Non-technical Description

On initial configuration of our Jenkins box (a tool we use that helps automates building, testing, and deploying of our software, facilitating our ability to release code multiple times a day), a setting was left with the default as open rather than closed. This opened up a vulnerability that made TIS potential more open to attack then we would intend (which had not been identified by our own checks, or any independent penetration testing carried out on any of our services). In an NHS-wide security sweep, NHS(D) highlighted this vulnerability. We were able to immediately address the vulnerability.

Trigger

• Initial configuration of our Jenkins box

Detection

• NHS(D) security sweep of the NHS estate

Resolution

• Amending an open Jenkins github oauth configuration to be locked down. Was initially set to Anyone can do anything. It has been replaced with Matrix-based security

Timeline

3 Feb

• 14:23 - Email sent to HEE (including Simon - A/L that day - and Stephen Loughran)

• 16:56 - Stephen recirculated email (including AndyN and JohnS)

• 23:09 - Confirmation from John Simmons (Unlicensed) and Andy Dingley that the resolution had been implemented and successfully tested

Root Cause(s)

• Initial configuration of our Jenkins box (probably when the TIS programme was first set up

Action Items

Lessons Learned

• Periodically review security - conduct internal pen tests - consider getting an independent body to do so…