dhis2-devs team mailing list archive

Re: Fwd: CERTIFICATION PROCEDURE/ minutes of the meeting with resource persons from Department of IT, Min of IT.

 

Going through the discussion we have been having on the list and outside,
the Ministry of IT in India's STQC requires an SRS to be given...

I am sure someone in the initial days of DHIS2 development must have made an
SRS somewhere... Can everyone look through their archives and pass any SRS
docs for DHIS2. We can update that document and go ahead with the testing
asap.

---
Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog:  http://sunnytalkstech.blogspot.com
You Live by CHOICE, Not by CHANCE


2009/7/1 Sundeep Sahay <sundeep.sahay@xxxxxxxxx>

>  I am going through the process in India right now.
>
> --- On *Tue, 6/30/09, Johan Saebo <saeboj@xxxxxxx>* wrote:
>
>
> From: Johan Saebo <saeboj@xxxxxxx>
> Subject: Fwd: CERTIFICATION PROCEDURE/ minutes of the meeting with resource
> persons from Department of IT, Min of IT.
> To: "Saptarshi Purkayastha" <sunbiz@xxxxxxxxx>
> Cc: "Sundeep Sahay" <sundeep.sahay@xxxxxxxxx>, "Jørn Braa" <
> jornbraa@xxxxxxxxx>, "Ola Hodne Titlestad" <olati@xxxxxxxxxxxxxxxxxxxxx>,
> "Lars Helge Øverland" <larshelge@xxxxxxxxx>, "Vincent Shaw" <
> vpshaw@xxxxxxxxx>, "Angela Self" <aself@xxxxxxxxxxxxxxx>, "Luke Duncan" <
> lduncan@xxxxxxxxxxxxxxx>, "Shannon TurlingtonIH" <
> shannon.turlington@xxxxxxxxx>, "John" <johnlewis.hisp@xxxxxxxxx>,
> jyotsnahisp@xxxxxxxxx, "bharath" <chbharathk@xxxxxxxxx>, "Knut Staring" <
> knutst@xxxxxxxxxx>
> Date: Tuesday, June 30, 2009, 10:04 AM
>
>
>
> Hi all,
>
> just got this mail from Ola. I have previously been in touch with Jyotsna
> regarding testing and certifying DHIS, as HMN is looking to increase the
> quality of the tools we are using (including DHIS2). She had in mind this
> government department, and HMN would be willing to invest in such an audit,
> if it is done on a general SW release that will be available for other
> countries. However, where can I find information about the competency of
> this unit? What other SW have they audited? I understand the price would be
> determined from a questionnaire, but would someone have an estimate?
>
> Regards,
> Johan
>
>
>
> Ola Hodne Titlestad |Technical Officer|
> Health Metrics Network (HMN) | World Health Organization
> Avenue Appia 20 | 1211 Geneva 27, Switzerland | Email: titlestado@xxxxxxx | Tel: +41 788216897
> Website: www.healthmetricsnetwork.org
>
> Better Information. Better Decisions. Better Health.
>
>
> ---------- Forwarded message ----------
> From: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> Date: 2009/6/23
> Subject: Re: CERTIFICATION PROCEDURE/ minutes of the meeting with resource
> persons from Department of IT, Min of IT.
> To: Saptarshi Purkayastha <sunbiz@xxxxxxxxx>
> Cc: Sundeep Sahay <sundeep.sahay@xxxxxxxxx>,
> Jørn Braa <jornbraa@xxxxxxxxx>,
> Ola Hodne Titlestad <olati@xxxxxxxxxxxxxxxxxxxxx>,
> Lars Helge Øverland <larshelge@xxxxxxxxx>,
> Vincent Shaw <vpshaw@xxxxxxxxx>,
> Angela Self <aself@xxxxxxxxxxxxxxx>,
> Luke Duncan <lduncan@xxxxxxxxxxxxxxx>,
> Shannon TurlingtonIH <shannon.turlington@xxxxxxxxx>,
> John <johnlewis.hisp@xxxxxxxxx>,
> jyotsnahisp@xxxxxxxxx,
> bharath <chbharathk@xxxxxxxxx>,
> Knut Staring <knutst@xxxxxxxxxx>
>
>
> Hi Saptarshi
>
> Agreed that we would probably not "pass" a security audit and that a
> constructive report would be useful.  Though I hope you are confident
> that this would be the outcome.  It sounds a bit odd that we are
> telling them that we are aware of a number of security flaws in xwork
> and that we would like them to point these out to us.  We really want
> them to point out what we don't know.  I would suggest we do request a
> security audit report, but that we don't try to lead them on it.
>
> My guess is these guys will look at all the library dependencies and
> cite the appropriate security advisories where they exist.  Of course
> we could also do this but I agree it's useful to get a detached
> perspective.  I've attached the latest list of library dependencies
> for what it is worth, but I guess the only list which is relevant is
> the particular snapshot which is being tested.  It might be worthwhile
> noting that Lars suggested aiming at v2.0.2 which will involve some
> significant refactoring and migrating from some of the more obsolete
> libraries - including, crucially, the whole webwork/xwork 1.x
> framework.  Are we going to wait for that, or is the idea to get in
> quickly with what we have?  There are some merits to both approaches.
>
> There is also the attached HISP India security policy statement which
> I guess is more about the organisation than the software, but perhaps
> it provides good context.  Presumably HISP India is not getting
> certified ...
>
> What are the user acceptance test sheets?  They sound useful.
>
> Regards
> Bob
>
> 2009/6/23 Saptarshi Purkayastha <sunbiz@xxxxxxxxx>:
> > Hi Sundeep,
> >
> > The idea of getting a formal certificate from the Ministry of IT is an
> > excellent one and it can help stabilize our work greatly. I believe there
> > are many places where we will fail a security audit, but security audits
> > are for iterations to improve security and the process will surely help.
> > Please find the attached Technical Architecture which I've copied from
> > our launchpad repository.
> > Along with the request for certification, I believe we should concentrate
> > on them pointing out the following:
> > 1.) A report on different Form Validation problems
> > 2.) XSS, XHR, and SQL Injection vulnerabilities accessible through xwork.
> > 3.) Usability issues and a report on how these can be improved.
> > We can also share the user acceptance test sheet, which lists use-case
> > for most modules and expected result on actions when the testing begins. This
> > will help them speed up things and may be a gesture of interest from our
> > side.
> > ---
> > Regards,
> > Saptarshi PURKAYASTHA
> > Director R & D, HISP India
> > Health Information Systems Programme
> >
> > My Tech Blog:  http://sunnytalkstech.blogspot.com
> > You Live by CHOICE, Not by CHANCE
> >
> >
> > 2009/6/18 Knut Staring <knutst@xxxxxxxxxx>
> >>
> >> Hello Sundeep,
> >> Happy to see this moving forward. There is technical documentation
> >> available here:
> >>
> >> http://bazaar.launchpad.net/~dhis2-devs-core/dhis2/trunk/files/head:/docs/
> >> Best,
> >> Knut
> >>
> >> On Thu, Jun 18, 2009 at 10:27 AM, Sundeep Sahay <sundeep.sahay@xxxxxxxxx>
> >> wrote:
> >>>
> >>> I had discussed today with a group in the Ministry of IT (STQC) about
> >>> testing and certification of DHIS 2. There are two kinds of tests:
> >>> 1. Software testing for usability, performance and reliability
> >>> 2. Software audit certification (CEERT)
> >>>
> >>> For 1, which may be a little longer process, we need to provide the
> >>> following:
> >>>
> >>> A formal request letter
> >>> Software specification and User Manual (i.e. Documentation of the
> >>> Software)
> >>> State wise customization (optional)
> >>> clearly mentioning what services we want from the said office.
> >>>
> >>> I can do the letter, and we have the user manual. But we need a
> >>> detailed technical specification document for the dhis2. Lars, Knut, Ola - from
> >>> where can I get a latest version of this. Please can you send to me.
> >>>
> >>> For software audit certification - we have to give them the URL, then
> >>> they will send us a questionnaire, which we have to fill and send back,
> >>> then they come back with a cost and time estimate. This certification is
> >>> based on NIC criteria, and I am in the process of talking to them to find out
> >>> more details.
> >>> Any advice on the above of how to proceed with this will be welcome.
> >>>
> >>> Sundeep
> >>
> >>
> >>
> >> --
> >> Cheers,
> >> Knut Staring
> >
> >
>
>
>