Hi Bob, There is way to file security related bugs in launchpad by default, by checking:This bug is a security vulnerability The maintainer of DHIS, DHIS 2 coordinators <https://launchpad.net/~dhis2-coordinators>, will be notified.
These will be part of the CVE reports in launchpad... With that being there in launchpad, I asked the question why no one has check marked that... or were those deleted?? Which brings me back to the question... Do we want to organize a few focused days filing and fixing the security related bugs (secure-a-thon) and unit tests (test-a-thon) to beat these security-related issues?? --- Regards, Saptarshi PURKAYASTHA Director R & D, HISP India Health Information Systems Programme My Tech Blog: http://sunnytalkstech.blogspot.com You Live by CHOICE, Not by CHANCE 2009/10/4 Bob Jolliffe <[email protected]> > Hi Saptarshi and all > > I see launchpad supports CVE framework but I haven't yet figured out how to > link bugs to particular CVE. Anyway mostly these will refer to security > vulnerabilities in the many libraries which we use. > > It seems we have not set up any way of tagging security related bugs at > all. As an interrim I have created a "security" tag which we should use > when there are reported bugs with security implications. When we report a > bug we might adopt the convention that at the bottom of each and every bug > report we add a section: > > Security Implications: None. > > Where these implications are not "None" we also tag the bug with the > security flag. > > I am sure that many of our existing bugs should be tagged thus. There are > 181 reported bugs currently (obviously many fixed). Maybe we should divide > up the bug space and run through a set each - adding the Security > Implications in each case. > > Would be great if we could create a template for bug reports. Has anyone > any idea how this might be done? > > I am not sure if I can really stop what I am doing completely - I'm already > battling with targets. But I'm happy to help out. > > We also need to appoint a security czar to coordinate and monitor and crack > the whip when necessary. Any volunteers/nominations? I'm thinking you are > emerging as the party with the most immediate interest. > > Also its worth noting that besides getting more serious about security > within DHIS2 code base (which I fully support) I think the most serious > vulnerabilities have resulted more from poor implementation practice, the > lack of secure deployment guidelines and the lack of security policy > guidelines for implementing agencies. > > Regards > Bob > > 2009/10/4 Saptarshi Purkayastha <[email protected]> > > Hi Bob, Lars, >> I cant see any CVE in launchpad. Has someone removed it?? Or has no one >> reported any till now?? >> If none have been reported till date, then I suggest we organize a >> Security-a-thon quickly and then probably a Test-a-thon to improve our test >> coverage. I think new features should wait for a while, until we get the >> house in order... >> >> cc'ing this to the dev list so that all interested in a 2-3 day >> security-a-thon should let their thoughts known... >> >> --- >> Regards, >> Saptarshi PURKAYASTHA >> Director R & D, HISP India >> Health Information Systems Programme >> >> My Tech Blog: http://sunnytalkstech.blogspot.com >> You Live by CHOICE, Not by CHANCE >> >> >> 2009/10/2 Bob Jolliffe <[email protected]> >> >> Thanks Lars - I eventually figured that out as well. >>> >>> Regarding security I think we can say the following: >>> >>> DHIS2 is a free software project and all the source code is subject to >>> peer review by the the global Hisp team of developers, implementors and >>> partners. As with other large software projects, security vulnerabilities, >>> including those from the OWASP Top Ten are occasionally reported. All known >>> security flaws are reported as bugs on >>> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly >>> and transparently. >>> >>> (if anybody has time to sift through and pick up on any security related >>> bugs which have been fixed as examples it would reinforce the point). >>> >>> I am not sure if there is any point going through the 10 categories now >>> and pointing out where DHIS might be lacking. It is an exercise of >>> conjecture. If you can rather focus on the processes by which >>> vulnerabilities are reported and addressed, I think it is more valid. The >>> main vulnerabilities you are accountable for are the ones which are >>> reported. >>> >>> In addition HISP India operates within the constraints of a high level >>> security policy. >>> >>> There's quite a bit of stuff I did with Satvik around process. I'll look >>> back - in particular there was some notes about secure installation >>> guidelines which might be useful. Addresses some of ther issues around >>> secure storage, imsecure configuration etc. Will try and drag it up. >>> >>> Then I must go and cast my vote regarding the Lisbon Treaty for Europe. >>> I'm thinking I will vote against it ... >>> >>> Regards >>> Bob >>> >>> >>> >>> >>> 2009/10/2 Lars Helge Ă˜verland <[email protected]> >>> >>>> >>>> >>>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe <[email protected]>wrote: >>>> >>>>> Hi I am a bit confused what is happening here between Saptarshi's mail >>>>> and yours. As Lars says i am sure the HISP India team is available to >>>>> address most things. In fact much of the functionality is specific to >>>>> India >>>>> anyway so it is only you who can describe. >>>>> >>>>> Regarding the "top 10 vulnerabilities listed on OWASP" : where are >>>>> they? Saptarshi is it worth looking at them now at this late stage? >>>>> Obviously if there are vulnerabilities we may not address them today but >>>>> we >>>>> can have an audit process to see that they are addressed. Whatever >>>>> happened >>>>> to Satvik ..... Anyway please send me a reference to them and I'll see if >>>>> there is anything to be done. >>>>> >>>>> Regards >>>>> Bob >>>>> >>>>> >>>> I guess they are at the bottom here: >>>> >>>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project >>>> >>>> >>> >>> >> >
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : [email protected] Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp

