Sprint 147 Progress Summary

December 15th - December 29th

Executive Summary

Overall Summary

Sprint status is excellent. The Product Team prioritized the following themes and tasks for Sprint 147:

+ Partner and Community support
     – Forum discussions
     – Support for the Federal Agencies Implementations (VA, CMS, DoD, SSA)
     – Community support
+ Post 4.4 Release - Refactoring and Cleanup Tasks
     – Backlog Grooming and JIRA Cleanup
     – Refactoring and Technical User Stories
     – Process Improvements
+ eHealth Exchange Certification Review/Remaining Issues
     – WS-Addressing Must Understand Attribute
     – Removing Semantic Text Values
     – Purpose of Use and Role Declarations
     – Review of EHEX Certification Manual Checklists
+ Validation of Auditing Design against EHEX Checklist
+ Functional and Security Testing Improvements

The team completed 28 points during this holiday-impacted sprint. The continued focus this sprint was on reviewing and addressing any compliance issues related to the eHealth Exchange manual checklists. These reviews were conducted against the checklists published on the Healtheway website. The team pulled in several tickets related to Functional and Security Testing Improvements as more was learned from working with the latest security scan rule packs and from using additional scanning tools. Supporting our federal partners and their implementation efforts, as well as the open source community, continues to be a top priority.


Two tickets could not be completed; the open tasks will carry over to the next sprint. One of the issues depended on coordinating with an open source contributor, and that coordination could not be completed during the sprint. The other open issue was related to documenting some team process improvements.


Burndown:


Sprint Themes and related tickets for Sprint 147:

Partner and Community support

– Support for the VA 4.2.2.2 implementation
    • Worked with the VA implementation team on a DQ exception that was being recorded; it was traced back to the adapter, and additional insight on a potential resolution was provided
    • 4.2.2.2 release information can be found here - 4.2.X+Patches
– Continued working with the DoD security team answering questions and coordinating security reviews for CONNECT
    • Started developing a process, and learning a tool, for reviewing software dependencies
– Met and worked through timestamp issue with CMS for a message exception being experienced, resolved by syncing Gateway system clocks (CONN-1580)
– Continued working through an issue, and facilitating the discussion, concerning a request made by SSA in 4.3.2 regarding NIST testing
    • SAML PoU attribute, Role declaration and HL7 schemas
– Continued community support for other adopters installing CONNECT and beginning their testing and validation
    • Another seven users signed up during this sprint
– Responded to several community questions via the forums
    • A few new users continued to register for the forums even through the holiday season

Post 4.4 Release - Refactoring and Cleanup Tasks

– Reviewed, consolidated (where appropriate) and prioritized the current CONNECT backlog tickets
– Developed Technical Stories for application improvements and needed refactoring
– Updated CONNECT internal dependencies (WebServices and CommonTypes) to use snapshot releases
    • Builds a consistent release path that protects against creating an official release from the wrong code
    • Better processes for development versioning and for referencing between releases
    • Researched Snapshot creation and how it would apply to Common Types and WebServices
    • Applied the Snapshot plan to Connect Webservices and CommonTypes

Support for NwHIN eHealth Exchange Certification Review/Remaining Issues

– Set the "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response (CONN-1506 & CONN-1428)
    • Added supporting tests to regression suite for future compliance
– The first resolution for the Semantic Text removal was applied only to the parameter list in QueryByParameter; it still had to be applied to the MatchCriterionList elements in the PD request schema
    • Parameters MatchAlgorithm & MinimumDegreeMatch
– Researched and addressed the PurposeOfUse and Role scoping issue discovered as part of NIST DS testing
    • Pending official guidance from the Spec Factory, made the prefix configurable, with the default being turned off
– Reviewed CONNECT generated PD request and response against all pertinent manual EHEX certification checklists
    • Split the review by service type and consolidated the manual checklists/spreadsheets accordingly
    • Several spreadsheets were associated with PD
    • No additional findings were found

Validation of Auditing Design against EHEX Checklist

– Auditing is not currently part of the EHEX Certification testing for which manual checklists are published
– The expectation is that it will soon be part of future requirements
– Took the current audit messages and the design for audit improvements and reviewed them against the EHEX checklists
    • Though Audit design addresses all services supported by CONNECT, the review only focused on EHEX supported services
    • Reviewed CONNECT generated audit messages against PD initiator and responder manual checklists from Healtheway
    • Reviewed CONNECT generated audit messages against QD initiator and responder manual checklists from Healtheway
    • Reviewed CONNECT generated audit messages against RD initiator and responder manual checklists from Healtheway

Functional and Security Testing Improvements

– Followed-up with DoD SCQC team on Fortify next steps and final reviews of Release 4.4 (Updated rule engine)
– Added OWASP Dependency Check to the nightly continuous integration process for the Jenkins build
– Resolved CONNECT nightly build issue -- Bimodal Regression test ValidateSAMLResourceURIAttributeTest
– Updated regression suite tests to check that all service responses have the mustUnderstand attribute set on the Action header element
– Addressed post 4.4 Fortify findings
    • Mitigated the "Setting Manipulation" finding, eliminating the ability for an attacker to control values that govern system behavior
    • Mitigated the "System Information Leak: Internal" finding occurring during debugging
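The mustUnderstand item in the EHEX Certification section (CONN-1506 & CONN-1428) and the regression suite update above come down to the same check: every service response must carry a wsa:Action header whose envelope-qualified mustUnderstand attribute is a true value. The script below is an added example and not CONNECT's own regression test (ValidateWSA-ActionSoapMustUnderstandTest is part of the project's Java suite); it shows the check run over a set of constructed SOAP 1.2 responses, including the failure modes a responder can get wrong (attribute absent, set to "0", or not namespace-qualified). The action URI, message IDs and service names are sample values, not taken from the page.

```python
"""Check that SOAP responses carry a wsa:Action header with mustUnderstand set.

Added example, not CONNECT project code. The sample envelopes are constructed.
"""
import xml.etree.ElementTree as ET

# Envelope namespaces for SOAP 1.2 and SOAP 1.1; mustUnderstand is qualified by
# whichever envelope namespace the message uses.
SOAP_ENV_NAMESPACES = {
    "http://www.w3.org/2003/05/soap-envelope",   # SOAP 1.2
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
}
WSA_NS = "http://www.w3.org/2005/08/addressing"   # WS-Addressing 1.0

# SOAP 1.2 types mustUnderstand as xs:boolean ("true"/"1"); SOAP 1.1 uses "1"/"0".
TRUE_VALUES = {"1", "true"}


def check_action_must_understand(soap_xml: str) -> tuple:
    """Return (ok, detail) for one SOAP message.

    ok is True only when exactly one wsa:Action header exists and its
    envelope-qualified mustUnderstand attribute holds a true value.
    """
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if not root.tag.startswith("{") or not root.tag.endswith("}Envelope"):
        return False, "root element is not a SOAP Envelope"
    env_ns = root.tag[1:root.tag.index("}")]
    if env_ns not in SOAP_ENV_NAMESPACES:
        return False, f"unrecognised envelope namespace {env_ns}"
    header = root.find(f"{{{env_ns}}}Header")
    if header is None:
        return False, "no SOAP Header element"
    actions = header.findall(f"{{{WSA_NS}}}Action")
    if len(actions) != 1:
        return False, f"expected exactly one wsa:Action header, found {len(actions)}"
    action = actions[0]
    if "mustUnderstand" in action.attrib:
        # An unqualified attribute is not the SOAP mustUnderstand attribute.
        return False, "mustUnderstand attribute is not envelope-qualified"
    value = action.get(f"{{{env_ns}}}mustUnderstand")
    if value is None:
        return False, "wsa:Action lacks mustUnderstand"
    if value.strip().lower() not in TRUE_VALUES:
        return False, f"mustUnderstand is {value!r}, not a true value"
    return True, f"wsa:Action {(action.text or '').strip()} has mustUnderstand={value}"


def check_all_responses(responses: dict) -> dict:
    """Map each service name to True/False, as a regression run over all services would."""
    return {name: check_action_must_understand(xml)[0] for name, xml in responses.items()}


def _sample_response(action_attrs: str) -> str:
    """Build a constructed SOAP 1.2 response; action_attrs is spliced into wsa:Action."""
    return (
        '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing">'
        "<s:Header>"
        f"<wsa:Action {action_attrs}>urn:example:sample-action</wsa:Action>"
        "<wsa:RelatesTo>urn:uuid:00000000-0000-0000-0000-000000000001</wsa:RelatesTo>"
        "</s:Header><s:Body/></s:Envelope>"
    )


# Constructed responses, one per sample service: two pass, two fail in different ways.
SAMPLE_RESPONSES = {
    "PatientDiscovery": _sample_response('s:mustUnderstand="1"'),
    "QueryForDocuments": _sample_response('s:mustUnderstand="true"'),
    "RetrieveDocuments": _sample_response('s:mustUnderstand="0"'),
    "AdministrativeDistribution": _sample_response(""),  # attribute absent
}


if __name__ == "__main__":
    for name, xml in SAMPLE_RESPONSES.items():
        ok, detail = check_action_must_understand(xml)
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
```

The check deliberately rejects an unqualified mustUnderstand attribute rather than ignoring it, because a SOAP node only honours the attribute in the envelope namespace; a responder that emits the bare attribute would look compliant to a naive string search while still failing the certification requirement.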

Other tasks post release

  • Continuing to work on the team generated Technical Stories
  • Continued backlog grooming and prioritization 
  • Beginning preparation for the Change Control Board

JIRA Planning Board of Committed User Stories for Sprint 147:

Completed Issues

Key | Summary | Issue Type | Priority | Status | Story Points (28)
FHAC-3 | Review CONNECT generated PD request and response against the manual eHex Participant testing checklists | Task | Major | CLOSED | 5
FHAC-7 * | Research and follow-up on the PurposeOfUse and Role scoping issue discovered as part of NIST DS testing | Task | Major | CLOSED | 1
FHAC-8 * | Set "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response message | Story | Major | CLOSED | 0
FHAC-9 * | CONNECT is removing SemanticsText value for MatchCriterionList elements - MatchAlgorithm and MinimumDegreeMatch | Story | Major | CLOSED | 2
FHAC-11 | Review CONNECT generated audit messages against PD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 3
FHAC-12 * | Review CONNECT generated audit messages against QD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 2
FHAC-13 * | Review CONNECT generated audit messages against RD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 2
FHAC-15 | Research Set "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response message | Task | Minor | CLOSED | 2
FHAC-16 * | As a CONNECT developer, I would like the CONNECT internal dependencies (WebServices and CommonTypes) to have snapshot releases | Technical Story | Major | CLOSED | 0
FHAC-17 | Research Snapshot creation and how it would apply to Common Types and WebServices | Task | Major | CLOSED | 2
FHAC-18 | Apply Snapshot plan to Connect Webservices and CommonTypes | Task | Major | CLOSED | 2
FHAC-19 | Follow-up with SCQC on Fortify next steps | Task | Major | CLOSED | 1
FHAC-20 * | CI - Add OWASP Dependency Check to nightly jenkins build | Task | Major | CLOSED | 2
FHAC-23 * | Follow-up on timestamp expiration issue reported by CMS/OFM (CONN-1580) | Task | Major | CLOSED | 0
FHAC-24 * | CONNECT Nightly build -- Bimodal Regression test ValidateSAMLResourceURIAttributeTest failing | Task | Minor | CLOSED | 1
FHAC-28 * | Mitigate "Setting Manipulation" Fortify Finding | Task | Major | CLOSED | 1
FHAC-29 * | Update ValidateWSA-ActionSoapMustUnderstandTest regression suite test | Task | Minor | CLOSED | 1
FHAC-34 * | Mitigate "System Information Leak: Internal" Fortify Findings | Task | Minor | CLOSED | 1


Issues Not Completed

Key | Summary | Issue Type | Priority | Status | Story Points (2)
FHAC-14 | Determine whether EHEX Cert contributions are needed in the main Gateway code | Task | Major | IN PROGRESS | 1
FHAC-33 * | Document CONNECT Development Process in Wiki | Task | Minor | IN PROGRESS | 1