FHIR Specification Feedback
FHIR-34400

Security Page should mention oWASP page up front


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Very High
    • FHIR Core (FHIR)
    • R4
    • Security
    • Security

      Change the paragraph at http://build.fhir.org/secpriv-module.html#security

      Change the mention of mobile OWASP to point to just the root of OWASP: [OWASP](https://owasp.org/)

      Add paragraph:

      Recent evidence indicates a lack of implementer attention to addressing common security vulnerabilities emphasized by the [OWASP top 10 API](https://owasp.org/www-project-api-security/). Reviewing the [OWASP Top Ten](https://owasp.org/www-project-top-ten/) and the [OWASP mobile top 10](https://owasp.org/www-project-mobile-top-10/) and ensuring those vulnerabilities are mitigated is important for good security.

    • Kathleen Connor / Julie Maas: 8-0-0
    • Clarification
    • Compatible, substantive
    • R5

    Description

      The security page should contain a clearly marked box that says:

      Significant vulnerabilities have been found in FHIR implementations in operational systems. These vulnerabilities have mainly been caused by poor implementation practices, not following well-documented security practices such as those published by organisations like [OWASP](https://owasp.org/). All FHIR implementers should be familiar with OWASP recommendations and follow their recommendations carefully.

      or something like that. Once approved for R5 by the security committee, I'll make this a technical correction to R4 (upon approval from CTO/CSO).

      People

            Assignee: Unassigned
            Reporter: Grahame Grieve
            Watchers: 3