CERTIFICATION PROCEDURE/ minutes of the meeting with resource persons from Department of IT, Min of IT.

Going through the discussion we have been having on the list and outside, the Ministry of IT in India’s STQC requires an SRS to be given…

I am sure someone in the initial days of DHIS2 development must have made an SRS somewhere… Can everyone look through their archives and pass on any SRS docs for DHIS2? We can update that document and go ahead with the testing ASAP.


Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog: http://sunnytalkstech.blogspot.com

You Live by CHOICE, Not by CHANCE

2009/7/1 Sundeep Sahay sundeep.sahay@yahoo.com

I am going through the process in India right now.

— On Tue, 6/30/09, Johan Saebo saeboj@who.int wrote:

From: Johan Saebo saeboj@who.int
Subject: Fwd: CERTIFICATION PROCEDURE/ minutes of the meeting with resource persons from Department of IT, Min of IT.

To: “Saptarshi Purkayastha” sunbiz@gmail.com
Cc: “Sundeep Sahay” sundeep.sahay@yahoo.com, “Jørn Braa” jornbraa@gmail.com, “Ola Hodne Titlestad” olati@student.matnat.uio.no, “Lars Helge Øverland” larshelge@gmail.com, “Vincent Shaw” vpshaw@gmail.com, “Angela Self” aself@intrahealth.org, “Luke Duncan” lduncan@intrahealth.org, “Shannon TurlingtonIH” shannon.turlington@gmail.com, “John” johnlewis.hisp@gmail.com, jyotsnahisp@gmail.com, “bharath” chbharathk@gmail.com, “Knut Staring” knutst@ifi.uio.no

Date: Tuesday, June 30, 2009, 10:04 AM

Hi all,

Just got this mail from Ola. I have previously been in touch with Jyotsna regarding testing and certifying DHIS, as HMN is looking to increase the quality of the tools we are using (including DHIS2). She had in mind this government department, and HMN would be willing to invest in such an audit, if it is done on a general SW release that will be available for other countries. However, where can I find information about the competency of this unit? What other SW have they audited? I understand the price would be determined from a questionnaire, but would someone have an estimate?

Regards,
Johan

Ola Hodne Titlestad |Technical Officer|
Health Metrics Network (HMN) | World Health Organization
Avenue Appia 20 |1211 Geneva 27, Switzerland | Email: titlestado@who.int|Tel: +41 788216897

Website: www.healthmetricsnetwork.org

Better Information. Better Decisions. Better Health.

---------- Forwarded message ----------
From: Bob Jolliffe <bobjolliffe@gmail.com>

Date: 2009/6/23
Subject: Re: CERTIFICATION PROCEDURE/ minutes of the meeting with resource persons from Department of IT, Min of IT.
To: Saptarshi Purkayastha <sunbiz@gmail.com>

Cc: Sundeep Sahay <sundeep.sahay@yahoo.com>, Jørn Braa <jornbraa@gmail.com>, Ola Hodne Titlestad <olati@student.matnat.uio.no>, Lars Helge Øverland <larshelge@gmail.com>, Vincent Shaw <vpshaw@gmail.com>, Angela Self <aself@intrahealth.org>, Luke Duncan <lduncan@intrahealth.org>, Shannon TurlingtonIH <shannon.turlington@gmail.com>, John <johnlewis.hisp@gmail.com>, jyotsnahisp@gmail.com, bharath <chbharathk@gmail.com>, Knut Staring <knutst@ifi.uio.no>

Hi Saptarshi

Agreed that we would probably not “pass” a security audit and that a constructive report would be useful. Though I hope you are confident that this would be the outcome. It sounds a bit odd that we are telling them that we are aware of a number of security flaws in xwork and that we would like them to point these out to us. We really want them to point out what we don’t know. I would suggest we do request a security audit report, but that we don’t try to lead them on it.

My guess is these guys will look at all the library dependencies and cite the appropriate security advisories where they exist. Of course we could also do this, but I agree it’s useful to get a detached perspective. I’ve attached the latest list of library dependencies for what it is worth, but I guess the only list which is relevant is the particular snapshot which is being tested. It might be worthwhile noting that Lars suggested aiming at v2.0.2, which will involve some significant refactoring and migrating from some of the more obsolete libraries - including, crucially, the whole webwork/xwork 1.x framework. Are we going to wait for that, or is the idea to get in quickly with what we have? There are some merits to both approaches.

There is also the attached HISP India security policy statement which I guess is more about the organisation than the software, but perhaps it provides good context. Presumably HISP India is not getting certified …

What are the user acceptance test sheets? They sound useful.

Regards
Bob

2009/6/23 Saptarshi Purkayastha <sunbiz@gmail.com>:

Hi Sundeep,

The idea of getting a formal certificate from the Ministry of IT is an excellent one and it can help stabilize our work greatly. I believe there are many places where we will fail a security audit, but security audits are for iterations to improve security and the process will surely help.
Please find the attached Technical Architecture which I’ve copied from our launchpad repository.
Along with the request for certification, I believe we should concentrate on them pointing out the following:
1.) A report on different Form Validation problems
2.) XSS, XHR, and SQL Injection vulnerabilities accessible through xwork.
3.) Usability issues and a report on how these can be improved.

We can also share the user acceptance test sheet, which lists use cases for most modules and the expected results of actions when the testing begins. This will help them speed up things and may be a gesture of interest from our side.

Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog: http://sunnytalkstech.blogspot.com
You Live by CHOICE, Not by CHANCE

2009/6/18 Knut Staring <knutst@ifi.uio.no>

Hello Sundeep,
Happy to see this moving forward. There is technical documentation
available here:
http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/files/head:/docs/

Best,
Knut

On Thu, Jun 18, 2009 at 10:27 AM, Sundeep Sahay <sundeep.sahay@yahoo.com> wrote:

I had discussed today with a group in the Ministry of IT (SQTC) about
testing and certification of DHIS 2. There are two kinds of tests:

  1. Software testing for usability, performance and reliability
  2. Software audit certification (CEERT)

For 1, which may be a little longer process, we need to provide the
following:

A formal request letter
Software specification and User Manual (i.e. Documentation of the Software)
State wise customization (optional)
clearly mentioning what services we want from the said office.

I can do the letter, and we have the user manual. But we need a detailed technical specification document for DHIS2. Lars, Knut, Ola - from where can I get the latest version of this? Please can you send it to me.

For software audit certification - we have to give them the URL, then they will send us a questionnaire, which we have to fill in and send back, then they come back with a cost and time estimate. This certification is based on NIC criteria, and I am in the process of talking to them to find out more details.

Any advice on the above on how to proceed with this will be welcome.

Sundeep


Cheers,
Knut Staring