December 29th - January 12th
...
Partner and Community support
– Support for the VA 4.2.2.2 implementation
•
...
• 4.2.2.2 release information can be found here - 4.2.X+Patches
Researched and isolated a PD/DQ issue related to the subjectRole attribute on inbound requests affecting certain trading partners
– Continued working with the DoD
security SCQC team answering questions and coordinating security reviews for CONNECT
•
...
Continued working to develop process and learn tool for review of software dependencies
• Discussion around certain tech stack components
– Met
and worked through timestamp issue with CMS for a message exception being experienced, resolved by syncing Gateway system clocks (CONN-1580)– Continued working through issue and to further drive and capture Auditing requirements for X12 and CMS environmental constraints
– Resolved issue in 4.4.1 after providing facilitation concerning a request by SSA made in 4.3.2 with NIST testing
• SAML PoU attribute, Role declaration and HL7 schemas
– Continued community support for other adopters installing CONNECT and beginning their testing and validation
•
...
Still a few new forums sign-ups during the holiday season
– Responded to several community questions via
...
the forums
...
Post 4.4 Release - Refactoring and Cleanup Tasks
–
Reviewed, Consolidated (where appropriate) and Prioritized Performed additional grooming and prioritization of current CONNECT Backlog tickets, CCB preparation
–
Developed Reviewing and refining of Technical Stories for application improvements and needed refactoring
–
Updating CONNECT internal dependencies (WebServices and CommonTypes) to have snapshot releases • Building a consistent release path protecting against the possibility of creating an official release for the wrong code
• Better processes for development versioning and for referencing between releases
• Researched Snapshot creation and how it would apply to Common Types and WebServices
...
Added new application server version, WebSphere 8.5, to the Continuous Integration merge process
– Added resource-reference declarations in GlassFish for web deployment descriptor files
• Allows support for GlassFish versions 3 & 4
– Worked on refinements to the CONNECT Development process
• Documented in the wiki and reviewed with team
Support for NwHIN eHealth Exchange Certification Review/Remaining Issues
– Reviewed CONNECT generated QD and RD request and response messages against all pertinent manual EHEX certification checklists
• Split the review by service type and consolidated the manual checklists/spreadsheets accordingly
• Several spreadsheets were associated with each service
• No additional findings requiring changes were found
• Further research on several optional adapter parameters and the gateway processing of those
• Overall manually reviewed over 1500 validation checks contained in the EHEX checklists/spreadsheets
– Created JIRA tickets for Audit services based on EHEX manual checklist review performed in Sprint 147
– Verified against the Audit Updates Design created as part of Release 4.3 scope
– Set the "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response (CONN-1506 & CONN-1428)
•
– Followed-up with DoD SCQC team on Fortify next steps and final reviews of Release 4.4 (Updated rule engine)
– Added OWASP Dependency Checks to nightly continuous integration process for jenkins build
– Resolved CONNECT Nightly build issue -- Bimodal Regression test ValidateSAMLResourceURIAttributeTest
– Update regression suite tests to check if all the service responses have the mustUnderstand attribute set in action header element
– Addressed post 4.4 Fortify findings
• Mitigated "Setting Manipulation" finding eliminating ability for an attacker to control values that govern system behavior
• Mitigated "System Information Leak: Internal“ occurring during debuggingAdditional testing and review was performed
– The first resolution to address the Semantic Text removal was only applied to the parameter list in QueryByParameter, still required to be applied for the MatchCriterionList elements in the PD request schema
• Parameters MatchAlgorithm & MinimumDegreeMatch
• Found and resolved a related issue with the MinimumDegreeMatch, proper setting of the range variable
– Resolved the PurposeOfUse and Role scoping issue
• Due to the delay in receiving official guidance from Spec factory, set the prefix to be configurable with the default that it is turned off
– Reviewed CONNECT generated PD request and response against all pertinent manual EHEX certification checklists
• Split the review by service type and consolidated the manual checklists/spreadsheets accordingly
• Several spreadsheets were associated with PD
• No additional findings were found
Validation of Auditing Design against EHEX Checklist
– Auditing isn’t currently a part of EHEX Certification testing manual checklist are published
– The expectation is this will soon be part future requirements
– Took currently Auditing messages and design for Audit improvements and reviewed against EHEX checklists
• Though Audit design addresses all services supported by CONNECT, the review only focused on EHEX supported services
• Review CONNECT generated audit messages against PD initiator and responder manual checklists from Healtheway
• Review CONNECT generated audit messages against QD initiator and responder manual checklists from Healtheway
• On Review CONNECT generated audit messages against RD initiator and responder manual checklists from Healtheway
Functional and Security Testing Improvements
, setting it to be configurable to meet certification as well as any potential trading partner requirements
Functional and Security Testing Improvements
– Addressing findings based on latest Fortify rules pack, continued collaboration with DoD SCQC on findings
• Mitigated "Race Condition: Singleton Member Field"
• Mitigated "Insecure Transport: Mail Transmission“
• Mitigated "Path Manipulation“
• Mitigated "Log Forging"
– Compared and researched our internal Dependency Check report with the report supplied from DoD SCQC team (based on 4.4)
• Also being validated against current nightly CI reports
• Removed unused transitive dependencies
– Refined test included in the automated Regression Suite – Audit Logging in Passthru
X12 Audit Requirements and Design
– Further explored what Auditing is required and would be functionally needed for X12 messaging
• Where in the message flow and CMS workflow should Auditing occur
• How much of the Document Submission Audit methodology can be leveraged
– Understand the impacts of Auditing and writing data within the CMS 3-zone architecture related to this service
• Similar constraints and requirements with other services
Other tasks post release
- Continuing to work on the team generated Technical Stories
- Continued backlog grooming and prioritization
- Beginning preparation for the Change Control Board
JIRA Planning Board of Committed User Stories for Sprint
...
148:
Completed Issues
| Key | Summary | Issue Type | Priority | Status | Story Points ( |
|---|
...
| 31) |
|---|
| FHAC- |
...
| 4 | Review CONNECT generated |
...
| QD request and response against the manual eHex |
...
| participant testing checklists |  Task |  Major | CLOSED | 5 |
| FHAC- |
...
| 5 | Review CONNECT generated RD request and response against the manual eHex Participant testing checklists | Task | Major | CLOSED |
...
...
| 21 | Research and analyze dependency check report from DoD/SCQC | Task | Major | CLOSED |
...
...
| 25 | Mitigate "Race Condition: Singleton Member Field" Fortify Finding | Task | Major | CLOSED |
...
...
| 26 | Mitigate "Insecure Transport: Mail Transmission" Fortify Finding | Task | Major | CLOSED |
...
...
| 31 * |
...
| Add WebSphere 8.5 application server to CI Merge Process | Task |
...
 Minor | CLOSED | 2 |
| FHAC- |
...
...
| 35 | Fix the MinimumDegreeMatch in the PD Request for the range between 0 and 100 | Task | Major | CLOSED |
...
...
...
| 49 | Add resource-ref declarations in glassfish web deployment descriptor files | Task |
...
| Minor | CLOSED | 2 |
| FHAC- |
...
| 63 * | Remove Audit Logging Passthru Test from Nightly Automated Regression Exceution | Task |
...
| Minor | CLOSED |
...
...
| 64 * |
...
| OWASP Dependency Check |
...
| : Remove unused transitive dependencies | Task |
...
| Minor | CLOSED | 2 |
| FHAC- |
...
| 65 * |
...
| Mitigate "Path Manipulation" Fortify Findings | Task | Major | CLOSED |
...
| - |
...
...
...
| 66 * | Mitigate " |
...
| Log Forging" Fortify |
...
| Findings | Task | Major | CLOSED | 1 |
...
Issues Not Completed
| Key | Summary | Issue Type | Priority | Status | Story Points (1) |
|---|---|---|---|---|---|
| FHAC-33 | Document CONNECT Development Process in Wiki | Task | Minor |
...
| IN PROGRESS | 1 |
Issues Not Completed
Issues Removed From Sprint
| Key | Summary | Issue Type | Priority | Status | Story Points ( |
|---|
...
...
| 1) | |||
|---|---|---|---|
| FHAC-14 | Determine whether EHEX Cert contributions are needed in the main Gateway code | Task | Major |
...
| OPEN | 1 |