Hi Saptarshi 2009/10/4 Saptarshi Purkayastha <[email protected]>
> Hi Bob, > > There is way to file security related bugs in launchpad by default, by > checking:This bug is a security vulnerability The maintainer of DHIS, DHIS > 2 coordinators <https://launchpad.net/%7Edhis2-coordinators>, will be > notified. > Yes you are right. No need for the extra tag. > > These will be part of the CVE reports in launchpad... With that being there > in launchpad, I asked the question why no one has check marked that... or > were those deleted?? > I don't think any have been deleted. Hard to be sure without exporting the bug database somehow. But when searching for all bugs associated with a cve we draw a blank. Which seems to suggest that nobody has reported any security related bugs - or at least checked the box. I thought you had reported something regarding client side/ server side validation but I can't find it. Maybe it was just on mail :-( > > Which brings me back to the question... Do we want to organize a few > focused days filing and fixing the security related bugs (secure-a-thon) and > unit tests (test-a-thon) to beat these security-related issues?? > I think its a good idea but we need some security related issues to fix. Do you want to report some to get the ball rolling? Regards Bob > > --- > Regards, > Saptarshi PURKAYASTHA > Director R & D, HISP India > Health Information Systems Programme > > My Tech Blog: http://sunnytalkstech.blogspot.com > You Live by CHOICE, Not by CHANCE > > > 2009/10/4 Bob Jolliffe <[email protected]> > > Hi Saptarshi and all >> >> I see launchpad supports CVE framework but I haven't yet figured out how >> to link bugs to particular CVE. Anyway mostly these will refer to security >> vulnerabilities in the many libraries which we use. >> >> It seems we have not set up any way of tagging security related bugs at >> all. As an interrim I have created a "security" tag which we should use >> when there are reported bugs with security implications. When we report a >> bug we might adopt the convention that at the bottom of each and every bug >> report we add a section: >> >> Security Implications: None. >> >> Where these implications are not "None" we also tag the bug with the >> security flag. >> >> I am sure that many of our existing bugs should be tagged thus. There >> are 181 reported bugs currently (obviously many fixed). Maybe we should >> divide up the bug space and run through a set each - adding the Security >> Implications in each case. >> >> Would be great if we could create a template for bug reports. Has anyone >> any idea how this might be done? >> >> I am not sure if I can really stop what I am doing completely - I'm >> already battling with targets. But I'm happy to help out. >> >> We also need to appoint a security czar to coordinate and monitor and >> crack the whip when necessary. Any volunteers/nominations? I'm thinking you >> are emerging as the party with the most immediate interest. >> >> Also its worth noting that besides getting more serious about security >> within DHIS2 code base (which I fully support) I think the most serious >> vulnerabilities have resulted more from poor implementation practice, the >> lack of secure deployment guidelines and the lack of security policy >> guidelines for implementing agencies. >> >> Regards >> Bob >> >> 2009/10/4 Saptarshi Purkayastha <[email protected]> >> >> Hi Bob, Lars, >>> I cant see any CVE in launchpad. Has someone removed it?? Or has no one >>> reported any till now?? >>> If none have been reported till date, then I suggest we organize a >>> Security-a-thon quickly and then probably a Test-a-thon to improve our test >>> coverage. I think new features should wait for a while, until we get the >>> house in order... >>> >>> cc'ing this to the dev list so that all interested in a 2-3 day >>> security-a-thon should let their thoughts known... >>> >>> --- >>> Regards, >>> Saptarshi PURKAYASTHA >>> Director R & D, HISP India >>> Health Information Systems Programme >>> >>> My Tech Blog: http://sunnytalkstech.blogspot.com >>> You Live by CHOICE, Not by CHANCE >>> >>> >>> 2009/10/2 Bob Jolliffe <[email protected]> >>> >>> Thanks Lars - I eventually figured that out as well. >>>> >>>> Regarding security I think we can say the following: >>>> >>>> DHIS2 is a free software project and all the source code is subject to >>>> peer review by the the global Hisp team of developers, implementors and >>>> partners. As with other large software projects, security vulnerabilities, >>>> including those from the OWASP Top Ten are occasionally reported. All >>>> known >>>> security flaws are reported as bugs on >>>> https://bugs.launchpad.net/dhis2/+bugs where they are addressed openly >>>> and transparently. >>>> >>>> (if anybody has time to sift through and pick up on any security related >>>> bugs which have been fixed as examples it would reinforce the point). >>>> >>>> I am not sure if there is any point going through the 10 categories now >>>> and pointing out where DHIS might be lacking. It is an exercise of >>>> conjecture. If you can rather focus on the processes by which >>>> vulnerabilities are reported and addressed, I think it is more valid. The >>>> main vulnerabilities you are accountable for are the ones which are >>>> reported. >>>> >>>> In addition HISP India operates within the constraints of a high level >>>> security policy. >>>> >>>> There's quite a bit of stuff I did with Satvik around process. I'll >>>> look back - in particular there was some notes about secure installation >>>> guidelines which might be useful. Addresses some of ther issues around >>>> secure storage, imsecure configuration etc. Will try and drag it up. >>>> >>>> Then I must go and cast my vote regarding the Lisbon Treaty for Europe. >>>> I'm thinking I will vote against it ... >>>> >>>> Regards >>>> Bob >>>> >>>> >>>> >>>> >>>> 2009/10/2 Lars Helge Ă˜verland <[email protected]> >>>> >>>>> >>>>> >>>>> On Fri, Oct 2, 2009 at 10:33 AM, Bob Jolliffe >>>>> <[email protected]>wrote: >>>>> >>>>>> Hi I am a bit confused what is happening here between Saptarshi's mail >>>>>> and yours. As Lars says i am sure the HISP India team is available to >>>>>> address most things. In fact much of the functionality is specific to >>>>>> India >>>>>> anyway so it is only you who can describe. >>>>>> >>>>>> Regarding the "top 10 vulnerabilities listed on OWASP" : where are >>>>>> they? Saptarshi is it worth looking at them now at this late stage? >>>>>> Obviously if there are vulnerabilities we may not address them today but >>>>>> we >>>>>> can have an audit process to see that they are addressed. Whatever >>>>>> happened >>>>>> to Satvik ..... Anyway please send me a reference to them and I'll see >>>>>> if >>>>>> there is anything to be done. >>>>>> >>>>>> Regards >>>>>> Bob >>>>>> >>>>>> >>>>> I guess they are at the bottom here: >>>>> >>>>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project >>>>> >>>>> >>>> >>>> >>> >> >
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : [email protected] Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp

