Stream: Security and Privacy
Topic: Security Jira Tasks
Grahame Grieve (Dec 01 2021 at 00:17):
https://jira.hl7.org/browse/FHIR-34400
Grahame Grieve (Dec 01 2021 at 00:22):
and https://jira.hl7.org/browse/FHIR-34401
John Moehrke (Dec 01 2021 at 12:18):
I presume the FHIR Program Manager and FMG will be driving FHIR-34401? It seems like a bigger function than security wg.
John Moehrke (Dec 01 2021 at 12:28):
I find FHIR-34400 an odd thing for a specification to mention, as it would always be a factual statement about any specification. Is the main goal to give more visibility to security defensive design tools like OWASP? That is a worthy goal, I would add that we also point at security defensive design guidance from TLS, and OAuth. Possibly we should/could have CERT and Mitre/CVE guidance pointers as well. So, I like the goal, it just seems the hook "Significant vulnerabilities have been found in FHIR Implementations in operational systems" is a bit odd. I just find it odd, but I do agree it would be eye opening, one might say it burns the eyes like fire.
Grahame Grieve (Dec 01 2021 at 12:33):
yes, driving the functionality implied by 34401 would be the job of CHIMPO and the product management groups.
Grahame Grieve (Dec 01 2021 at 12:35):
I don't mind if you want to wordsmith 34400 a bit - I just note that searching 'FHIR security' lands you at that page first, and so I want to get in people's faces that they need to take security seriously, and to reference OWASP at least. Happy to reference other sources of information and guidance, as long as it's crisp.
John Moehrke (Dec 01 2021 at 12:38):
I'm hoping the community helps us wordsmith... like I said, it just seems like an odd statement for ANY specification
Last updated: Apr 12 2022 at 19:14 UTC