Opal security updates

Hi,

There have been some concerns regarding CVE (Common Vulnerabilities and Exposures) notifications that have been issued recently.

For your information, this follows a security audit that was conducted with the support of the LUMC by a third-party, independent security consulting company. This audit not only covered the (always evolving) recommendations of the OWASP foundation but also explored potential functional vulnerabilities. The general impression from this security company is that Opal is very secure relative to the complexity of the software. Nevertheless, some issues were identified and, after a fixed version of Opal was released, I decided to publish the CVE notifications for transparency.

The conclusion is that Opal is very secure software, as attested by this security audit company. Please follow the general recommendation of keeping your Opal installation updated. Opal has an integrated mechanism for performing internal data upgrades, so it has always been safe to simply update the version number and restart the system.

Regards
Yannick


Hi Yannick!!! Thank you for sharing this important information, and also for your transparency.

I think this should be seen not as a problem or limitation, but rather as an opportunity or even an advantage. If we can have this report available openly and share it with the centers that ask us about using DataSHIELD/Opal, it would be great news to help overcome the bureaucratic barriers we often face.

After this analysis done by the external company, will they repeat it with the newer versions where these vulnerabilities have been addressed?

Having access to this report would be a big step forward in adopting DataSHIELD in more centers. In fact, I’m about to take a big step in Africa with our dsOMP library (I’ll tell you more about it soon), and I think having this information would be very relevant.

Best,
Juan

Hi Juan,

As the acceptance tests were positive, Obiba is starting a long term collaboration to support the deployment of the solution at the LUMC. There will be regular security audits. I don’t think the security report can be released publicly.

Perhaps the Datashield group could have a discussion about commissioning external security audits? The resulting reports could be shared with collaborators when requested.

Regards
Yannick