Security Backlog
- Nouman Memon
- Gurpreet Luthra
- Himabindu Thungathurty
This document shares current curated security backlog with features and capabilities that are defined in Security Jira board. Please refer Bahmni Security Posture document to get a holistic perspective.
To update JIRA details below, please type “/JIRA“ under Documentation/JIRA column & search your Jira no, click Insert.
This will show the current status on Jira board.
Categories | Capabilities / Features | Documentation/JIRA | Bahmni Lite v 1.0 Release | |
|---|---|---|---|---|
| 1 | Trivy Secret & Vulnerability Scanning | Analyze false positives or perform quick fixes on Critical vulnerabilities (First Pass) | DONE | |
| 2 | Perform Vulnerability check in CI (build) using Trivy and fail for Critical issues. Add secret scanning using Trivy in all Bahmni repositories | BAH-2193: [Security - Infra] Bahmni Agents - Secrets and Dependency Scanning using TrivyClosed | DONE | |
| 3 | Machine / Node hardening | OpenSCAP for nodes / machine monitoring | BAH-2142: [Security - Infra] Bahmni Agents - OS Scanning - OpenSCAPClosed | DONE |
| 4 | Apply daily critical security updates automatically (e.g EC2) | BAH-2412: [SECURITY] Apply daily critical security updates automatically on nodesNeeds Assessment | DEFERRED | |
| 5 | Firewall | OpenSource / Free option for Bot Management and Traffic Control for Bahmni running on Docker / K8s | DEFERRED | |
| 6 | Document AWS WAF and Bot Management recommendation for Bahmni Lite | DEFERRED | ||
| 7 | Security Quality Gates | Explore OWASP Zap for Bahmni Security Testing | BAH-1961: Security testing - Explore OWASP ZAP for BahmniNeeds Assessment | DEFERRED |
| 8 | Automate Static Code Analysis using DeepSource / SonarQube → Documentation | BAH-1958: [Security - Frontend] Static code analysis for linting, code smells and security issuesNeeds Assessment | DEFERRED | |
| 9 | Data Protection | Protect patient documents behind Login (only for older RPM based installation since docker and k8s no longer have this issue) | BAH-2417: Protect patient documents behind LoginNeeds Assessment | Not APPLICABLE |
| 10 | Encrypt documents at rest (S3/FileSystem/Connected Storage/etc) e.g. Patient Documents | DEFERRED | ||
| 11 | Identity Management | Mitigate default credentials risk
| BAH-1960: Cleanup default creds from code and WikiNeeds Assessment | DEFERRED |
| 12 | Cloud/Infra | Document recommendations on General Cloud hygiene |
| PARTIAL DONE |
| 13 | Document Approach on Reporting security incident (Slack, DL etc) |
| DONE | |
| 14 | Source Code Fixes | Fix hip service critical vulnerabilities | BAH-2550: [Security]Fix hip service critical vulnerabilities Closed | ABDM DONE |
| 15 | Fix hiu backend critical vulnerabilities | BAH-2551: [Security] Fix hiu backend critical vulnerabilities Closed | ABDM DONE | |
| 16 | Fix hiu-ui critical vulnerabilities | ABDM DONE | ||
| 17 | Fix critical vulnerabilities in ABHA verification repo. | ABDM DONE | ||
| 18 | Fix critical vulnerabilities in Hiu-db code | ABDM DONE | ||
| 19 | Fix Critical Vulnerabilities in Appointments, Bahmni-lab, Bahmni-web, implementer-interface and patient-Documents images/jars | required DONE | ||
| 20 | Fix Critical Vulnerabilities in the crater-atomfeed repo | required DONE |
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)