dhis2-devs team mailing list archive

Thread
Date

Re: Application Security testing for DHIS 2

To: Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
From: Greg Wilson <gwilson@xxxxxxxxxxxxxx>
Date: Tue, 23 Aug 2016 09:33:05 -0400
Cc: Claes-Philip Staiger <claes-philip@xxxxxxxxxx>, Theo Krommydakis <theo.krommydakis@xxxxxxxxxxxxxx>, dhis2-devs <dhis2-devs@xxxxxxxxxxxxxxxxxxx>, twoca <twoca@xxxxxxxxxxxxxxxx>
In-reply-to: <CAP3CzMgXYaPK9QeaW7_dXPR-b5hgdySRAApUMk23Yc5nQUH6jA@mail.gmail.com>

Aamer:

As part of the DATIM work, BAO is performing IBM AppScan vulnerability
assessment and confirmation. The results of these assessments will be
passed onto the development team for remediation. Due to the sensitive
nature of security vulnerabilities, we will follow standard, responsible
best practices regarding public disclosure. If critical, non-credentialed,
remote vulnerabilities are discovered we will attempt to provide
work-a-rounds until the devs can publish a remediated DHIS2 version.

This scanning will only involve DHIS2 core and apps that DATIM uses. We are
currently scanning v2.21 but will be jumping to 2.23 very soon. This will
be an ongoing, regular process. If you have any questions feel free to
contact me any time.

Gregory Wilson, CSSLP
BAO Systems, Inc.
gwilson@xxxxxxxxxxxxxx

On Tue, Aug 23, 2016 at 5:31 AM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
wrote:

> Hi dhis devs,
>
> We are looking for testing the application in areas which focus on "CIA
> triad" (Confidentiality, Integrity, Availability) of DHIS users and
> resources. Just wanted to check from DHIS devs if any kind of methodologies
> are already inplace for testing the code for below vulnerabilities.
> 1) Cross-site scripting attacks
> 2) Broken authentication attacks
> 3) Injection flaws
> 4) malicious code
>
> Thanks
> Aamer.
>
>
> On Fri, Jul 29, 2016 at 5:37 PM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
> wrote:
>
>> Hi Team,
>>
>> We are now beginning to look at application security of DHIS 2. We want
>> to understand if there is already any security testing in place for DHIS
>> and any guidelines around it. This will be helpful in security testing the
>> features which we have already contributed and the ones which we are
>> planning to.
>> It would be helpful if you get us started around this.
>>
>> Thanks
>> Aamer.
>>
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>

-- 
Greg Wilson
BAO Systems

Follow ups

Re: Application Security testing for DHIS 2
From: Vanya Seth, 2016-08-26

References

Application Security testing for DHIS 2
From: Aamer Mohammed, 2016-07-29
Re: Application Security testing for DHIS 2
From: Aamer Mohammed, 2016-08-23