Cyber Security and Open Source Community Call Summary

Similar documents
BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

Department of Veterans Affairs. Open Source Electronic Health Record Services

Creating Value through Innovative IT Auditing

Frontiers in Cyber Security: Beyond the OS

Department of Veterans Affairs VA DIRECTIVE 6402

High Availability of VistA EHR in Cloud. ViSolve Inc. White Paper February

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Product Build. ProPath. Office of Information and Technology

Cybersecurity in a Mobile IP World

IT-CNP, Inc. Capability Statement

ivos Technical Requirements V For Current Clients as of June 2014

2012 CIP Spring Compliance Workshop May Testing, Ports & Services and Patch Management

Open Source Software Project Management A Case Study Red Hat Enterprise Linux. Bob Johnson, Red Hat

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

Linux Technologies QUARTER 1 DESKTOP APPLICATIONS - ESSENTIALS QUARTER 2 NETWORKING AND OPERATING SYSTEMS ESSENTIALS. Module 1 - Office Applications

What is Really Needed to Secure the Internet of Things?

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release July 2015

The Operating System Lock Down Solution for Linux

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009

Tips and Best Practices for Managing a Private Cloud

VMware vcenter Update Manager Administration Guide

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

VA Medical Device Protection Program (MDPP)

Electronic Health Record System (EHR) Project. Request for Information RFI-CDVA Attachment 5 Statement of Work 2 Maintenance & Operations

BMC Client Management - SCAP Implementation Statement. Version 12.0

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Applying Software Quality Models to Software Security

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Patch and Vulnerability Management Program

Cisco Unified Communications Remote Management Services

Federal Desktop Core Configuration (FDCC)

Storage Capacity Management for Oracle Databases Technical Brief

CYBERSPACE SECURITY CONTINUUM

Shipping Products Chart. Contents

Practical Applications of Software Security Model Chris Nagel

High End Information Security Services

BSM for IT Governance, Risk and Compliance: NERC CIP

Outsource IT Services

An Esri White Paper January 2010 ArcGIS Server and Virtualization

Dynamic Service Desk. Unified IT Management. Solution Overview

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

CONTINUOUS INTEGRATION

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool

HP Fortify Software Security Center

Automated Patch Management Service

Office of Information and Technology 2015 National Veterans Small Business Engagement

Content Distribution Management

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Application Code Development Standards

Enabling IT Agility with an Open Hybrid Cloud

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Integrating Physical Protection and Cyber Security Vulnerability Assessments

Carahsoft End-User Computing Solutions Services

CA Client Automation

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

Symantec Client Management Suite 7.6 powered by Altiris technology

RHEL source and binary code Software documentation Major Releases - Minor Releases Errata Access to the Red Hat Network

Penetration Testing Services. Demonstrate Real-World Risk

VMware vcenter Update Manager Administration Guide

Enhancing Your Network Security

Problems and Measures Regarding Waste 1 Management and 3R Era of public health improvement Situation subsequent to the Meiji Restoration

HP Security Assessment Services

Why. Control System Cyber Security Sucks. CERN Control Centre. CERN Computer Centre

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

Symantec Client Management Suite 8.0

National Cybersecurity Assessment and Technical Services: Capability Brief. Presented by: Sean McAfee Updated: May 5, 2014

Dynamic Kernel Module Support. Matt Domsch, Software Architect Dell, Inc.

Track 2: Introductory Track PREREQUISITE: BASIC COMPUTER EXPERIENCE

Chapter 9 Software Evolution

Workshop & Chalk n Talk Catalogue Services Premier Workshop & Chalk n Talk Catalogue

Transcription:

Cyber Security and Open Source Community Call Summary April, 2016 Seong K. Mun, PhD Don Hewitt OSEHRA Arlington, Virginia

Cybersecurity Workgroup Ad Hoc group to address questions posed by VA OSEHRA Cybersecurity Workgroup - https://www.osehra.org/groups/cybersecurity-and-opensource Weekly Call Meetings held to discuss issues Summary in this briefing Will be followed by establishment of a VA Technical Working Group (TWG) on VistA Security Will operate under OSEHRA s VA contract Community participation will be invited 2

Key Questions from VA 1. Does the open source community have a focus on cyber security? 2. Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed? 3. Are there lessons learned from Red Hat/LINUX WRT cybersecurity that might be applicable to health IT? 4. What is the relationship of OSEHRA certification to cybersecurity? 3

(Q1) Focus on Cyber Security OSEHRA has not (yet) Implementer has ultimate responsibility for security Open source code delivered as-is Community focus on tools Some examples of open source projects in greater OS community http://www.open-scap.org/ 4

(Q2) Open Source Projects Previous special project for vulnerability remediation M2M Broker Vulnerability Joint effort, closed project group under non-disclosure Precedent and process established No project proposals for explicit security upgrades VA has proposed an open source project for a code scanning tool (similar to HP Fortify) for M code OSEHRA recommends enhancing the existing Xindex tool rather than starting from scratch Most effective approach would be a funded community open source project 5

(Q3) Red Hat Reporting Are there lessons learned from Red Hat/LINUX WRT cybersecurity that might be applicable to health IT? 6

Securing Open Source Code - Red Hat Open Source Linux Community Open Source Compiled within Red Hat Automated Tamper Proof Build Code Scanned System, People (Supply Chain Management) Hardware Based Crypto Keys Testing and Certification Secure Content Delivery Secure Delivery End User Customer Open Source Projects for Cybersecurity Tools Open Source Cybersecurity Tools OS Community Innovation Productization OS Commercial Product

Open Source EHR Community Securing VistA - VA Open Code Review OSEHRA Certification Open Source VA: OI&T Compiled within VA Network VA Testing and Certification Automated Tamper Proof Build Code Scanned System, People (Supply Chain Management) Hardware Based Crypto Keys Secure Content Delivery Secure Deliver y Open Source Projects for Cybersecurity Tools Open Source Cybersecurity Tools OS Community Innovation Productization OS Commercial Product

(Q4) Certification What is the relationship of OSEHRA Certification to cyber security? Brief answer: OSEHRA Certification is intended as a prerequisite for, not a replacement of, the in-depth testing required for specific implementations. As such, while specific tools may be run during code review, OSEHRA does not intend to certify the security of code. However 9

(Q4) Certification Components 10

(Q4) SAC Checking Standards and Conventions Compliance Critical aspect of security Dependent upon quality / breadth of SAC rule base Example: scope checking Susceptible to use of scanning tools Fortify (but not for M code) Xindex (covers M code, but currently limited) 11

Current Status The XINDEX tool developed by VA is the only current MUMPS code scanning tool in use. XINDEX is a Mumps routine which parses and analyzes all the routines in VistA install. The analysis includes a variety of useful information, including: Errors and warnings for the code based on MUMPS language and VA SAC (The Department of Veterans Affairs M Programming Standards and Conventions) List of all calls to other routines List of calls within the routine Global and naked global usage in the routine Local variable usage in the routine OSEHRA utilized XINDEX as part of its certification process on VA Gold Disk support project.

Challenges MUMPS expertise increasingly scarce Declining even within VA Scattered pockets of expertise in community Code base continually evolving Continuing development and bug fixes Fileman being changed during intake

(Q4) Code Review Major advantage of open source More eyes on code is better Security through obscurity is a myth Proper facilitation is key Bugs Possible improvements Possible (or definite) vulnerabilities Documented issues and results 14

(Q4) Regression Testing Continuous Unit Testing Emergent best practice Critical part of defense in depth Required for higher OSEHRA certification levels M-Unit available for M code Newest version in OSEHRA repository Certified to OSEHRA Level 4 15

(Q4) Summary No overt security certification by OSEHRA Substantial contribution to security of incoming open source code Use of automated scan tools Open code review Requirement for unit tests As tools improve (e.g. Xindex), OSEHRA contribution to security will increase 16

Contact: Don Hewitt hewittd@osehra.org (571) 858-3376

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information