We are now beginning to look at the application security of DHIS 2. We want to understand if there is already any security testing in place for DHIS and any guidelines around it. This will be helpful in security testing the features which we have already contributed and the ones which we are planning to contribute.
It would be helpful if you could get us started on this.
We are looking at testing the application in areas which focus on the “CIA triad” (Confidentiality, Integrity, Availability) of DHIS users and resources. We just wanted to check with the DHIS devs whether any kind of methodologies are already in place for testing the code for the vulnerabilities below.
As part of the DATIM work, BAO is performing IBM AppScan vulnerability assessment and confirmation. The results of these assessments will be passed on to the development team for remediation. Due to the sensitive nature of security vulnerabilities, we will follow standard, responsible best practices regarding public disclosure. If critical, non-credentialed, remote vulnerabilities are discovered, we will attempt to provide workarounds until the devs can publish a remediated DHIS2 version.
This scanning will only involve DHIS2 core and apps that DATIM uses. We are currently scanning v2.21 but will be jumping to 2.23 very soon. This will be an ongoing, regular process. If you have any questions feel free to contact me any time.
The only significant new issues that the scanning found relate to XSS, CSRF, and configuration disclosure. None of these can be triggered without prior authentication to the system, so the footprint is limited. Also, even the XSS/CSRF results are not exploitable due to how the server returns data. Automated scanners produce quite a lot of noise, but we want to have all the bases covered.
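The distinction drawn in the last reply, that a scanner's reflected-XSS hit is only exploitable when the reflection lands in something the browser renders as HTML, is the main thing to check when confirming AppScan results by hand. The triage helper below is an added example written for this page; it is not code from the thread, from BAO, or from the DHIS2 project. It classifies a finding from the response's Content-Type, the presence of X-Content-Type-Options: nosniff, and whether the injected marker comes back raw, HTML-escaped or JSON-escaped. The sample responses, the endpoint names and the error messages in them are constructed for the example and are not real DHIS2 output.

```python
"""Triage of automated-scanner reflected-XSS findings against a JSON-heavy web app.

Added example, not DHIS2 project code. All sample responses below are constructed.
"""
import html
from dataclasses import dataclass, field

# Marker a scanner injects into a parameter and then searches for in the response.
MARKER = '"><svg/onload=alert(1)>'

# Media types a browser interprets as markup.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # Header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def media_type(resp):
    """Bare media type of the response, without parameters such as charset."""
    return resp.header("Content-Type").split(";")[0].strip().lower()


def reflection_kind(body, marker=MARKER):
    """Classify how the marker comes back: json_escaped, html_escaped, raw or absent.

    Order matters: a JSON-escaped copy (\\" for ") still contains the raw marker
    as a substring, so it must be tested before the raw check.
    """
    if marker.replace('"', '\\"') in body:
        return "json_escaped"
    if html.escape(marker, quote=True) in body:
        return "html_escaped"
    if marker in body:
        return "raw"
    return "absent"


def triage_xss(resp, marker=MARKER):
    """Return (verdict, reason) for one scanner finding.

    Only a raw reflection in a document the browser renders as HTML is a
    reflected XSS. A reflection inside application/json (or another non-HTML
    type) is returned as data, not markup; X-Content-Type-Options: nosniff
    closes the remaining content-sniffing edge case.
    """
    kind = reflection_kind(resp.body, marker)
    if kind == "absent":
        return "not_reflected", "marker does not appear in the response body"
    mt = media_type(resp)
    nosniff = resp.header("X-Content-Type-Options").strip().lower() == "nosniff"
    if mt in HTML_TYPES:
        if kind == "raw":
            return "exploitable", f"raw reflection in {mt}"
        return "false_positive", f"reflection is {kind} in {mt}, not interpreted as markup"
    if mt == "":
        return "manual_review", "no Content-Type header; a browser may sniff the body as HTML"
    reason = f"reflected inside {mt}, which the browser does not render as HTML"
    if not nosniff:
        reason += "; add X-Content-Type-Options: nosniff to rule out sniffing"
    return "false_positive", reason


def summarize(findings):
    """Collapse (name, response) pairs into a count per verdict."""
    counts = {}
    for _name, resp in findings:
        verdict, _ = triage_xss(resp)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed scanner findings; endpoint names and messages are hypothetical.
SAMPLE_FINDINGS = [
    # JSON API echoing a bad filter value: the typical scanner false positive.
    ("api_json", Response(409, {"Content-Type": "application/json;charset=UTF-8",
                                "X-Content-Type-Options": "nosniff"},
                          '{"httpStatus":"Conflict","message":"Bad filter: \\"><svg/onload=alert(1)>"}')),
    # Server-rendered error page that HTML-escapes the value.
    ("html_escaped", Response(400, {"Content-Type": "text/html"},
                              "<p>Unknown parameter: " + html.escape(MARKER, quote=True) + "</p>")),
    # Legacy page echoing the parameter unescaped into an attribute: the one real finding.
    ("html_raw", Response(200, {"Content-Type": "text/html;charset=UTF-8"},
                          '<input value="' + MARKER + '">')),
    # JSON-looking body served with no Content-Type at all: needs a human look.
    ("no_ct", Response(200, {}, '{"q":"' + MARKER + '"}')),
]

if __name__ == "__main__":
    for name, resp in SAMPLE_FINDINGS:
        verdict, reason = triage_xss(resp)
        print(f"{name:13s} {verdict:15s} {reason}")
    print(summarize(SAMPLE_FINDINGS))
```

Feeding the scanner's exported findings through `triage_xss` turns a long list of reflections into the few that land in an HTML-typed response unescaped; everything classified `manual_review` (missing or unexpected Content-Type) still has to be opened in a browser with the real payload before it is closed.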