Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 7 Current »

Engineering Leads

Rafal Korytkowski Org Administrator

Contributors

Mike Seaton Samuel Lubwama Ian Bacher Grace Potma

Due date

Objective

More robust out-of-the-box security for the O3 RefApp.

Key outcomes

  1. IN PROGRESS 3rd party Pen Test

  2. COMPLETE Vulnerability Tracker

  3. IN PROGRESS Fixes for issues found during Pen Test

  4. IN PROGRESS Triage unresolved vulnerabilities

  5. NOT STARTED Default support for Authentication Module in O3 RefApp

  6. IN PROGRESS More Security Guidance for implementers

\uD83E\uDD14 Problem Statement

  • Whereas CyberSecurity audits and authentication details have historically been handled by implementations one-by-one;

  • We want to be sure that the O3 RefApp has had a robust central effort to review and enhance it’s security

  • So that this out-of-the-box offering when globally scaled has no substantial weaknesses - especially in the context of a rise in cloud hosting.

\uD83D\uDEA9 Milestones and deadlines

Milestone

Owner

Deadline

Status

Notes and Links

  1. Completed 3rd party Pen Test of O3 RefApp

Grace Potma

IN PROGRESS

Provided by UnderDefense (after public RFA and extensive vendor review). Preliminary report received. Grade was a “C”, OWASP 7/10.
Will share public report after remediation testing and after passing best practices.

  1. Create new, private Vulnerability Tracker (since Jira config hasn’t proven entirely trustworthy for embargoed issues we don’t want to make public yet)

Grace Potma

COMPLETE

Only for approved OpenMRS Security Group/squad members. https://docs.google.com/spreadsheets/d/12os55e_sDzzCmwm_lJWt7atqPABqq94LCwLOrApr8v4/edit?usp=sharing

  1. Completed fixes for issues found during 3rd party Pen Test

Rafal Korytkowski

(Aug 14 for UnderDefense to complete remediation testing)

IN PROGRESS

Update as of July 31: High and Medium issues almost completed. Most of what remains are Low.

  1. Add default support for Authentication Module into O3 RefApp.

Samuel Lubwama & Org Administrator

NOT STARTED

  1. Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker

Samuel Lubwama, Org Administrator & Grace Potma

IN PROGRESS

Unresolved vulnerabilities available through Security Group on Talk + publicly reported on GitHub

  1. More detailed sample Implementer Guides for implementation security maintenance.

IntelliSOFT Consulting Ltd.

IN PROGRESS

See sample guides listed under: https://openmrs.atlassian.net/wiki/x/Sr2EAQ


  • No labels