with GeoNames | www.geonames.org | http, 80 |
Additional Download required only for Linux
| Function | Host(s) | Protocol, Port |
|---|---|---|
| Download of MOB-Suite database on Linux | zenodo.org | https, 443 |
The SeqSphere+ Server does not require any Internet connection.
Submission to cgMLST.org
The cgMLST.org Nomenclature Server (www.cgMLST.org) provides a global nomenclature for stable public cgMLST schemes, i.e., for Task Templates that were downloaded from the Task Template Sphere. Samples that use those downloaded Task Templates can be submitted to cgMLST.org.
If no submission of any data is wanted or allowed, then only local Task Templates must be used. Samples that use only local Task Templates will not and cannot be submitted to cgMLST.org. Local Task Templates can be defined using the cgMLST Target Definer, or by converting public Task Templates into local ones.
Remote Access
Installing SeqSphere+ does not give Ridom any remote access to the user's local computer or SeqSphere+ database.
Remote access for training and support is usually done with Microsoft Teams.