
dhis2-devs team mailing list archive

Re: STQC Testing of DHIS

 

Hi Saptarshi and all

I see launchpad supports CVE framework but I haven't yet figured out how to
link bugs to a particular CVE.  Anyway mostly these will refer to security
vulnerabilities in the many libraries which we use.

It seems we have not set up any way of tagging security related bugs at
all.  As an interim I have created a "security" tag which we should use
when there are reported bugs with security implications.  When we report a
bug we might adopt the convention that at the bottom of each and every bug
report we add a section:

Security Implications: None.

Where these implications are not "None" we also tag the bug with the
security flag.

I am sure that many of our existing bugs should be tagged thus.  There are
181 reported bugs currently (obviously many fixed).  Maybe we should divide
up the bug space and run through a set each - adding the Security
Implications in each case.

Would be great if we could create a template for bug reports.  Has anyone
any idea how this might be done?

I am not sure if I can really stop what I am doing completely - I'm already
battling with targets.  But I'm happy to help out.

We also need to appoint a security czar to coordinate and monitor and crack
the whip when necessary. Any volunteers/nominations?  I'm thinking you are
emerging as the party with the most immediate interest.

Also it's worth noting that besides getting more serious about security
within DHIS2 code base (which I fully support) I think the most serious
vulnerabilities have resulted more from poor implementation practice, the
lack of secure deployment guidelines and the lack of security policy
guidelines for implementing agencies.

Regards
Bob

2009/10/4 Saptarshi Purkayastha <sunbiz@xxxxxxxxx>

> Hi Bob, Lars,
> I can't see any CVE in launchpad. Has someone removed it?? Or has no one
> reported any till now??
> If none have been reported till date, then I suggest we organize a
> Security-a-thon quickly and then probably a Test-a-thon to improve our test
> coverage. I think new features should wait for a while, until we get the
> house in order...
>
> cc'ing this to the dev list so that all interested in a 2-3 day
> security-a-thon should let their thoughts known...
>
> ---
> Regards,
> Saptarshi PURKAYASTHA
> Director R & D, HISP India
> Health Information Systems Programme
>
> My Tech Blog:  http://sunnytalkstech.blogspot.com
> You Live by CHOICE, Not by CHANCE
>
>
> 2009/10/2 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>
>> Thanks Lars - I eventually figured that out as well.
>>
>> Regarding security I think we can say the following:
>>
>> DHIS2 is a free software project and all the source code is subject to
>> peer review by the global HISP team of developers, implementors and
>> partners.  As with other large software projects, security vulnerabilities,
>> including those from the OWASP Top Ten are occasionally reported.  All known
>> security flaws are reported as bugs on
>> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly
>> and transparently.
>>
>> (if anybody has time to sift through and pick up on any security related
>> bugs which have been fixed as examples it would reinforce the point).
>>
>> I am not sure if there is any point going through the 10 categories now
>> and pointing out where DHIS might be lacking.  It is an exercise of
>> conjecture.  If you can rather focus on the processes by which
>> vulnerabilities are reported and addressed, I think it is more valid.  The
>> main vulnerabilities you are accountable for are the ones which are
>> reported.
>>
>> In addition HISP India operates within the constraints of a high level
>> security policy.
>>
>> There's quite a bit of stuff I did with Satvik around process.  I'll look
>> back - in particular there was some notes about secure installation
>> guidelines which might be useful.  Addresses some of the issues around
>> secure storage, insecure configuration etc.  Will try and drag it up.
>>
>> Then I must go and cast my vote regarding the Lisbon Treaty for Europe.
>> I'm thinking I will vote against it ...
>>
>> Regards
>> Bob
>>
>>
>>
>>
>> 2009/10/2 Lars Helge Øverland <larshelge@xxxxxxxxx>
>>
>>>
>>>
>>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>>>
>>>> Hi I am a bit confused what is happening here between Saptarshi's mail
>>>> and yours.  As Lars says I am sure the HISP India team is available to
>>>> address most things.  In fact much of the functionality is specific to India
>>>> anyway so it is only you who can describe.
>>>>
>>>> Regarding the "top 10 vulnerabilities listed on OWASP" :  where are
>>>> they?  Saptarshi is it worth looking at them now at this late stage?
>>>> Obviously if there are vulnerabilities we may not address them today but we
>>>> can have an audit process to see that they are addressed.  Whatever happened
>>>> to Satvik .....  Anyway please send me a reference to them and I'll see if
>>>> there is anything to be done.
>>>>
>>>> Regards
>>>> Bob
>>>>
>>>>
>>> I guess they are at the bottom here:
>>>
>>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>>
>>>
>>
>>
>
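
Bob's proposal above (a "Security Implications:" section at the bottom of every bug report, and the "security" tag on any report where that section is not "None") is simple enough to check mechanically when dividing up the existing bug space. The following is an added example, not DHIS2 project code and not a Launchpad API client: it reads bug reports in a constructed plain-text format (a "Bug #N: title" line, a "Tags:" line, then the body) that approximates what one would copy from a Launchpad bug page, and reports which of the convention's rules each report breaks. The sample reports at the bottom are constructed for the example and do not describe real DHIS2 bugs.

```python
"""
Checker for a bug-report convention: every report ends with a
"Security Implications:" line, and a report whose implications are not
"None" must also carry the "security" tag (and vice versa).

Added example; the "Bug #N: title / Tags: ... / body" format is a
constructed approximation of a Launchpad bug page, not a real export format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECURITY_TAG = "security"

# The convention's section line; group 1 is whatever follows the colon.
SECTION_RE = re.compile(r"^[ \t]*Security Implications:[ \t]*(.*?)[ \t]*$",
                        re.IGNORECASE | re.MULTILINE)
HEADER_RE = re.compile(r"^Bug #(\d+):\s*(.*)$")
TAGS_RE = re.compile(r"^Tags:\s*(.*)$")

# A proposed report template (constructed for this example).
BUG_TEMPLATE = """\
Bug #<number>: <one-line summary>
Tags: <space-separated tags; add 'security' when implications are not None>
Steps to reproduce:
Expected result:
Actual result:
Security Implications: None.
"""


@dataclass
class BugReport:
    number: int
    title: str
    tags: List[str]
    body: str


@dataclass
class Finding:
    bug: int
    code: str    # MISSING_SECTION, EMPTY_SECTION, TAG_MISSING or TAG_UNEXPECTED
    detail: str


def parse_report(raw: str) -> BugReport:
    """Parse the constructed format: 'Bug #N: title', optional 'Tags: ...', then body."""
    lines = raw.strip().splitlines()
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("first line must be 'Bug #N: title'")
    tags: List[str] = []
    body_start = 1
    if len(lines) > 1:
        tag_line = TAGS_RE.match(lines[1])
        if tag_line:
            tags = tag_line.group(1).split()   # Launchpad tags are whitespace-separated
            body_start = 2
    return BugReport(int(header.group(1)), header.group(2), tags,
                     "\n".join(lines[body_start:]))


def security_implications(body: str) -> Optional[str]:
    """Text after 'Security Implications:', '' if the line is blank, None if absent."""
    m = SECTION_RE.search(body)
    return m.group(1) if m else None


def implications_are_none(text: str) -> bool:
    """Accept 'None', 'none', 'None.' and similar as the convention's 'None'."""
    return text.strip().rstrip(".").strip().lower() == "none"


def check_report(report: BugReport) -> List[Finding]:
    """Apply the convention's rules to one report; empty list means it conforms."""
    text = security_implications(report.body)
    tagged = SECURITY_TAG in (t.lower() for t in report.tags)
    if text is None:
        return [Finding(report.number, "MISSING_SECTION", "no 'Security Implications:' line")]
    if text == "":
        return [Finding(report.number, "EMPTY_SECTION", "section present but left blank")]
    findings: List[Finding] = []
    if implications_are_none(text) and tagged:
        findings.append(Finding(report.number, "TAG_UNEXPECTED",
                                "tagged 'security' but implications are None"))
    if not implications_are_none(text) and not tagged:
        findings.append(Finding(report.number, "TAG_MISSING",
                                f"implications stated ({text!r}) but no 'security' tag"))
    return findings


def triage(raw_reports: List[str]) -> Dict[int, List[str]]:
    """Map each bug number to the codes of its findings (empty list = conforms)."""
    result: Dict[int, List[str]] = {}
    for raw in raw_reports:
        report = parse_report(raw)
        result[report.number] = [f.code for f in check_report(report)]
    return result


# Constructed sample reports; none describes a real DHIS2 bug.
SAMPLE_REPORTS = [
    "Bug #1: Data entry form does not save on Enter\n"
    "Tags: dataentry\n"
    "Steps to reproduce: open a form, press Enter.\n"
    "Security Implications: None.",
    "Bug #2: Report page reachable without login\n"
    "Tags: reporting security\n"
    "Security Implications: Access control; report data visible without a session.",
    "Bug #3: Org unit name is rendered unescaped in the tree view\n"
    "Tags: orgunit\n"
    "Security Implications: Unescaped output; needs review.",
    "Bug #4: Import wizard hangs on large files\n"
    "Tags: import\n"
    "Steps to reproduce: import a 50 MB file.",
    "Bug #5: Typo in the login page footer\n"
    "Tags: ui security\n"
    "Security Implications: None.",
]

if __name__ == "__main__":
    for number, codes in triage(SAMPLE_REPORTS).items():
        print(f"Bug #{number}: {', '.join(codes) if codes else 'OK'}")
```

Running the script lists bugs 1 and 2 as conforming, bug 3 as needing the tag, bug 4 as missing the section and bug 5 as tagged without cause; the same `check_report` rule would run unchanged over text pasted from each of the 181 existing reports when splitting them up for review.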
