Application Security testing for DHIS 2

Hi Team,

We are now beginning to look at application security of DHIS 2. We want to understand if there is already any security testing in place for DHIS and any guidelines around it. This will be helpful in security testing the features which we have already contributed and the ones which we are planning to.

It would be helpful if you get us started around this.

Thanks

Aamer.

Hi Team,

Any insights for the below request would be helpful to get us started around this.

Thanks

···

On Fri, Jul 29, 2016 at 5:37 PM, Aamer Mohammed aamerm@thoughtworks.com wrote:


Hi dhis devs,

We are looking at testing the application in areas which focus on the “CIA triad” (Confidentiality, Integrity, Availability) of DHIS users and resources. Just wanted to check with the DHIS devs whether any kind of methodologies are already in place for testing the code for the vulnerabilities below.

  1. Cross-site scripting attacks
  2. Broken authentication attacks
  3. Injection flaws
  4. Malicious code

Thanks

Aamer.

···

On Fri, Jul 29, 2016 at 5:37 PM, Aamer Mohammed aamerm@thoughtworks.com wrote:


Aamer:

As part of the DATIM work, BAO is performing IBM AppScan vulnerability assessment and confirmation. The results of these assessments will be passed on to the development team for remediation. Due to the sensitive nature of security vulnerabilities, we will follow standard, responsible best practices regarding public disclosure. If critical, non-credentialed, remote vulnerabilities are discovered we will attempt to provide workarounds until the devs can publish a remediated DHIS2 version.

This scanning will only involve DHIS2 core and apps that DATIM uses. We are currently scanning v2.21 but will be jumping to 2.23 very soon. This will be an ongoing, regular process. If you have any questions feel free to contact me any time.

Gregory Wilson, CSSLP

BAO Systems, Inc.

gwilson@baosystems.com

···

On Tue, Aug 23, 2016 at 5:31 AM, Aamer Mohammed aamerm@thoughtworks.com wrote:



Mailing list: https://launchpad.net/~dhis2-devs
Post to: dhis2-devs@lists.launchpad.net
Unsubscribe: https://launchpad.net/~dhis2-devs
More help: https://help.launchpad.net/ListHelp


Greg Wilson
BAO Systems

Hi Greg

Thanks for the response.

I reckon when you say the development team you mean the DHIS2 development team. Would it be possible to have a look at the kind of issues reported?

It would also be valuable to understand from the dhis devs how the aspects of security are treated first hand during the course of development.

Regards

Vanya

···

On Tue, Aug 23, 2016 at 7:03 PM, Greg Wilson gwilson@baosystems.com wrote:



With Regards
ThoughtWorks Technologies

Hyderabad

–Stay Hungry Stay Foolish!!

Vanya:

Yes, I meant the DHIS2 development team.

The only significant new issues that the scanning found relate to XSS, CSRF, and configuration disclosure. None of these can be triggered without prior authentication to the system, so the footprint is limited. Also, even the XSS/CSRF results are not exploitable due to how the server returns data. Automated scanners produce quite a lot of noise, but we want to have all the bases covered.

Greg

···

On Fri, Aug 26, 2016 at 12:57 AM, Vanya Seth vanyas@thoughtworks.com wrote:


