The latest penetration test of OpenCRVS was performed by GoFore - NORAD's preferred security testing provider. GoFore Plc conducts security assessments for public and private organisations in the form of white hat penetration testing (aka ethical hacking) to simulate an adversary attacking the system and identifying vulnerabilities that may be exploited to compromise data confidentiality, integrity and availability.
Gofore pentesters utilise proven pentesting methods of code review, automated enumeration scans via the public internet, fuzzing with diverse input, and manual tests. The security assessment was conducted in two rounds, first to identify and report vulnerabilities, and then reassessed to ensure reported vulnerabilities were resolved.
"Already from the results of the first assessment, it was evident that the OpenCRVS web application had a good security posture. The web application security fundamentals were sound."GoFore Cyber Security Consultant
Our mobile application and microservices are secure, protected by 2-Factor Authentication utilising OAuth JWT best practices. 2FA codes are sent to the user's mobile device in order log in. These codes time out after 5 minutes preventing brute force attack and ensuring only authenticated users with access to authenticated hardware can access OpenCRVS.
User types and access controls are managed in order to segregate personally identifiable data to only to the users who need it. These user types can be set up in the Team GUI accessible by National and Local System Administrators. Every access to a specific declaration or registration is audited in order to track who viewed the data thus protecting citizen rights.
All OpenCRVS data is encrypted in transit and at rest. OpenCRVS includes daily, automated, external back up as a configurable option in our Ansible script. The Ansible script automatically provisions a secure firewall to OpenCRVS on each node.