CyberSecurity Squad 2024

Engineering Leads

@raff @Org Administrator

Contributors

@Mike Seaton @Samuel Lubwama @Ian Bacher @Grace Potma

Due date

Sep 29, 2024

Objective

More robust out-of-the-box security for the O3 RefApp.

Key outcomes

  1. 3rd party Pen Test (in progress)

  2. Vulnerability Tracker (complete)

  3. Fixes for issues found during Pen Test (in progress)

  4. Triage unresolved vulnerabilities (in progress)

  5. Default support for Authentication Module in O3 RefApp (not started)

  6. More Security Guidance for implementers (in progress)

Problem Statement

  • Whereas CyberSecurity audits and authentication details have historically been handled by implementations one-by-one;

  • We want to be sure that the O3 RefApp has had a robust central effort to review and enhance its security;

  • So that this out-of-the-box offering, when globally scaled, has no substantial weaknesses - especially in the context of a rise in cloud hosting.

Milestones and deadlines

  1. Completed 3rd party Pen Test of O3 RefApp
     Owner: @Grace Potma
     Deadline: Aug 21, 2024
     Status: in progress
     Notes and Links: Provided by UnderDefense (after public RFA and extensive vendor review). Preliminary report received. Grade was a “C”, OWASP 7/10. Will share public report after remediation testing and after passing best practices.

  2. Create new, private Vulnerability Tracker (since Jira config hasn’t proven entirely trustworthy for embargoed issues we don’t want to make public yet)
     Owner: @Grace Potma
     Deadline: Jun 30, 2024
     Status: complete
     Notes and Links: Only for approved OpenMRS Security Group/squad members. https://docs.google.com/spreadsheets/d/12os55e_sDzzCmwm_lJWt7atqPABqq94LCwLOrApr8v4/edit?usp=sharing

  3. Completed fixes for issues found during 3rd party Pen Test
     Owner: @raff
     Deadline: Aug 14, 2024 (Aug 14 for UnderDefense to complete remediation testing)
     Status: in progress
     Notes and Links: Update as of July 31: High and Medium issues almost completed. Most of what remains are Low.

  4. Add default support for Authentication Module into O3 RefApp.
     Owner: @Samuel Lubwama & @Org Administrator
     Deadline: Sep 29, 2024
     Status: not started

  5. Triage list of unresolved vulnerabilities into the new, private Vulnerability Tracker
     Owner: @Samuel Lubwama, @Org Administrator & @Grace Potma
     Deadline: Sep 29, 2024
     Status: in progress
     Notes and Links: Unresolved vulnerabilities available through Security Group on Talk + publicly reported on GitHub

  6. More detailed sample Implementer Guides for implementation security maintenance.
     Owner: IntelliSOFT Consulting Ltd.
     Deadline: Sep 29, 2024
     Status: in progress
     Notes and Links: See sample guides listed under: https://openmrs.atlassian.net/wiki/x/Sr2EAQ