OpenMRS Security Assessment 1

From Foss2Serve
Revision as of 18:05, 17 August 2015 by Scrain (Talk | contribs)
Jump to: navigation, search



Description Help students gather information from the OpenMRS community in preparation for a security assessment.
Source Steven P. Crain
Prerequisite Knowledge Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process.
Estimated Time to Completion 4 hours
Learning Objectives
  1. Students gain familiarity with how the HFOSS communicates.
  2. Students learn to search for information that is relevant to a security assessment.
  1. OpenMRS Website
  1. OpenMRS Developers' Forum talk about web application security
Rights Creativecommons-by-nc-sa-40.png This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Turn In



This assignment is the first in a series of risk assessment assignments for OpenMRS. You will be analyzing the documentation of this open source project in order to prepare for the following assignments. You are encouraged to complete this assignment with a partner. Teams of of 1–3 students are acceptable.

For this assignment, you will be creating a well-written (10 pts) risk assessment document. The directions below direct you to explore a number of different questions. You are expected to directly address each of these questions in your document, with references to specific pages and resources at OpenMRS. Remember to include the names of all group members in the document.

Risk Exposure (10 pts)

Using the OpenMRS website determine what kinds of organizations use the OpenMRS product. How likely are these kinds of organizations to be specifically targeted? If the product were used more extensively in the United States, how would that change the risk exposure?

Risk Appetite (10 pts)

Listen to the discussion on security in the Dec. 4, 2014 Developers' Talk. (This link works fine on Windows computers, but did not work on a Linux computer, so you may need to hunt for a machine where you can watch it. I did not find that the screencast version added much over the audio-only version.) Pay special attention to the questions and answers portion that starts at about 35 minutes into the recording. What is the typical attitude that users of OpenMRS have towards security risk?

Risk Assessment Boundary (20 pts)

We will be limiting our risk assessment to the OpenMRS database (database layer), API (service layer) and reference Webapp. Read the introductory documentation and describe this risk assessment boundary in more detail in your document. You should use at least 4 paragraphs for this section of your document, an initial paragraph that describes the boundary at a relatively high level and then a paragraph for each of the main components in the boundary (database, API and Webapp). Optionally, you may include an extra module in your boundary for extra credit.

Assets (20 pts)

Based on the Developers' Talk and searches in the OpenMRS documentation, identify the important assets of an OpenMRS installation. Remember to include anything that is critical for the operations of an organization using OpenMRS and also anything that would be useful to an attacker. The Implementer Guide is fairly dense, but contains significant information about assets.

Remember to include hardware assets, data assets, functionality assets, communication assets and human assets, unless any of these categories is insignificant for OpenMRS users.

For each asset, identify how detrimental it would be to the organization if it were compromised or made unusable.

Existing Controls (20 pts)

Search the OpenMRS documentation for information about the existing security controls and plans for enhancement. In your document, state how you searched for this information and summarize what you found out.

Make a list of questions that you would like answered, based on the Developer's Talk you listened to and the other documentation you have read. The questions can be related to who uses the product, reported threats, architecture, existing controls, or anything else you might need to complete the security risk assessment in later assignments. You should have at least 3 questions.

Executive Summary (10 pts)

Add an executive summary at the start of the document. It should provide the main findings of your risk assessment so far in non-technical language. Executive summaries are a critical part of any business document, because the top executives of a company want to get the important facts quickly without reading a long report.


You may work in groups of 1 to 3 students, but 2 students is recommended. I recommend that you divide the work. For this assignment, you may talk to other students for help accessing the resources needed to complete the assignment, but you should not discuss the details of your assessment.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License


Personal tools
Learning Resources
HFOSS Projects