dhis2-devs team mailing list archive
Message #46551
Re: Application Security testing for DHIS 2
Hi Greg,
Thanks for the response.
I reckon when you say the development team you mean the DHIS2 development
team. Would it be possible to have a look at the kind of issues reported?
It would also be valuable to understand from the dhis devs how the aspects
of security are treated first hand during the course of development.
Regards
Vanya
On Tue, Aug 23, 2016 at 7:03 PM, Greg Wilson <gwilson@xxxxxxxxxxxxxx> wrote:
> Aamer:
>
> As part of the DATIM work, BAO is performing IBM AppScan vulnerability
> assessment and confirmation. The results of these assessments will be
> passed onto the development team for remediation. Due to the sensitive
> nature of security vulnerabilities, we will follow standard, responsible
> best practices regarding public disclosure. If critical, non-credentialed,
> remote vulnerabilities are discovered we will attempt to provide
> workarounds until the devs can publish a remediated DHIS2 version.
>
> This scanning will only involve DHIS2 core and apps that DATIM uses. We
> are currently scanning v2.21 but will be jumping to 2.23 very soon. This
> will be an ongoing, regular process. If you have any questions feel free to
> contact me any time.
>
> Gregory Wilson, CSSLP
> BAO Systems, Inc.
> gwilson@xxxxxxxxxxxxxx
>
>
> On Tue, Aug 23, 2016 at 5:31 AM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
> wrote:
>
>> Hi dhis devs,
>>
>> We are looking at testing the application in areas which focus on the "CIA
>> triad" (Confidentiality, Integrity, Availability) of DHIS users and
>> resources. Just wanted to check with the DHIS devs whether any methodologies
>> are already in place for testing the code for the vulnerabilities below.
>> 1) Cross-site scripting attacks
>> 2) Broken authentication attacks
>> 3) Injection flaws
>> 4) Malicious code
>>
>> Thanks
>> Aamer.
>>
>>
>> On Fri, Jul 29, 2016 at 5:37 PM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
>> wrote:
>>
>>> Hi Team,
>>>
>>> We are now beginning to look at application security of DHIS 2. We want
>>> to understand if there is already any security testing in place for DHIS
>>> and any guidelines around it. This will be helpful in security testing the
>>> features which we have already contributed and the ones which we are
>>> planning to.
>>> It would be helpful if you could get us started on this.
>>>
>>> Thanks
>>> Aamer.
>>>
>>>
>>
>
>
> --
> Greg Wilson
> BAO Systems
>
--
With Regards
ThoughtWorks Technologies
Hyderabad
--Stay Hungry Stay Foolish!!