CyberSecurity Squad 2024
Engineering Leads | @raff @Org Administrator |
Contributors | @Mike Seaton @Samuel Lubwama @Ian Bacher @Grace Potma |
Due date | Sep 29, 2024 |
Objective | More robust out-of-the-box security for the O3 RefApp. |
Key outcomes | |
Problem Statement
Whereas CyberSecurity audits and authentication details have historically been handled by implementations one by one;
We want to be sure that the O3 RefApp has had a robust central effort to review and enhance its security;
So that this out-of-the-box offering, when globally scaled, has no substantial weaknesses, especially in the context of a rise in cloud hosting.
Milestones and deadlines
Milestone | Owner | Deadline | Status | Notes and Links |
---|---|---|---|---|
| @Grace Potma | Aug 21, 2024 | in progress | Provided by UnderDefense (after public RFA and extensive vendor review). Preliminary report received. Grade was a “C”, OWASP 7/10. |
| @Grace Potma | Jun 30, 2024 | complete | Only for approved OpenMRS Security Group/squad members. https://docs.google.com/spreadsheets/d/12os55e_sDzzCmwm_lJWt7atqPABqq94LCwLOrApr8v4/edit?usp=sharing |
| @raff | Aug 14, 2024 (Aug 14 for UnderDefense to complete remediation testing) | in progress | Update as of July 31: High and Medium issues almost completed. Most of what remains are Low. |
| @Samuel Lubwama & @Org Administrator | Sep 29, 2024 | not started | |
| @Samuel Lubwama, @Org Administrator & @Grace Potma | Sep 29, 2024 | in progress | Unresolved vulnerabilities available through Security Group on Talk + publicly reported on GitHub |
| IntelliSOFT Consulting Ltd. | Sep 29, 2024 | in progress | See sample guides listed under: https://openmrs.atlassian.net/wiki/x/Sr2EAQ |