dhis2-devs team mailing list archive
Re: STQC Testing of DHIS
Hi Bob,
There is a way to file security related bugs in launchpad by default, by
checking: This bug is a security vulnerability. The maintainer of DHIS, DHIS 2
coordinators <https://launchpad.net/~dhis2-coordinators>, will be notified.
These will be part of the CVE reports in launchpad... With that being there
in launchpad, I asked the question why no one has check-marked that... or
were those deleted??
Which brings me back to the question... Do we want to organize a few focused
days filing and fixing the security related bugs (secure-a-thon) and unit
tests (test-a-thon) to beat these security-related issues??
---
Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme
My Tech Blog: http://sunnytalkstech.blogspot.com
You Live by CHOICE, Not by CHANCE
2009/10/4 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> Hi Saptarshi and all
>
> I see launchpad supports CVE framework but I haven't yet figured out how to
> link bugs to a particular CVE. Anyway mostly these will refer to security
> vulnerabilities in the many libraries which we use.
>
> It seems we have not set up any way of tagging security related bugs at
> all. As an interim I have created a "security" tag which we should use
> when there are reported bugs with security implications. When we report a
> bug we might adopt the convention that at the bottom of each and every bug
> report we add a section:
>
> Security Implications: None.
>
> Where these implications are not "None" we also tag the bug with the
> security flag.
>
> I am sure that many of our existing bugs should be tagged thus. There are
> 181 reported bugs currently (obviously many fixed). Maybe we should divide
> up the bug space and run through a set each - adding the Security
> Implications in each case.
>
> Would be great if we could create a template for bug reports. Has anyone
> any idea how this might be done?
>
> I am not sure if I can really stop what I am doing completely - I'm already
> battling with targets. But I'm happy to help out.
>
> We also need to appoint a security czar to coordinate and monitor and crack
> the whip when necessary. Any volunteers/nominations? I'm thinking you are
> emerging as the party with the most immediate interest.
>
> Also it's worth noting that besides getting more serious about security
> within DHIS2 code base (which I fully support) I think the most serious
> vulnerabilities have resulted more from poor implementation practice, the
> lack of secure deployment guidelines and the lack of security policy
> guidelines for implementing agencies.
>
> Regards
> Bob
>
> 2009/10/4 Saptarshi Purkayastha <sunbiz@xxxxxxxxx>
>
>> Hi Bob, Lars,
>> I can't see any CVE in launchpad. Has someone removed it?? Or has no one
>> reported any till now??
>> If none have been reported till date, then I suggest we organize a
>> Security-a-thon quickly and then probably a Test-a-thon to improve our test
>> coverage. I think new features should wait for a while, until we get the
>> house in order...
>>
>> cc'ing this to the dev list so that all interested in a 2-3 day
>> security-a-thon should let their thoughts be known...
>>
>> ---
>> Regards,
>> Saptarshi PURKAYASTHA
>> Director R & D, HISP India
>> Health Information Systems Programme
>>
>> My Tech Blog: http://sunnytalkstech.blogspot.com
>> You Live by CHOICE, Not by CHANCE
>>
>>
>> 2009/10/2 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>>
>>> Thanks Lars - I eventually figured that out as well.
>>>
>>> Regarding security I think we can say the following:
>>>
>>> DHIS2 is a free software project and all the source code is subject to
>>> peer review by the global HISP team of developers, implementors and
>>> partners. As with other large software projects, security vulnerabilities,
>>> including those from the OWASP Top Ten are occasionally reported. All known
>>> security flaws are reported as bugs on
>>> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly
>>> and transparently.
>>>
>>> (if anybody has time to sift through and pick up on any security related
>>> bugs which have been fixed as examples it would reinforce the point).
>>>
>>> I am not sure if there is any point going through the 10 categories now
>>> and pointing out where DHIS might be lacking. It is an exercise of
>>> conjecture. If you can rather focus on the processes by which
>>> vulnerabilities are reported and addressed, I think it is more valid. The
>>> main vulnerabilities you are accountable for are the ones which are
>>> reported.
>>>
>>> In addition HISP India operates within the constraints of a high level
>>> security policy.
>>>
>>> There's quite a bit of stuff I did with Satvik around process. I'll look
>>> back - in particular there were some notes about secure installation
>>> guidelines which might be useful. Addresses some of the issues around
>>> secure storage, insecure configuration etc. Will try and drag it up.
>>>
>>> Then I must go and cast my vote regarding the Lisbon Treaty for Europe.
>>> I'm thinking I will vote against it ...
>>>
>>> Regards
>>> Bob
>>>
>>>
>>>
>>>
>>> 2009/10/2 Lars Helge Øverland <larshelge@xxxxxxxxx>
>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>>>>
>>>>> Hi, I am a bit confused what is happening here between Saptarshi's mail
>>>>> and yours. As Lars says I am sure the HISP India team is available to
>>>>> address most things. In fact much of the functionality is specific to India
>>>>> anyway so it is only you who can describe.
>>>>>
>>>>> Regarding the "top 10 vulnerabilities listed on OWASP" : where are
>>>>> they? Saptarshi is it worth looking at them now at this late stage?
>>>>> Obviously if there are vulnerabilities we may not address them today but we
>>>>> can have an audit process to see that they are addressed. Whatever happened
>>>>> to Satvik ..... Anyway please send me a reference to them and I'll see if
>>>>> there is anything to be done.
>>>>>
>>>>> Regards
>>>>> Bob
>>>>>
>>>>>
>>>> I guess they are at the bottom here:
>>>>
>>>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>>>
>>>>
>>>
>>>
>>
>