Security Backlog

This document shares the current curated security backlog: the features and capabilities defined on the Bahmni Security Jira board. Refer to the Bahmni Security Posture document for a holistic perspective.

To update the JIRA details below, type "/JIRA" in the Documentation/JIRA column, search for your Jira number and click Insert. The inserted macro shows the issue's current status on the Jira board.


Columns of the table: Categories; Capabilities / Features; Documentation / JIRA; Bahmni Lite v1.0 Release status. The status in parentheses after each Jira key is the issue's workflow status as rendered by the Jira macro at the time of export.

Trivy Secret & Vulnerability Scanning

  1. Analyze false positives or perform quick fixes on Critical vulnerabilities (first pass)
     JIRA: BAH-2416 "Analise false positives or perform quick fixes on Critical vulnerabilities reported by Trivy" (Closed)
     Bahmni Lite v1.0: DONE

  2. Perform a vulnerability check in CI (build) using Trivy and fail the build for Critical issues. Add secret scanning using Trivy in all Bahmni repositories
     JIRA: BAH-2193 "[Security - Infra] Bahmni Agents - Secrets and Dependency Scanning using Trivy" (Closed)
     Bahmni Lite v1.0: DONE

Machine / Node hardening

  3. OpenSCAP for node / machine monitoring
     JIRA: BAH-2142 "[Security - Infra] Bahmni Agents - OS Scanning - OpenSCAP" (Closed)
     Bahmni Lite v1.0: DONE

  4. Apply daily critical security updates automatically (e.g. on EC2 nodes)
     JIRA: BAH-2412 "[SECURITY] Apply daily critical security updates automatically on nodes" (Needs Assessment); BAH-2382 "[Spike] Security updates on EKS Cluster nodes" (Closed)
     Bahmni Lite v1.0: DEFERRED

Firewall

  5. Open-source / free option for bot management and traffic control for Bahmni running on Docker / K8s
     JIRA: BAH-2413 "OpenSource / Free option for Bot Management and Traffic Control for Bahmni running on Docker / K8s" (Needs Assessment)
     Bahmni Lite v1.0: DEFERRED

  6. Document AWS WAF and bot management recommendation for Bahmni Lite
     JIRA: BAH-2414 "Document Bot Management spikes & outcomes" (Backlog)
     Bahmni Lite v1.0: DEFERRED

Security Quality Gates

  7. Explore OWASP ZAP for Bahmni security testing
     JIRA: BAH-1961 "Security testing - Explore OWASP ZAP for Bahmni" (Needs Assessment)
     Bahmni Lite v1.0: DEFERRED

  8. Automate static code analysis using DeepSource / SonarQube → Documentation
     JIRA: BAH-1958 "[Security - Frontend] Static code analysis for linting, code smells and security issues" (Needs Assessment); BAH-1959 "[Security - Backend] Static code analysis for code smells and security issues" (Ready for Development)
     Bahmni Lite v1.0: DEFERRED

Data Protection

  9. Protect patient documents behind login (only for older RPM-based installations; Docker and K8s deployments no longer have this issue)
     JIRA: BAH-2417 "Protect patient documents behind Login" (Needs Assessment)
     Bahmni Lite v1.0: NOT APPLICABLE

  10. Encrypt documents at rest (S3 / file system / connected storage / etc.), e.g. patient documents
     JIRA: BAH-2418 "Encrypt documents at rest (S3/FileSystem/Connected Storage/etc) e.g. Patients Documents" (Needs Assessment)
     Bahmni Lite v1.0: DEFERRED

Identity Management

  11. Mitigate default credentials risk
        • Ensure a password change on first login, e.g. for the default superman user
        • Remove default credentials from code, e.g. .env, values.yaml, etc.
     JIRA: BAH-1960 "Cleanup default creds from code and Wiki" (Needs Assessment)
     Bahmni Lite v1.0: DEFERRED

Cloud/Infra

  12. Document recommendations on general cloud hygiene
     JIRA: (none linked)
     Bahmni Lite v1.0: PARTIALLY DONE

  13. Document the approach to reporting a security incident (Slack, DL, etc.)
     JIRA: (none linked)
     Bahmni Lite v1.0: DONE

Source Code Fixes

  14. Fix hip service critical vulnerabilities
     JIRA: BAH-2550 "[Security]Fix hip service critical vulnerabilities" (Closed)
     Bahmni Lite v1.0: ABDM DONE

  15. Fix hiu backend critical vulnerabilities
     JIRA: BAH-2551 "[Security] Fix hiu backend critical vulnerabilities" (Closed)
     Bahmni Lite v1.0: ABDM DONE

  16. Fix hiu-ui critical vulnerabilities
     JIRA: https://bahmni.atlassian.net/browse/BAH-2552
     Bahmni Lite v1.0: ABDM DONE

  17. Fix critical vulnerabilities in the ABHA verification repo
     JIRA: https://bahmni.atlassian.net/browse/BAH-2553
     Bahmni Lite v1.0: ABDM DONE

  18. Fix critical vulnerabilities in Hiu-db code
     JIRA: https://bahmni.atlassian.net/browse/BAH-2554
     Bahmni Lite v1.0: ABDM DONE

  19. Fix critical vulnerabilities in Appointments, Bahmni-lab, Bahmni-web, implementer-interface and patient-Documents images/jars
     JIRA: https://bahmni.atlassian.net/browse/BAH-2557
     Bahmni Lite v1.0: required DONE

  20. Fix critical vulnerabilities in the crater-atomfeed repo
     JIRA: https://bahmni.atlassian.net/browse/BAH-2786
     Bahmni Lite v1.0: required DONE

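A CI gate of the kind item 2 asks for, as an added example (this is not Bahmni's own CI code): the build scans the image with Trivy, writes a JSON report, fails on any CRITICAL vulnerability while only reporting HIGH ones, and separately fails on any secret committed to the repository (the .env / values.yaml risk listed under item 11). It assumes Trivy 0.41 or later on PATH (for the --scanners flag); the image tag, the RUN_SCAN switch, the count_severity / gate helper names and the sample report are all placeholders introduced here, and the sample report is constructed, not real Trivy output.

```shell
#!/usr/bin/env bash
# Added example (not Bahmni's own CI code): Trivy quality gate for a build
# pipeline. Assumptions: trivy >= 0.41 on PATH; image tag below is a placeholder.
set -eu

# Count findings of one severity in a Trivy JSON report. Trivy emits a
# "Severity": "<LEVEL>" key per finding for both vulnerabilities and secrets,
# so the same counter serves `trivy image` and `trivy fs --scanners secret`.
count_severity() {
  report="$1"; level="$2"
  { grep -o "\"Severity\": *\"$level\"" "$report" || true; } | wc -l | tr -d ' '
}

# Gate decision: return 0 (pass) only when the report has no CRITICAL finding.
# HIGH findings are counted and printed for the build log but do not block.
gate() {
  report="$1"
  crit=$(count_severity "$report" CRITICAL)
  high=$(count_severity "$report" HIGH)
  echo "trivy gate: CRITICAL=$crit HIGH=$high (report: $report)"
  [ "$crit" -eq 0 ]
}

# Vulnerability scan of the built image. --ignore-unfixed drops findings with
# no vendor fix available, which item 1's triage cannot act on anyway.
scan_image() {
  image="$1"; out="$2"
  trivy image --format json --output "$out" --ignore-unfixed --scanners vuln "$image"
}

# Secret scan of the checked-out repository: any committed credential
# (.env, values.yaml, ...) is a finding, and --exit-code 1 fails the build.
scan_secrets() {
  trivy fs --scanners secret --exit-code 1 "$1"
}

# Constructed sample report (not real Trivy output, not real CVE IDs) with one
# CRITICAL vulnerability, one CRITICAL secret and one HIGH vulnerability,
# used to exercise gate() without running trivy.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "SchemaVersion": 2,
  "Results": [
    {
      "Target": "example-image (alpine 3.18)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        { "VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL" },
        { "VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample", "Severity": "HIGH" }
      ]
    },
    {
      "Target": ".env",
      "Class": "secret",
      "Secrets": [
        { "RuleID": "example-password", "Severity": "CRITICAL", "Title": "Password in .env" }
      ]
    }
  ]
}
EOF
}

# Pipeline entry point; runs only as `RUN_SCAN=1 ./trivy_gate.sh <image>` so the
# helper functions can be sourced and tested without trivy installed.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  IMAGE="${1:-bahmni/example-service:ci}"   # placeholder tag (assumption)
  REPORT="$(mktemp)"
  scan_image "$IMAGE" "$REPORT"
  scan_secrets .
  gate "$REPORT"
fi
```

Wire it in after the image build step. The gate parses the JSON itself instead of relying only on `trivy image --exit-code 1` so that the build log records the HIGH count every run without blocking on it, while the secret scan is left strictly blocking: a leaked credential has no "accept the risk" path in CI.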
 

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)