Cyber Security and Open Source Community Call
Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
Call-in number: 1-650-479-3207, Access code: 661 832 679
1:00 pm (Eastern), Wednesday, March 23, 2016
Seong K. Mun, PhD; Don Hewitt, CISSP
OSEHRA, Arlington, Virginia

Agenda
• Specific Questions and Lead Volunteers
• Workgroup Reports: Questions 1 to 4
• Work Schedule
• Any Questions or Comments?
Please Note: Calls are recorded for future reference, and collected documents are open.

Cybersecurity Workgroup
• OSEHRA Cybersecurity Workgroup: https://www.osehra.org/groups/cybersecurity-and-open-source
• Onboarding
  1. Join OSEHRA as an Associate member (free)
  2. Join the Cybersecurity Workgroup to receive meeting notices and minutes
• Workgroup Resources (located on the Group homepage)
  – Section Leaders
  – Reference Documents List
  – Draft Response Documents
  – Members
• Weekly Call Meetings (Wednesdays, 1:00 PM Eastern)
  – Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
  – Call-in number: 1-650-479-3207, Access code: 661 832 679

Need Lead Volunteers
1. Does the open source community have a focus on cyber security? (Mun, OSEHRA)
2. Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed? (Hewitt, OSEHRA)
3. Are there lessons learned from Red Hat/Linux with respect to cybersecurity that might be applicable to health IT? (Hilburger, Red Hat)
4. What is the relationship of OSEHRA certification to cybersecurity? (Hewitt, OSEHRA)

(Q1) Focus on Cyber Security
• OSEHRA does not (yet) have one
• Some examples in the greater open source community
  – http://www.open-scap.org/
• Available open source security resources
  – NIST
  – DHS

(Q2) Open Source Projects
• Previous special project for vulnerability remediation
  – M2M Broker vulnerability
  – Joint effort, closed project group under non-disclosure
  – Precedent and process established
• No project proposals for explicit security upgrades
• Project Metron and Apache NiFi proposed as items of interest
• VA has proposed an open source project for a code scanning tool (similar to HP Fortify) for M code
  – OSEHRA recommends enhancing the existing Xindex tool rather than starting from scratch
  – The most effective approach would be a funded community open source project

(Q3) Red Hat Reporting
• Are there lessons learned from Red Hat/Linux with respect to cybersecurity that might be applicable to health IT?

(Q4) Certification
What is the relationship of OSEHRA Certification to cyber security?
Brief answer: OSEHRA Certification is intended as a prerequisite for, not a replacement of, the in-depth testing required for specific implementations. As such, while specific tools may be run during code review, OSEHRA does not intend to certify the security of code.
However…

(Q4) Certification Components

(Q4) SAC Checking
• Standards and Conventions (SAC) compliance
  – Critical aspect of security
  – Dependent upon the quality and breadth of the SAC rule base
  – Example: scope checking
• Amenable to scanning tools
  – Fortify
  – Xindex (currently limited)

(Q4) Code Review
• Major advantage of open source
  – More eyes on the code is better
  – Security through obscurity is a myth
• Proper facilitation is key, covering:
  – Bugs
  – Possible improvements
  – Possible (or definite) vulnerabilities
• Documented issues and results

(Q4) Regression Testing
• Continuous unit testing
  – Emergent best practice
  – Critical part of defense in depth
  – Required for higher OSEHRA certification levels
• M-Unit is available for M code

(Q4) Summary
• No overt security certification by OSEHRA
• Substantial contribution to the security of incoming open source code
  – Use of automated scan tools
  – Open code review
  – Requirement for unit tests
• As tools improve (e.g. Xindex), OSEHRA's contribution to security will increase

Workgroup Schedule
• Weekly calls, 1:00 PM (Eastern)
  – Volunteer leaders will facilitate
• Wednesday, March 30
• Wednesday, April 6
• Wednesday, April 13: SUBMISSION TO VA

Closing…
• Thoughts?
• Comments?
• Questions?

Adjournment