dhis2-devs team mailing list archive

Re: STQC Testing of DHIS

Hi Bob, Lars,
I can't see any CVE in launchpad. Has someone removed it?? Or has no one
reported any till now??
If none have been reported till date, then I suggest we organize a
Security-a-thon quickly and then probably a Test-a-thon to improve our test
coverage. I think new features should wait for a while, until we get the
house in order...

cc'ing this to the dev list so that all interested in a 2-3 day
security-a-thon can let their thoughts be known...

---
Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog:  http://sunnytalkstech.blogspot.com
You Live by CHOICE, Not by CHANCE


2009/10/2 Bob Jolliffe <bobjolliffe@xxxxxxxxx>

> Thanks Lars - I eventually figured that out as well.
>
> Regarding security I think we can say the following:
>
> DHIS2 is a free software project and all the source code is subject to peer
> review by the global HISP team of developers, implementors and
> partners.  As with other large software projects, security vulnerabilities,
> including those from the OWASP Top Ten are occasionally reported.  All known
> security flaws are reported as bugs on
> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly and
> transparently.
>
> (if anybody has time to sift through and pick up on any security related
> bugs which have been fixed as examples it would reinforce the point).
>
> I am not sure if there is any point going through the 10 categories now and
> pointing out where DHIS might be lacking.  It is an exercise of conjecture.
> If you can rather focus on the processes by which vulnerabilities are
> reported and addressed, I think it is more valid.  The main vulnerabilities
> you are accountable for are the ones which are reported.
>
> In addition HISP India operates within the constraints of a high level
> security policy.
>
> There's quite a bit of stuff I did with Satvik around process.  I'll look
> back - in particular there were some notes about secure installation
> guidelines which might be useful.  Addresses some of the issues around
> secure storage, insecure configuration etc.  Will try and drag it up.
>
> Then I must go and cast my vote regarding the Lisbon Treaty for Europe.
> I'm thinking I will vote against it ...
>
> Regards
> Bob
>
>
>
>
> 2009/10/2 Lars Helge Øverland <larshelge@xxxxxxxxx>
>
>>
>>
>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>>
>>> Hi, I am a bit confused what is happening here between Saptarshi's mail
>>> and yours.  As Lars says, I am sure the HISP India team is available to
>>> address most things.  In fact much of the functionality is specific to India
>>> anyway so it is only you who can describe it.
>>>
>>> Regarding the "top 10 vulnerabilities listed on OWASP" :  where are
>>> they?  Saptarshi is it worth looking at them now at this late stage?
>>> Obviously if there are vulnerabilities we may not address them today but we
>>> can have an audit process to see that they are addressed.  Whatever happened
>>> to Satvik .....  Anyway please send me a reference to them and I'll see if
>>> there is anything to be done.
>>>
>>> Regards
>>> Bob
>>>
>>>
>> I guess they are at the bottom here:
>>
>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>
>>
>
>