A Security Assessment of DHIS2 using OWASP’s Application Security Verification Standard

This is a short summary of the research work that I carried out as part of my Master’s degree program at the University of Oslo. I look forward to any comments or questions from the DHIS2 community.

The subject of my research was the security assessment of DHIS2 using OWASP’s Application Security Verification Standard (ASVS), a requirements checklist for application security. To be more precise, my research had two goals. The first was to see how DHIS2’s security solutions compare against ASVS. The second was to document the process and reflect on the experience. Also, a systematic audit of DHIS2 had not been done before. This was an opportunity to contribute to the DHIS2 project in a new and interesting way.

Several people who work within HISP participated in the study, all with different roles and areas of expertise within the company. In individual sessions, each participant would select the ASVS controls that apply to DHIS2 and then score them as either pass or fail. The result is a combined list that shows DHIS2’s coverage against ASVS. The full details of this assessment will be made public with the publication of my thesis. It is important to stress that the findings reflect DHIS2 as it was in late 2019. The assessment uncovered areas of improvement, but many of these issues have since been addressed, with more improvements on the way.

The other half of the project was the process. This is a master’s thesis project, and that comes with limitations as to what you can accomplish and how much attention you are given. My experiences are likely to differ from others. The assessment sessions did not take much time, but the assessment is also inconclusive to a degree. Many controls were skipped due to a lack of participants, and on many occasions, the participants gave conflicting answers. To do a «good» and thorough assessment, a larger commitment is required on behalf of the organization and its employees. In particular, it is important to consult with multiple people, or simply people with relevant expertise. Where one individual lacks particular expertise or knowledge, another can fill that void, or provide a point of view that others had not possibly considered, be it the opinion of a developer or that of someone who works with implementation. Giving recommendations to anyone doing a similar task is difficult. A lot depends on the organization, the people. My process is one among many. Group sessions would be ideal, but that might be difficult to accomplish due to people’s schedules, and possibly troublesome if the discussions on each control take too long.

A question that persisted throughout the entire process was whether the exercise was useful to the participants. Ideally, the exercise should raise awareness of the issues. Areas of improvement were uncovered, yes, many of them important, but did that carry over when the sessions ended? The assessment uncovered processes that were not in place, but it also showed me a team that has a good overview of what the existing issues are and which of them need to be addressed. When faced with the decision between addressing a potential security feature that none had raised concern about until now, or implementing a much-requested feature by the community, I would imagine a developer would choose the latter. To expect a single developer — who is not a security expert — to be the main driver for security is perhaps unrealistic. In my view, to ensure that all the benefits of an assessment are realized, the project has to come from the top, and there must be pressure from the management to see it done and followed up on. The assessment is just one step of many towards building secure applications.

These subjects and others are explored in full in my thesis.

Glad to see this kind of work in the DHIS2 development community.
When will you publish some intermediate results or link to issues (at least the resolved ones)?

The thesis will be published in a month or two - I will link it here then.

The data that I have is not linked to specific issues that I can link to on this board. It’s a list of approx. 300 security requirements in which DHIS2 either passes or fails. I could publish that data, but I’d need to consider how to present it.
