STQC Testing of DHIS

Hi Bob, Lars,

I can't see any CVE in launchpad. Has someone removed it?? Or has no one reported any till now??

If none have been reported till date, then I suggest we organize a Security-a-thon quickly and then probably a Test-a-thon to improve our test coverage. I think new features should wait for a while, until we get the house in order…

cc’ing this to the dev list so that all interested in a 2-3 day security-a-thon should let their thoughts be known…


Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India

Health Information Systems Programme

My Tech Blog: http://sunnytalkstech.blogspot.com
You Live by CHOICE, Not by CHANCE

2009/10/2 Bob Jolliffe bobjolliffe@gmail.com

Thanks Lars - I eventually figured that out as well.

Regarding security I think we can say the following:

DHIS2 is a free software project and all the source code is subject to peer review by the global Hisp team of developers, implementors and partners. As with other large software projects, security vulnerabilities, including those from the OWASP Top Ten, are occasionally reported. All known security flaws are reported as bugs on https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly and transparently.

(if anybody has time to sift through and pick up on any security related bugs which have been fixed as examples it would reinforce the point).

I am not sure if there is any point going through the 10 categories now and pointing out where DHIS might be lacking. It is an exercise of conjecture. If you can rather focus on the processes by which vulnerabilities are reported and addressed, I think it is more valid. The main vulnerabilities you are accountable for are the ones which are reported.

In addition HISP India operates within the constraints of a high level security policy.

There’s quite a bit of stuff I did with Satvik around process. I’ll look back - in particular there were some notes about secure installation guidelines which might be useful. Addresses some of the issues around secure storage, insecure configuration etc. Will try and drag it up.

Then I must go and cast my vote regarding the Lisbon Treaty for Europe. I’m thinking I will vote against it …

Regards
Bob

2009/10/2 Lars Helge Øverland larshelge@gmail.com

On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi, I am a bit confused what is happening here between Saptarshi’s mail and yours. As Lars says I am sure the HISP India team is available to address most things. In fact much of the functionality is specific to India anyway so it is only you who can describe it.

Regarding the “top 10 vulnerabilities listed on OWASP” : where are they? Saptarshi is it worth looking at them now at this late stage? Obviously if there are vulnerabilities we may not address them today but we can have an audit process to see that they are addressed. Whatever happened to Satvik … Anyway please send me a reference to them and I’ll see if there is anything to be done.

Regards
Bob

I guess they are at the bottom here:

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Hi Saptarshi and all

I see launchpad supports CVE framework but I haven’t yet figured out how to link bugs to particular CVE. Anyway mostly these will refer to security vulnerabilities in the many libraries which we use.

It seems we have not set up any way of tagging security related bugs at all. As an interim I have created a “security” tag which we should use when there are reported bugs with security implications. When we report a bug we might adopt the convention that at the bottom of each and every bug report we add a section:

Security Implications: None.

Where these implications are not “None” we also tag the bug with the security flag.

I am sure that many of our existing bugs should be tagged thus. There are 181 reported bugs currently (obviously many fixed). Maybe we should divide up the bug space and run through a set each - adding the Security Implications in each case.

Would be great if we could create a template for bug reports. Has anyone any idea how this might be done?

I am not sure if I can really stop what I am doing completely - I’m already battling with targets. But I’m happy to help out.

We also need to appoint a security czar to coordinate and monitor and crack the whip when necessary. Any volunteers/nominations? I’m thinking you are emerging as the party with the most immediate interest.

Also it’s worth noting that besides getting more serious about security within the DHIS2 code base (which I fully support) I think the most serious vulnerabilities have resulted more from poor implementation practice, the lack of secure deployment guidelines and the lack of security policy guidelines for implementing agencies.

Regards
Bob


Hi Bob,

There is a way to file security related bugs in launchpad by default, by checking:
The maintainer of DHIS, DHIS 2 coordinators, will be notified.

These will be part of the CVE reports in launchpad… With that being there in launchpad, I asked the question why no one has check marked that… or were those deleted??

Which brings me back to the question… Do we want to organize a few focused days filing and fixing the security related bugs (secure-a-thon) and unit tests (test-a-thon) to beat these security-related issues??


The maintainer of DHIS, DHIS 2 coordinators, will be notified.

These will be part of the CVE reports in launchpad… With that being there in launchpad, I asked the question why no one has check marked that… or were those deleted??

Which brings me back to the question… Do we want to organize a few focused days filing and fixing the security related bugs (secure-a-thon) and unit tests (test-a-thon) to beat these security-related issues??

Hi Saptarshi,

this is a good initiative and if you could take the lead on this it would be great. I will add you to the dhis2 coordinators group so that you will get the notifications. I will be working myself with lectures and the community/patient system this week, but again, you will obviously be focussing much on the Indian functionality so it’s better that the Indian team carry this out. If you find bugs related to the core I will be happy to help out with fixing them.

Lars

Hi Saptarshi

Hi Bob,

There is way to file security related bugs in launchpad by default, by checking:
The maintainer of DHIS, DHIS 2 coordinators, will be notified.

Yes you are right. No need for the extra tag.

These will be part of the CVE reports in launchpad… With that being there in launchpad, I asked the question why no one has check marked that… or were those deleted??

I don’t think any have been deleted. Hard to be sure without exporting the bug database somehow. But when searching for all bugs associated with a cve we draw a blank. Which seems to suggest that nobody has reported any security related bugs - or at least checked the box.

I thought you had reported something regarding client side/server side validation but I can’t find it. Maybe it was just on mail :(

Which brings me back to the question… Do we want to organize a few focused days filing and fixing the security related bugs (secure-a-thon) and unit tests (test-a-thon) to beat these security-related issues??

I think it’s a good idea but we need some security related issues to fix. Do you want to report some to get the ball rolling?

Regards
Bob
