Hi Bob, Lars, I cant see any CVE in launchpad. Has someone removed it?? Or has no one reported any till now?? If none have been reported till date, then I suggest we organize a Security-a-thon quickly and then probably a Test-a-thon to improve our test coverage. I think new features should wait for a while, until we get the house in order...
cc'ing this to the dev list so that all interested in a 2-3 day security-a-thon should let their thoughts known... --- Regards, Saptarshi PURKAYASTHA Director R & D, HISP India Health Information Systems Programme My Tech Blog: http://sunnytalkstech.blogspot.com You Live by CHOICE, Not by CHANCE 2009/10/2 Bob Jolliffe <[email protected]> > Thanks Lars - I eventually figured that out as well. > > Regarding security I think we can say the following: > > DHIS2 is a free software project and all the source code is subject to peer > review by the the global Hisp team of developers, implementors and > partners. As with other large software projects, security vulnerabilities, > including those from the OWASP Top Ten are occasionally reported. All known > security flaws are reported as bugs on > https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly and > transparently. > > (if anybody has time to sift through and pick up on any security related > bugs which have been fixed as examples it would reinforce the point). > > I am not sure if there is any point going through the 10 categories now and > pointing out where DHIS might be lacking. It is an exercise of conjecture. > If you can rather focus on the processes by which vulnerabilities are > reported and addressed, I think it is more valid. The main vulnerabilities > you are accountable for are the ones which are reported. > > In addition HISP India operates within the constraints of a high level > security policy. > > There's quite a bit of stuff I did with Satvik around process. I'll look > back - in particular there was some notes about secure installation > guidelines which might be useful. Addresses some of ther issues around > secure storage, imsecure configuration etc. Will try and drag it up. > > Then I must go and cast my vote regarding the Lisbon Treaty for Europe. > I'm thinking I will vote against it ... > > Regards > Bob > > > > > 2009/10/2 Lars Helge Ă˜verland <[email protected]> > >> >> >> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <[email protected]>wrote: >> >>> Hi I am a bit confused what is happening here between Saptarshi's mail >>> and yours. As Lars says i am sure the HISP India team is available to >>> address most things. In fact much of the functionality is specific to India >>> anyway so it is only you who can describe. >>> >>> Regarding the "top 10 vulnerabilities listed on OWASP" : where are >>> they? Saptarshi is it worth looking at them now at this late stage? >>> Obviously if there are vulnerabilities we may not address them today but we >>> can have an audit process to see that they are addressed. Whatever happened >>> to Satvik ..... Anyway please send me a reference to them and I'll see if >>> there is anything to be done. >>> >>> Regards >>> Bob >>> >>> >> I guess they are at the bottom here: >> >> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project >> >> > >
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : [email protected] Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp

