Security Backlog

This document shares current curated security backlog with features and capabilities that are defined in Security Jira board. Please refer Bahmni Security Posture document to get a holistic perspective.

To update JIRA details below, please type “/JIRA“ under Documentation/JIRA column & search your Jira no, click Insert.
This will show the current status on Jira board.

 

Categories

Capabilities / Features

Documentation/JIRA

Bahmni Lite v 1.0 Release

Categories

Capabilities / Features

Documentation/JIRA

Bahmni Lite v 1.0 Release

1

Trivy Secret & Vulnerability Scanning

Analyze false positives or perform quick fixes on Critical vulnerabilities (First Pass)

https://bahmni.atlassian.net/browse/BAH-2416

DONE

2

Perform Vulnerability check in CI (build) using Trivy and fail for Critical issues. Add secret scanning using Trivy in all Bahmni repositories

https://bahmni.atlassian.net/browse/BAH-2193

DONE

3

Machine / Node hardening

OpenSCAP for nodes / machine monitoring

https://bahmni.atlassian.net/browse/BAH-2142

DONE

4

Apply daily critical security updates automatically (e.g EC2)

https://bahmni.atlassian.net/browse/BAH-2412

DEFERRED

5

Firewall

OpenSource / Free option for Bot Management and Traffic Control for Bahmni running on Docker / K8s

DEFERRED

6

Document AWS WAF and Bot Management recommendation for Bahmni Lite

DEFERRED

7

Security Quality Gates

Explore OWASP Zap for Bahmni Security Testing

DEFERRED

8

Automate Static Code Analysis using DeepSource / SonarQube → Documentation


DEFERRED

9

Data Protection

Protect patient documents behind Login (only for older RPM based installation since docker and k8s no longer have this issue)

Not APPLICABLE

10

Encrypt documents at rest (S3/FileSystem/Connected Storage/etc) e.g. Patient Documents

DEFERRED

11

Identity Management

Mitigate default credentials risk

  • Ensure Change password on first login e.g. superman

  • Remove default creds from code e.g. .env, values.yaml etc

DEFERRED

12

Cloud/Infra

Document recommendations on General Cloud hygiene

 

PARTIAL DONE

13

Document Approach on Reporting security incident (Slack, DL etc)

 

DONE

14

Source Code Fixes

Fix hip service critical vulnerabilities

ABDM DONE

15

Fix hiu backend critical vulnerabilities

ABDM DONE

16

Fix hiu-ui critical vulnerabilities

ABDM DONE

17

Fix critical vulnerabilities in ABHA verification repo.

ABDM DONE

18

Fix critical vulnerabilities in Hiu-db code

ABDM DONE

19

Fix Critical Vulnerabilities in Appointments, Bahmni-lab, Bahmni-web, implementer-interface and patient-Documents images/jars

required DONE

20

Fix Critical Vulnerabilities in the crater-atomfeed repo

required DONE

 

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)