2023-10 - Comprehensive Security Assessment of the openIMIS Web Application through Penetration Testing

Overview

Date: 2024-02-01

Status: wip

Release: https://openimis.atlassian.net/wiki/spaces/OP/pages/3594387457

TestType: Security Assessment - Penetration Testing

TestTopic: Security

Context: https://openimis.atlassian.net/wiki/spaces/OP/pages/3531407380

Tester: Harry Larbi

A01: WIP - https://openimis.atlassian.net/wiki/spaces/OP/pages/3590291457

A02: WIP

A03: WIP

A04: WIP

A05: WIP

A06: WIP

A07: WIP

A08: WIP

A09: WIP

A10: WIP

Introduction

As healthcare systems transition towards digital platforms for record-keeping and patient management, the volume and complexity of sensitive data stored within these systems continue to grow. This makes them prime targets for cyber attackers seeking to exploit vulnerabilities for financial gain or malicious intent.

In light of these developments, safeguarding software systems that handle healthcare data is not just a matter of compliance or best practice; it is a critical component of ensuring the continuity and integrity of healthcare services. By prioritizing security measures and adopting robust cybersecurity protocols, we can mitigate risks, protect patient privacy, and uphold trust in healthcare systems within the evolving digital space.

The Comprehensive Security Assessment of the openIMIS Web Application through Penetration Testing is a master's thesis by Harry Larbi of the Offenburg University of Applied Sciences, aimed at evaluating the security posture of the openIMIS web application. The project focuses on identifying potential vulnerabilities and security weaknesses within the openIMIS system, employing industry-standard penetration testing methodologies and tools, and further discusses the architecture behind Dynamic Application Security Testing (DAST) tools and their effectiveness and efficiency in vulnerability exploration and detection. It is supervised by Prof. Dr. Dirk Westhoff, Dean of Studies, Enterprise and IT-Security (ENITS), Offenburg University of Applied Sciences, with Uwe Wahser, IT Specialist at the openIMIS Coordination Desk, as external supervisor.

Objective

The primary objective of this project is to conduct a thorough security assessment of the openIMIS web application to identify and mitigate potential vulnerabilities and security weaknesses. By performing penetration testing and vulnerability analysis, the project aims to enhance the overall security posture of the openIMIS system, ensuring the confidentiality, integrity, and availability of sensitive data.

Methodology

The penetration testing approach will be black-box; for the authentication aspects of the application, however, the approach will be grey-box. The methodology for the Penetration Testing and Security Assessment of openIMIS project involves the following steps:

  1. Environment Setup: Installation of openIMIS on a Windows 11 platform using Docker containers for scalability. Configuration of Kali Linux on a virtual machine using VirtualBox with network bridging for penetration testing purposes.

  2. Vulnerability Scanning (Automated Scan): Use of Nessus, a vulnerability scanner of the Dynamic Application Security Testing (DAST) kind, to conduct a deep assessment of the openIMIS system and generate an advanced vulnerability assessment report.

  3. Web Application Analysis (Manual Testing): Use of Burp Suite for a detailed analysis of the openIMIS web application, focusing on identifying potential vulnerabilities such as injection flaws, cryptographic failures, and other web-related exploits.

  4. OWASP Alignment: The evaluation of openIMIS will be conducted in accordance with the best practices outlined by the Open Web Application Security Project (OWASP).

  5. Reporting: Documentation of findings and analysis, including mitigation recommendations, in a comprehensive report to be presented as part of the thesis.

Research Questions - Literature Review

RQ1: What is the architecture utilized by Dynamic Application Security Testing tools employed in penetration testing?

In exploring the architecture of Dynamic Application Security Testing (DAST) tools for penetration testing, the goal is to explain how these tools work to find vulnerabilities in web applications.

RQ2: How effective and efficient are DAST tools in vulnerability exploration and detection?

I'll explore how different parts of the tool, like the scanning engine and crawling module, work together or interact to find vulnerabilities accurately and promptly.

RQ3: Is relying solely on DAST tools (Automatic Testing) for security assessment adequate, or is manual testing essential for security experts to ensure comprehensive evaluation?

To answer this key research question RQ3, the outcome of the automated testing, together with the exploration of RQ1 and RQ2 (which inquire into the architecture of DAST tools and their effectiveness and efficiency), will be compared to the result of the manual assessment. Through this comparison, the most effective approach will be deduced.
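The RQ3 comparison above needs a way to match what the scanner reported against what manual testing found, per OWASP category. The following script is an added illustration, not code from the thesis or the openIMIS project; the finding records and their keys (F-101 and so on) are constructed placeholders, and the category identifiers follow the page's A01 to A10 tracker.

```python
"""Reconcile automated (DAST) and manual findings per OWASP Top 10 category.
Constructed example for the RQ3 comparison; the records are placeholders,
not results from the openIMIS assessment."""
from collections import defaultdict

# Constructed placeholder findings: "key" identifies one issue so that the
# scanner's report and the manual report can be matched against each other.
FINDINGS = [
    {"key": "F-101", "category": "A05", "source": "dast"},
    {"key": "F-101", "category": "A05", "source": "manual"},
    {"key": "F-102", "category": "A05", "source": "dast"},
    {"key": "F-201", "category": "A06", "source": "dast"},
    {"key": "F-301", "category": "A01", "source": "manual"},
    {"key": "F-401", "category": "A07", "source": "manual"},
]
CATEGORIES = [f"A{n:02d}" for n in range(1, 11)]  # A01 .. A10

def reconcile(findings):
    """Per category: issues seen by both sources, scanner only, manual only."""
    keys = defaultdict(lambda: {"dast": set(), "manual": set()})
    for f in findings:
        keys[f["category"]][f["source"]].add(f["key"])
    result = {}
    for cat in CATEGORIES:
        dast, manual = keys[cat]["dast"], keys[cat]["manual"]
        result[cat] = {"both": sorted(dast & manual),
                       "dast_only": sorted(dast - manual),
                       "manual_only": sorted(manual - dast)}
    return result

def dast_recall(findings):
    """Share of manually confirmed issues that the scanner also reported."""
    manual = {f["key"] for f in findings if f["source"] == "manual"}
    dast = {f["key"] for f in findings if f["source"] == "dast"}
    return len(manual & dast) / len(manual) if manual else 0.0

def summary(findings):
    """One status line per category, matching the page's A01..A10 tracker."""
    lines = []
    for cat, r in reconcile(findings).items():
        counts = {k: len(v) for k, v in r.items()}
        status = " ".join(f"{k}={n}" for k, n in counts.items()) if any(counts.values()) else "no findings"
        lines.append(f"{cat}: {status}")
    return lines

if __name__ == "__main__":
    print("\n".join(summary(FINDINGS)))
    print(f"DAST recall vs manual: {dast_recall(FINDINGS):.2f}")
```

The manual-only set per category is the part of the comparison that speaks to RQ3: it is what automated testing alone would have missed on this sample.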

Outcome

The expected outcome of this project is to provide insights into the security posture of the openIMIS web application, highlighting vulnerabilities and weaknesses that require remediation. By conducting thorough penetration testing and security assessment, this research work aims to contribute to the improvement of the overall security of the openIMIS web application, ensuring its resilience against potential cyber threats. Ultimately, it aims to improve cybersecurity practice by encouraging the use of DAST tools (automated testing) together with manual testing in security assessments, to increase confidence in reports from security professionals.


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/