Selenium and HIPAA compliance/Enterprise IT security restrictions


seleni...@gmail.com

Feb 28, 2018, 8:53:52 PM
to Selenium Users
Hello all,

I did a search on Selenium and HIPAA compliance and Selenium and security risks and found very little. Unfortunately, the lack of warnings about "the dangers of letting your test engineers use Selenium" means nothing in the health care organization I work for, which views open source as inherently risky and "a bad thing" a) because it's open source and b) because there is no vendor who creates it to provide support as staff backup, or presumably, hold accountable if things go wrong. For all intents and purposes, our test environments are subject to the same "guilty of being unsafe until proven innocent" level of security as Prod.

Have any of you successfully introduced Selenium in a setting like this --a very tightly controlled organization in a heavily regulated industry (bonus points if it's healthcare)-- where you need to go through an extensive formal review process for any new application AND get support from your own management and at least acceptance from a very strict IT security leader to have things unblocked or get permissions that normal users do not get? If you have done this successfully, do you have any advice, articles, resources, etc., you could share that helped you successfully make the case for your organization accepting Selenium? Did you then have to do the same thing for any languages (Ruby, Python, C#, Visual Studio Community) that you planned to download/use in conjunction for creating tests?

To clarify, I'm not looking for ways around security and our policies (which they'd fire an IT person for doing); I'm trying to determine how I can best prepare a case to gain the official support needed to do it in an acceptable manner.

Shawn McCarthy

Mar 1, 2018, 10:22:12 AM
to Selenium Users
Maybe you can find another open source library that your company is already using?

seleni...@gmail.com

Mar 1, 2018, 12:56:39 PM
to Selenium Users
Are you suggesting another open source testing tool or just anything else open source to see how its users shepherded it through the security/approval process?
I asked a couple of people on the dev team and someone else who has been in various roles, and they were not aware of anyone who had introduced open source tools.
I'm not aware of an outright ban though, which means it should not be totally impossible . . . that said, I am aware "you can't fight city hall" and also exploring other "cities."

Shawn McCarthy

Mar 1, 2018, 3:03:05 PM
to Selenium Users
The latter (anything else open source to see how it got through the security/approval process). I can't imagine any semi-complex project wouldn't use some kind of open source project/library.

seleni...@gmail.com

Mar 1, 2018, 5:44:39 PM
to Selenium Users
Now that you mention it, we recently went through quite a "round" with our security department because the testing tool we use (and paid much for) contains open source libraries, which is one of the reasons security insisted the false positive from VirusTotal and Websense when we were trying to download an update from the vendor meant it contained Trojans. I think their support team even made that point you just made about how so many projects incorporate open source libraries. It was actually being flagged that way due to the presence of the VNC client in it, because the tool works by remoting to machines and executing code (our test scripts). I could see Selenium (especially integrated with our tool remoting or RC) potentially running into the same thing.
Of course, the testing tool passed the extensive review process and was selected and submitted for said process by people who hold the viewpoints that are barriers to using open source in the first place.
I need to find more friends on the development team.

Krishnan Mahadevan

Mar 1, 2018, 10:21:37 PM
to seleniu...@googlegroups.com

>>>> a) because it's open source

Lots of companies rely heavily on open source tools. I believe enterprise level frameworks such as Spring, for e.g., are by themselves open source in nature. So there's nothing wrong with opening up to open source. If your org is basically using any open source library for its development (I am assuming that your tech stack is Java), then you can find out the list of open source libraries that are being used for application development, and then leverage the same vetting process for adopting an open source project.

>>>> b) because there is no vendor who creates it to provide support as staff backup, or presumably, hold accountable if things go wrong

Open source projects come free of cost. So, you win some, you lose some. Support staff etc., comes only when you pay for something. Open source projects are mainly aimed at those users, who are comfortable with using something that's available for free, but if something goes wrong (or) they are in the need of addressing a bug (or) adding an enhancement, then they very well can take up the ownership of that, and either contribute back to the open source library, or fork the codebase and make changes for themselves and keep the forked variant within their company.

>>>> Have any of you successfully introduced Selenium in a setting like this --a very tightly controlled organization in a heavily regulated industry (bonus points if it's healthcare)-- where you need to go through an extensive formal review process for any new application AND get support from your own management and at least acceptance from a very strict IT security leader to have things unblocked or get permissions that normal users do not get?

I don't have extensive experience in this. But I guess it would boil down to first you collecting the set of things that your org expects in terms of providing approvals etc., and then start hunting for data around those areas. For every org the data points are different. For e.g., some companies basically say that binaries are not supposed to be downloaded directly from the internet. To get past this they would basically request that you go through a ticketing system which requests binary downloads (chromedriver/geckodriver), which after vetting would be made available in a shared location within the company.

Recently we got into a situation wherein some settings in IE had to be enabled to support automation (I believe it was the one related to security settings across websites), but the org policy had ensured that the IE setting wouldn't even be visible to users. So we had to get past that by requesting a service account with restricted login access (i.e., it wouldn't have access to the internet and login was also restricted to test boxes as well) and then move forward with that.

The bottom line is, how do you make them understand the need for automation. If the org has a priority of trying to leverage concepts such as CI and CD (either in a restricted or a full blown fashion) and if the organization is not keen on spending a lot in terms of buying products but, is instead ready to invest in their employees by providing opportunities for them to work on open source projects, then these things have to be allowed. You just have to figure out ways in which you can bring out the benefits in a fashion that can be accepted by your org.

>>>> To clarify, I'm not looking for ways around security and our policies (which they'd fire an IT person for doing);

Yes, you shouldn't as well. Finding loopholes in policies or security settings is even more tiresome, because you will very soon be caught in a rigmarole of workarounds.

Thanks & Regards

Krishnan Mahadevan

"All the desirable things in life are either illegal, expensive, fattening or in love with someone else!"

My Scribblings @ http://wakened-cognition.blogspot.com/

My Technical Scribbings @ http://rationaleemotions.wordpress.com/

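The "download via ticket, vet, publish to an internal share" process described for chromedriver/geckodriver above only protects the test run if the test code actually refuses to start with anything other than the vetted binary. The following is an added example, not code from this thread or from the Selenium project: it records the SHA-256 of each approved driver (the value the vetting ticket would note down), verifies the file on the share against that record before every launch, and rejects a swapped or unlisted binary. The share location, file names and hashes are constructed placeholders; the `launch_chrome` helper assumes Selenium 4's `Service` API and is not exercised by the self-check.

```python
# Added example (not from the thread): gate Selenium on a driver binary that was
# vetted through the org's ticketing process and published to an internal share.
import hashlib
import hmac
import tempfile
from pathlib import Path


class UnvettedBinaryError(RuntimeError):
    """Raised when a driver is missing from, absent on, or does not match the allowlist."""


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verified_driver_path(share_dir, name, allowlist):
    """Resolve `name` inside `share_dir` and check it against the recorded hash.

    `allowlist` maps file name -> SHA-256 hex recorded when the binary was vetted.
    Only a file that is listed, exists, and hashes to the listed value is returned.
    """
    path = (Path(share_dir) / name).resolve()
    expected = allowlist.get(name)
    if expected is None:
        raise UnvettedBinaryError(f"{name} has no approved hash on record")
    if not path.is_file():
        raise UnvettedBinaryError(f"{path} is not present on the internal share")
    actual = sha256_of(path)
    # Constant-time comparison; both sides are ASCII hex strings.
    if not hmac.compare_digest(actual, expected.lower()):
        raise UnvettedBinaryError(
            f"{name} does not match its approved hash "
            f"(expected {expected[:12]}..., got {actual[:12]}...)"
        )
    return str(path)


def launch_chrome(driver_path, chrome_options=None):
    """Start Chrome through Selenium using only the verified driver path.

    Assumes Selenium 4 (webdriver.Chrome takes a Service); imported lazily so the
    verification logic above can be used and tested without Selenium installed.
    """
    from selenium import webdriver
    from selenium.webdriver.chrome.service import Service
    return webdriver.Chrome(service=Service(executable_path=driver_path),
                            options=chrome_options)


def make_sample_share():
    """Constructed stand-in for the internal share: a temp directory holding a fake
    'chromedriver.exe', plus the allowlist the vetting step would have recorded."""
    share = Path(tempfile.mkdtemp(prefix="vetted-drivers-"))
    fake_driver = share / "chromedriver.exe"
    fake_driver.write_bytes(b"CONSTRUCTED SAMPLE - not a real driver\n")
    allowlist = {"chromedriver.exe": sha256_of(fake_driver)}
    return share, allowlist


def demo():
    """Run the check against the constructed share: clean, tampered, and unlisted.
    Returns (clean_accepted, tamper_detected, unlisted_rejected)."""
    share, allowlist = make_sample_share()
    expected_path = str((share / "chromedriver.exe").resolve())
    clean_accepted = verified_driver_path(share, "chromedriver.exe", allowlist) == expected_path

    # Simulate the binary on the share being replaced after vetting.
    (share / "chromedriver.exe").write_bytes(b"something else entirely\n")
    try:
        verified_driver_path(share, "chromedriver.exe", allowlist)
        tamper_detected = False
    except UnvettedBinaryError:
        tamper_detected = True

    # A driver nobody vetted is rejected even though the file exists.
    (share / "geckodriver.exe").write_bytes(b"also constructed\n")
    try:
        verified_driver_path(share, "geckodriver.exe", allowlist)
        unlisted_rejected = False
    except UnvettedBinaryError:
        unlisted_rejected = True
    return clean_accepted, tamper_detected, unlisted_rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

In a real setup the allowlist lives in the test repository alongside the ticket number that approved each hash, so the review trail the security team asked for and the runtime check are the same artifact; updating a driver then means a new ticket and a one-line change to the allowlist rather than an ad hoc download.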

seleni...@gmail.com

Mar 8, 2018, 9:58:44 AM
to Selenium Users
Our tech stack here is the typical Microsoft everything (so no Java--based on the job descriptions I've seen for devs).
Thanks to everyone for their suggestions. I am trying to determine what all I'd need to meet the requirements.