dhis2-devs team mailing list archive

Re: STQC Testing of DHIS

Hi Saptarshi

2009/10/4 Saptarshi Purkayastha <sunbiz@xxxxxxxxx>

> Hi Bob,
>
> There is a way to file security related bugs in launchpad by default, by
> checking: "This bug is a security vulnerability". The maintainer of DHIS, DHIS
> 2 coordinators <https://launchpad.net/%7Edhis2-coordinators>, will be
> notified.
>

Yes you are right.  No need for the extra tag.


>
> These will be part of the CVE reports in launchpad... With that being there
> in launchpad, I asked the question why no one has check marked that... or
> were those deleted??
>

I don't think any have been deleted.  Hard to be sure without exporting the
bug database somehow.  But when searching for all bugs associated with a cve
we draw a blank.  Which seems to suggest that nobody has reported any
security related bugs - or at least checked the box.

I thought you had reported something regarding client side/ server side
validation but I can't find it.  Maybe it was just on mail :-(


>
> Which brings me back to the question... Do we want to organize a few
> focused days filing and fixing the security related bugs (secure-a-thon) and
> unit tests (test-a-thon) to beat these security-related issues??
>

I think it's a good idea but we need some security related issues to fix.  Do
you want to report some to get the ball rolling?

Regards
Bob


>
> ---
> Regards,
> Saptarshi PURKAYASTHA
> Director R & D, HISP India
> Health Information Systems Programme
>
> My Tech Blog:  http://sunnytalkstech.blogspot.com
> You Live by CHOICE, Not by CHANCE
>
>
> 2009/10/4 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>
>> Hi Saptarshi and all
>>
>> I see launchpad supports CVE framework but I haven't yet figured out how
>> to link bugs to particular CVE.  Anyway mostly these will refer to security
>> vulnerabilities in the many libraries which we use.
>>
>> It seems we have not set up any way of tagging security related bugs at
>> all.  As an interim I have created a "security" tag which we should use
>> when there are reported bugs with security implications.   When we report a
>> bug we might adopt the convention that at the bottom of each and every bug
>> report we add a section:
>>
>> Security Implications: None.
>>
>> Where these implications are not "None" we also tag the bug with the
>> security flag.
>>
>> I am sure that many of our existing bugs should be tagged thus.   There
>> are 181 reported bugs currently (obviously many fixed).  Maybe we should
>> divide up the bug space and run through a set each - adding the Security
>> Implications in each case.
>>
>> Would be great if we could create a template for bug reports.  Has anyone
>> any idea how this might be done?
>>
>> I am not sure if I can really stop what I am doing completely - I'm
>> already battling with targets.  But I'm happy to help out.
>>
>> We also need to appoint a security czar to coordinate and monitor and
>> crack the whip when necessary. Any volunteers/nominations?  I'm thinking you
>> are emerging as the party with the most immediate interest.
>>
>> Also it's worth noting that besides getting more serious about security
>> within DHIS2 code base (which I fully support) I think the most serious
>> vulnerabilities have resulted more from poor implementation practice, the
>> lack of secure deployment guidelines and the lack of security policy
>> guidelines for implementing agencies.
>>
>> Regards
>> Bob
>>
>> 2009/10/4 Saptarshi Purkayastha <sunbiz@xxxxxxxxx>
>>
>>> Hi Bob, Lars,
>>> I can't see any CVE in launchpad. Has someone removed it?? Or has no one
>>> reported any till now??
>>> If none have been reported till date, then I suggest we organize a
>>> Security-a-thon quickly and then probably a Test-a-thon to improve our test
>>> coverage. I think new features should wait for a while, until we get the
>>> house in order...
>>>
>>> cc'ing this to the dev list so that all interested in a 2-3 day
>>> security-a-thon should let their thoughts known...
>>>
>>> ---
>>> Regards,
>>> Saptarshi PURKAYASTHA
>>> Director R & D, HISP India
>>> Health Information Systems Programme
>>>
>>> My Tech Blog:  http://sunnytalkstech.blogspot.com
>>> You Live by CHOICE, Not by CHANCE
>>>
>>>
>>> 2009/10/2 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>>>
>>>> Thanks Lars - I eventually figured that out as well.
>>>>
>>>> Regarding security I think we can say the following:
>>>>
>>>> DHIS2 is a free software project and all the source code is subject to
>>>> peer review by the global Hisp team of developers, implementors and
>>>> partners.  As with other large software projects, security vulnerabilities,
>>>> including those from the OWASP Top Ten are occasionally reported.  All known
>>>> security flaws are reported as bugs on
>>>> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly
>>>> and transparently.
>>>>
>>>> (if anybody has time to sift through and pick up on any security related
>>>> bugs which have been fixed as examples it would reinforce the point).
>>>>
>>>> I am not sure if there is any point going through the 10 categories now
>>>> and pointing out where DHIS might be lacking.  It is an exercise of
>>>> conjecture.  If you can rather focus on the processes by which
>>>> vulnerabilities are reported and addressed, I think it is more valid.  The
>>>> main vulnerabilities you are accountable for are the ones which are
>>>> reported.
>>>>
>>>> In addition HISP India operates within the constraints of a high level
>>>> security policy.
>>>>
>>>> There's quite a bit of stuff I did with Satvik around process.  I'll
>>>> look back - in particular there was some notes about secure installation
>>>> guidelines which might be useful.  Addresses some of the issues around
>>>> secure storage, insecure configuration etc.  Will try and drag it up.
>>>>
>>>> Then I must go and cast my vote regarding the Lisbon Treaty for Europe.
>>>> I'm thinking I will vote against it ...
>>>>
>>>> Regards
>>>> Bob
>>>>
>>>>
>>>>
>>>>
>>>> 2009/10/2 Lars Helge Øverland <larshelge@xxxxxxxxx>
>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>>>>>
>>>>>> Hi I am a bit confused what is happening here between Saptarshi's mail
>>>>>> and yours.  As Lars says i am sure the HISP India team is available to
>>>>>> address most things.  In fact much of the functionality is specific to India
>>>>>> anyway so it is only you who can describe.
>>>>>>
>>>>>> Regarding the "top 10 vulnerabilities listed on OWASP" :  where are
>>>>>> they?  Saptarshi is it worth looking at them now at this late stage?
>>>>>> Obviously if there are vulnerabilities we may not address them today but we
>>>>>> can have an audit process to see that they are addressed.  Whatever happened
>>>>>> to Satvik .....  Anyway please send me a reference to them and I'll see if
>>>>>> there is anything to be done.
>>>>>>
>>>>>> Regards
>>>>>> Bob
>>>>>>
>>>>>>
>>>>> I guess they are at the bottom here:
>>>>>
>>>>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>