2014-12-04 Developers Forum
How to Join
Agenda
Quickly review previous meeting minutes (5 min)
Web Application Security w/ Sherif Koussa, CEO of SecurifyLabs
Review next meeting agenda
Minutes
Developers Forum 2014-12-04
Recording: http://goo.gl/f3HFuw (audio/MP3) https://connect.iu.edu/p105n0uzjlo/ (Adobe Flash)
Attendees
Sherif Koussa
Burke
Rafał
Wyclif
Ryan
Michael D.
Daniel
Karl
Tammy
Willa
Serghei Luchianov
Jim Hinson
Paul
Mike S.
Ada
Agenda/Notes
Security Challenges for open source projects
Attackers can easily research the code for their attack
Community Awareness – i.e., raising awareness among contributors & users
Contributors
Some may be more aware than others
Users
Where does responsibility of developer end & consumer's responsibility start?
For example, OpenMRS assumes the physical box is protected, all unnecessary ports are closed, and only SSH and TLS access to the box is allowed.
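That deployment assumption (only SSH and TLS reachable from outside the box) is something an implementer can check rather than take on faith. The script below is an added example, not code from the forum or from the OpenMRS project: it parses the output of `ss -tlnp` and flags any listener bound to a non-loopback address whose port is outside an allowlist of 22 (SSH) and 443 (TLS). The embedded `ss` output is constructed for the example, and the process names and port numbers in it are assumptions.

```python
import re
import subprocess
from typing import List, Set, Tuple

# Constructed sample of `ss -tlnp` output (not captured from a real OpenMRS server).
# It includes one listener that would violate the "only SSH and TLS" assumption.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1044,fd=6))
LISTEN  0       4096    127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       100     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=1330,fd=45))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Ports the page says may be reachable from outside the box: SSH and TLS.
ALLOWED_PUBLIC_PORTS: Set[int] = {22, 443}


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # "Local Address:Port" is the 4th column; rpartition handles IPv6 "[::]:22".
        addr, _, port = parts[3].rpartition(":")
        proc_match = re.search(r'\("([^"]+)"', line)
        proc = proc_match.group(1) if proc_match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback listeners are reachable only from the box itself, so they are not exposed."""
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(ss_output: str,
                    allowed: Set[int] = ALLOWED_PUBLIC_PORTS) -> List[Tuple[str, int, str]]:
    """Return every non-loopback listener whose port is not in the allowlist."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if is_loopback(addr):
            continue
        if port not in allowed:
            findings.append((addr, port, proc))
    return findings


def audit_live() -> List[Tuple[str, int, str]]:
    """Run `ss -tlnp` on the current host (Linux) and audit the real listener table."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in audit_live() on a real deployment.
    for addr, port, proc in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed listener outside allowlist: {addr}:{port} ({proc})")
```

On the constructed sample the only finding is the `java` process on `0.0.0.0:8080`, which is exactly the case the assumption is meant to exclude: an application server reachable directly rather than only through the TLS front end. The MySQL listener on `127.0.0.1:3306` is not reported because it is bound to loopback. The audit reads the socket table, not the firewall, so a port that is open locally but filtered upstream still shows up; that is deliberate, since the page's assumption is that unnecessary ports are closed on the box itself.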
Ineffective Security Models
OpenSAMM <http://www.opensamm.org/> "Software Assurance Maturity Model"
A good way to look at software security from a bird's eye view
Can be scaled to need
Tries to help organizations form a strategy for software security that is tailored to need
Helps answer the common questions:
Where do we start?
What is the root cause of our security problems?
Separates software development into 4 functions:
Governance – leadership, road map
Construction – development
Verification – validation, testing
Deployment – delivering software & support
There are three security practices under each of the 4 functions (12 practices in total).
How would SAMM apply to OpenMRS?
Governance
Regional Privacy Regulations
Security Awareness – the toughest challenge in the open source community.
Community Education
User Education
Construction
Regional Security Requirements
Global/Regional Threat
Secure Coding
Verification
Security Testing
Security Code Reviews
Baseline Security Assessment
Vulnerability Management
Deployment
Incident Response