Page Comparison

Engineering Leads

raff Org Administrator

Contributors

Mike Seaton Samuel Lubwama Ian Bacher Grace Potma

Due date

29 Sep 2024

Objective

More robust out-of-the-box security for the O3 RefApp.

Key outcomes

Status
colour Yellow
title in progress
Completed 3rd party Pen Test
Status
colour Green
title complete
Create new, private Vulnerability Tracker (since Jira config hasn’t proven entirely trustworthy for embargoed issues we don’t want to make public yet)
Status
colour Yellow
title in progress
Completed fixes Fixes for issues found during 3rd party Pen Test
Status
colour Yellow
title in progress
Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker
Status
title not started
Add default Default support for Authentication Module into in O3 RefApp.
Status
colour Yellow
title in progress
More detailed sample Implementer Guides for implementation security maintenance.Security Guidance for implementers

\uD83E\uDD14 Problem Statement

Whereas CyberSecurity audits and authentication details have historically been handled by implementations one-by-one;
We want to be sure that the O3 RefApp has had a robust central effort to review and enhance it’s security
So that this out-of-the-box offering when globally scaled has no substantial weaknesses - especially in the context of a rise in cloud hosting.

\uD83D\uDEA9 Milestones and deadlines

Milestone	Owner	Deadline	Status

StatuscolourYellowtitlein progress

Notes and Links

Completed 3rd party Pen Test of O3 RefApp

Grace Potma

21 Aug 2024

Status

colour

Green

title
Yellow

complete

in progress

Provided by UnderDefense (after public RFA and extensive vendor review). Preliminary report received. Grade was a “C”, OWASP 7/10.
Will share public report after remediation testing and after passing best practices.

Create new, private Vulnerability Tracker (since Jira config hasn’t proven entirely trustworthy for embargoed issues we don’t want to make public yet)

Grace Potma

30 Jun 2024

Status

colour

Yellow

title
Green

in progress

complete

Only for approved OpenMRS Security Group/squad members. https://docs.google.com/spreadsheets/d/12os55e_sDzzCmwm_lJWt7atqPABqq94LCwLOrApr8v4/edit?usp=sharing

Completed fixes for issues found during 3rd party Pen Test

raff

14 Aug 2024

(Aug 14 for UnderDefense to complete remediation testing)

Status

colour	Yellow
title	in progress

Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker

Update as of July 31: High and Medium issues almost completed. Most of what remains are Low.

Add default support for Authentication Module into O3 RefApp.

Samuel Lubwama & Org Administrator

29 Sep 2024

Status

title	not started

Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker

Samuel Lubwama, Org Administrator & Grace Potma

29 Sep 2024

Status

colour	Yellow
title	in progress

Unresolved vulnerabilities available through Security Group on Talk + publicly reported on GitHub

More detailed sample Implementer Guides for implementation security maintenance.

IntelliSOFT Consulting Ltd.

29 Sep 2024

Status

colour	Yellow
title	in progress

...

See sample guides listed under: https://openmrs.atlassian.net/wiki/x/Sr2EAQ

Versions Compared

Old Version 4

New Version Current

Key

\uD83E\uDD14 Problem Statement

\uD83D\uDEA9 Milestones and deadlines