Securing DHIS2: people, process, and policy today at 15:00 (CEST)


The DHIS2 security team will present an update about security practices implemented by the core team, will introduce the new DHIS2 vulnerability management and disclosure policy, and will discuss the roadmap for increased security and privacy support of DHIS2 implementations including software features, best practice guidelines, and automated security tools.

You can post your questions ahead of, during, or after the session. Our speakers will check this thread for questions, and select some for responding to in the session, or follow up after the session has ended. Feel free to respond to other questions or add to them if you have something to follow up with.

The recording of the session can be found here:

Questions during the session (from the zoom chat):

From Piet Jaspers:
The patch releases didn’t bump the version number, was that intentional?

From @bobj:
Piet: I think there might have been a mistake in bumping the version number :frowning:

From Grant Chapman-Clarke:
Have you looked at creating best practice security training for DHIS2 implementers?
And have you also had a look at using PenTesters for the core DHIS2 software to look for vulnerabilities?

From @bobj:
@Grant.ChapmanClarke Grant: yes we hope to work towards a security management academy

We get a lot of pentests. Some we have commissioned ourselves; some have come in from third parties.

From @plinnegan:
How many versions back do you check and provide patches for when a vulnerability is detected? Just wondering, if the vulnerability was present in 2.32, would you provide a patch for that as well? (Even though it’s out of active support.)

From @phil:
@plinnegan It would depend upon things like the nature of the vulnerability and the prevalence of those unsupported version(s) in the field. We do have a mechanism to update unsupported versions in such cases.

From @bobj:
Peter: vulnerability patches are often made to quite old versions. But sometimes it can be too much of an effort due to major changes in the software. So we do when we can, but we can only guarantee the past 3 versions.

From Claudia Ortiz:
Do you recommend a full time position for security manager ?

From @Grant.ChapmanClarke:
General best practice is to have someone in charge of security, whether it’s a separate person who is hired or whether someone is given that profile as part of their job.

From Doniam Biague:
Is there a way to know what has been done on the DHIS2 system and who has done it (audit trail)?

From @vikwato:
Been struggling with creating a user manager role. Any guidance?

From @bobj:
so many good questions. Quite hard to answer coherently here in the chat. I’ll try and take a few at the end. Otherwise please do post on the COP to follow up there.