Pen tests or security audits

We’re evaluating the security posture of our deployment and are considering making our site publicly accessible. As part of this process, we’d like to know:

  • Has the CHT platform ever undergone formal penetration testing or third-party security audits?
  • If so, are the results or summaries of those assessments available for review?

We’re trying to balance accessibility with security. Our reliance on APN SIMs brings significant operational overhead, and we’ve recently experienced some unexpected downtime without warning, which disrupted service.

Any documentation or insight into past security evaluations would be greatly appreciated - it will help us make a more informed decision.

3 Likes

Hey @Anro - thanks for your question!

We did work with Rapid7 using their InsightAppSec tool back in 2021. As well, we have ongoing, automated scans by GitHub’s dependabot for every new pull request.

We also were looking to do more holistic automated penetration testing, but this effort has slowed as internal resources have been reallocated and spread thin.

Any time there’s a security related issue, it gets the “Security” label. Most recently, in CHT 4.17 we pushed a security feature to require users to change their passwords on first login. As well,

Anecdotally, Medic and many MoHs run their CHT instances publicly and have had no issues so far.

If you have any more concerns about specific aspects of security and the CHT - please let us know!

6 Likes