Security Areas of Concern
Dan Cunningham edited this page Oct 31, 2015 · 2 revisions
Areas of concern and potential vulnerabilities:
- openmrs_setup script chmod's a directory to 777 and puts a utils.sh file there
- use of strong root passwords and control of who has access to them (especially for servers with real patient data on them)
- use of shared and weak OpenMRS log-in credentials and who has access to them (especially for servers with real patient data on them)
- profile loading includes javascript that is run in a webview on the client
- no client input validation (@rodrigo - where are you referring to? the ODK forms? or somewhere else?)
- is data encrypted in server at database or filesystem level?
- is data secure in the air? do tablets talk to server via SSL?
- is the SQLite database encrypted on tablets at database or filesystem level?
- PIN to unlock tablets? (at Android OS level)
- PIN within app to log in as a user?
- Automatic log out after a period of inactivity?
- Who has real patient data on tablets?
- Access to Google Compute Engine machine with real patient data
- Documents stored in Google Drive
- Documents stored in Dropbox
- Documents shared on Slack
- Documents/photos stored locally on cameras, laptops, harddrives, USB sticks, tablets, mobiles?
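One way to check the first item above (the world-writable directory holding utils.sh), as an added shell example that is not part of the project's own openmrs_setup script; the directory to audit is an assumption, and the demonstration uses a temporary directory it constructs itself:

```shell
#!/bin/sh
# Added audit helper, not part of the project's openmrs_setup script.
# Flags a directory that is world-writable (mode 777 etc.) and lists the
# shell scripts inside it: any local user could replace such a script
# before a privileged process sources or runs it. The directory to check
# is an assumption here; pass the one openmrs_setup actually creates.

# audit_script_dir DIR -> returns 0 if DIR is not world-writable,
# 1 if it is (printing each *.sh found), 2 if DIR does not exist.
audit_script_dir() {
    asd_dir="$1"
    [ -d "$asd_dir" ] || { echo "no such directory: $asd_dir" >&2; return 2; }
    # Read the symbolic mode from ls -ld (portable across GNU and BSD);
    # character 9 is the "other" write bit, character 10 carries the sticky bit.
    asd_mode=$(ls -ld "$asd_dir" | cut -c1-10)
    asd_other_w=$(printf '%s' "$asd_mode" | cut -c9)
    asd_sticky=$(printf '%s' "$asd_mode" | cut -c10)
    if [ "$asd_other_w" != "w" ]; then
        echo "OK   $asd_dir ($asd_mode) is not world-writable"
        return 0
    fi
    case "$asd_sticky" in
        t|T) asd_note="sticky bit set: others cannot delete or rename, but can still add files" ;;
        *)   asd_note="no sticky bit: any user can delete and replace files here" ;;
    esac
    echo "RISK $asd_dir ($asd_mode) is world-writable; $asd_note"
    for asd_f in "$asd_dir"/*.sh; do
        [ -e "$asd_f" ] || continue
        echo "     script exposed: $asd_f ($(ls -l "$asd_f" | cut -c1-10))"
    done
    return 1
}

# Constructed demonstration: a temporary directory set up the way the
# concern describes (chmod 777 plus a utils.sh), then the same directory
# after the permissions are tightened to 755.
demo_dir=$(mktemp -d)
touch "$demo_dir/utils.sh"
chmod 777 "$demo_dir"
audit_script_dir "$demo_dir" || echo "     fix: chmod 755 $demo_dir"
chmod 755 "$demo_dir"
audit_script_dir "$demo_dir"
rm -rf "$demo_dir"
```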