To track and implement security features for Bahmni

...

Backlog

...

Description

...

Status

...

Dependency Check

...

  • Frontend (npm/yarn audit, snyk)

  • Backend (OWASP Dependency-Check, hawkeye, snyk)

  • Infra (Tfsec) ✅

  • Start with GitHub Actions (GoCD would be a stretch)

...

Status: IN PROGRESS

...

Static code analysis

...

Validate code smells and security issues in CI pipeline (frontend, backend and infra)

...

Status: IN PROGRESS

Documentation

...

Bahmni Security Agents

...

Context: We have a lot of documented guidance on the right security practices for installing Bahmni (e.g. setting up the right permissions, root access, etc.), but currently there is no way to keep the respective implementation support / maintenance team informed about possible vulnerabilities.

Feature: Bahmni security agents would run on the Linux machines (on-prem or cloud) where Bahmni is installed and would scan for possible vulnerabilities with respect to:

  • Policies (inappropriate permissions, root access, etc.)

  • Open ports

  • Libraries / dependencies used by the application that have known vulnerabilities

  • Missing OS security updates

...

Status: In progress

Documentation

...

Implementation of secret scanners in our pipelines

...

As part of the TW SMP implementation, we need to implement secret scanner tools in all our pipelines to ensure no secrets are passed through them.

...

Status: IN PROGRESS

...

Prepackaged Bahmni Secure Image for On-Prem

...

Prepackaged secure AMI for running Bahmni. It should support both the Docker and non-Docker versions.

...

Status: Not started

...

Certificates

...

Document a secure way to generate and manage certificates.

...

Status: Not started

...

Security Testing: OWASP ZAP

...

Explore Bahmni security testing using OWASP ZAP.

...

Status: Not started

...

Patient Documents/Reports Encryption

...

Patient documents/reports that are stored in the cloud (S3/FileSystem/Connected Storage/etc.) should be encrypted. This is needed because of the sensitivity of the documents being uploaded.
Consider encrypting individual documents.

...

Status: Not started

...

Mitigate default credentials risk

...

Currently, Bahmni ships with multiple default credentials, with the expectation that implementers change them during installation. The risk arises when the default credentials remain unchanged, triggering an elevation-of-privilege threat.

The goal is to clean up default credentials from the codebase (e.g. .env docker-compose) and the wiki, and/or leverage the “Change password during first login” feature.

...

Infrastructure

Firewall

Policy Management

Bot Management

Certificates

Policy

Secret/Token Management

Data Security

Data encryption

Information Logging

Data Authorization

Application Security

Authentication

Authorization

Logging and Auditing

User Identities

Threat Protection

TLS

DDoS

Information Disclosure