dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #46562
Re: Application Security testing for DHIS 2
Vanya:
Yes, I meant the DHIS2 development team.
The only significant new issues that the scanning found relate to XSS,
CSRF, and configuration disclosure. None these can be triggered without
prior authentication to the system, so the foot print is limited. Also,
even the XSS/CSRF results are not exploitable due to how the server returns
data. Automated scanners produce quite a lot of noise, but we want to have
all the bases covered.
Greg
On Fri, Aug 26, 2016 at 12:57 AM, Vanya Seth <vanyas@xxxxxxxxxxxxxxxx>
wrote:
> HI Greg
>
> Thanks for the response.
>
> I reckon when you say the development team you mean the DHIS2 development
> team. Would it be possible to have a look at the kind of issues reported?
>
> It would also be valuable to understand from the dhis devs how the aspects
> of security are treated first hand during the course of development.
>
> Regards
> Vanya
>
>
> On Tue, Aug 23, 2016 at 7:03 PM, Greg Wilson <gwilson@xxxxxxxxxxxxxx>
> wrote:
>
>> Aamer:
>>
>> As part of the DATIM work, BAO is performing IBM AppScan vulnerability
>> assessment and confirmation. The results of these assessments will be
>> passed onto the development team for remediation. Due to the sensitive
>> nature of security vulnerabilities, we will follow standard, responsible
>> best practices regarding public disclosure. If critical, non-credentialed,
>> remote vulnerabilities are discovered we will attempt to provide
>> work-a-rounds until the devs can publish a remediated DHIS2 version.
>>
>> This scanning will only involve DHIS2 core and apps that DATIM uses. We
>> are currently scanning v2.21 but will be jumping to 2.23 very soon. This
>> will be an ongoing, regular process. If you have any questions feel free to
>> contact me any time.
>>
>> Gregory Wilson, CSSLP
>> BAO Systems, Inc.
>> gwilson@xxxxxxxxxxxxxx
>>
>>
>> On Tue, Aug 23, 2016 at 5:31 AM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx>
>> wrote:
>>
>>> Hi dhis devs,
>>>
>>> We are looking for testing the application in areas which focus on "CIA
>>> triad" (Confidentiality, Integrity, Availability) of DHIS users and
>>> resources. Just wanted to check from DHIS devs if any kind of methodologies
>>> are already inplace for testing the code for below vulnerabilities.
>>> 1) Cross-site scripting attacks
>>> 2) Broken authentication attacks
>>> 3) Injection flaws
>>> 4) malicious code
>>>
>>> Thanks
>>> Aamer.
>>>
>>>
>>> On Fri, Jul 29, 2016 at 5:37 PM, Aamer Mohammed <aamerm@xxxxxxxxxxxxxxxx
>>> > wrote:
>>>
>>>> Hi Team,
>>>>
>>>> We are now beginning to look at application security of DHIS 2. We want
>>>> to understand if there is already any security testing in place for DHIS
>>>> and any guidelines around it. This will be helpful in security testing the
>>>> features which we have already contributed and the ones which we are
>>>> planning to.
>>>> It would be helpful if you get us started around this.
>>>>
>>>> Thanks
>>>> Aamer.
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>> --
>> Greg Wilson
>> BAO Systems
>>
>
>
>
> --
> With Regards
> ThoughtWorks Technologies
> Hyderabad
>
> --Stay Hungry Stay Foolish!!
>
--
Greg Wilson
BAO Systems
References