Product Lead

Grace Potma

Engineering Leads

raff, Org Administrator

Contributors

Mike Seaton, Samuel Lubwama, Ian Bacher, Grace Potma

Objective

More robust out-of-the-box security for the O3 RefApp.

Key outcomes

  1. 3rd party Pen Test (Status: in progress)

  2. Vulnerability Tracker (Status: complete)

  3. Fixes for issues found during Pen Test (Status: in progress)

  4. Triage unresolved vulnerabilities (Status: in progress)

  5. Default support for Authentication Module in O3 RefApp (Status: not started)

  6. More Security Guidance for implementers (Status: in progress)

🤔 Problem Statement

  • Whereas cybersecurity audits and authentication details have historically been handled by implementations one by one;

  • We want to be sure that the O3 RefApp has had a robust central effort to review and enhance its security,

  • So that this out-of-the-box offering, when globally scaled, has no substantial weaknesses - especially in the context of a rise in cloud hosting.

🚩 Milestones and deadlines

  1. Completed 3rd party Pen Test of O3 RefApp
    Owner: Grace Potma
    Status: in progress
    Notes and Links: Provided by UnderDefense (after public RFA and extensive vendor review). Preliminary report received. Grade was a “C”, OWASP 7/10. Will share public report after remediation testing and after passing best practices.

  2. Create new, private Vulnerability Tracker (since Jira config hasn’t proven entirely trustworthy for embargoed issues we don’t want to make public yet)
    Owner: Grace Potma
    Status: complete
    Notes and Links: Only for approved OpenMRS Security Group/squad members. https://docs.google.com/spreadsheets/d/12os55e_sDzzCmwm_lJWt7atqPABqq94LCwLOrApr8v4/edit?usp=sharing

  3. Completed fixes for issues found during 3rd party Pen Test
    Owner: raff
    Deadline: (Aug 14 for UnderDefense to complete remediation testing)
    Status: in progress
    Notes and Links: Update as of July 31: High and Medium issues almost completed. Most of what remains are Low.

  4. Add default support for Authentication Module into O3 RefApp.
    Owner: Samuel Lubwama & Org Administrator
    Deadline: /
    Status: not started

  5. Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker
    Owner: Samuel Lubwama, Org Administrator & Grace Potma
    Deadline: /
    Status: in progress
    Notes and Links: Unresolved vulnerabilities available through Security Group on Talk + publicly reported on GitHub

  6. More detailed sample Implementer Guides for implementation security maintenance.
    Owner: IntelliSOFT Consulting Ltd.
    Status: in progress (previously marked complete)
    Notes and Links: See sample guides listed under: https://openmrs.atlassian.net/wiki/x/Sr2EAQ

🎯 Scope

Must have:

Nice to have:

Not in scope:

🗓 Timeline