
Automated testing of known security vulnerabilities of EHDEN tools #15

Open
2 of 5 tasks
SulevR opened this issue Mar 1, 2021 · 1 comment

SulevR commented Mar 1, 2021

Motivations

By our Security Policy draft, the tools that are used by EHDEN for providing Services must conform to a basic level of security, such as the OWASP Top 10. Though EHDEN is not responsible for the development and execution of all these tools, EHDEN shall ensure that these tools are tested to conform to a basic level of security.

Therefore, we do need at least some automated testing to ensure that no common security vulnerabilities are found in these tools.

Proposal for Implementation

Erasmus MC has some experience in running Netsparker automated tests against our web applications. It was quite easy to run, and:

  • Netsparker keeps their security tests/list of known vulnerabilities/recommendations up to date for different technologies. This would be a huge amount of work if we had to do it ourselves. Therefore, it seems to me a good idea to run these tests regularly against our systems.
  • Their report is crisp and easy to read and, most importantly, contains clear recommendations and also links to related standards.

Contributions

Describe how community members can contribute

Someone has to install Netsparker (and pay the licence fee), run the automated tests regularly, and respond to the findings. One option is to just forward the findings to the tool developers.

  • Refresh License
  • Perform test runs -> ongoing
  • Create private security repository to log issues -> EHDEN/Security
  • Link the findings to Github Repository -> waiting for Netsparker support
  • Run full check on sites

Describe which persons are committed to implement

  • EMC has obtained the license and has set up a VM that runs the tests.
  • EMC will set up the system
  • Security task members need to provide input in the settings (led by Utartu?)

SulevR changed the title [Proposal] Automated testing of known security vulnerabilities of EHDEN tools Mar 1, 2021
SulevR added the Roadmap label Mar 1, 2021

@PRijnbeek

This tool development was agreed upon in the WP4 team and has been moved to In Progress.
