Human rights work often involves handling sensitive information, making a secure digital environment essential for those involved in the collection and documentation process. Uwazi, HURIDOCS’ open-source database application, is specifically designed for human rights defenders to manage various types of sensitive information. To ensure the highest level of data protection and integrity for our partners, we requested an in-depth security assessment of Uwazi.
The security audit was performed by Assured Security Consultants, a boutique consultancy firm based in Sweden. The penetration test covered the web application, backend APIs and the user interface. A white-box methodology (privileged access and source code) was used, combining both dynamic and static analysis of the implementation and its assets. It was carried out in accordance with the OWASP Web Security Testing Guide.
The audit uncovered eleven findings, most of which have a low or zero risk rating. However, two vulnerabilities, one critical and one high-risk, were discovered during the audit. All the vulnerabilities have since been addressed and patched to prevent exploitation, while the critical and high-risk ones were immediately prioritised after the HURIDOCS team were informed of the report findings.
“We recently completed a penetration test on the Uwazi application, developed by HURIDOCS. The well-structured and easy-to-audit codebase made our testing process smoother. The test uncovered eleven issues, including one critical issue, which were all promptly addressed and mitigated. The team’s rapid response shows their commitment to ensuring user safety. Additionally, the team was very helpful and supportive throughout the test, and we would like to thank HURIDOCS for the privilege of working together in improving the security of Uwazi.”
— Assured Security Consultants
This is the third independent security audit of Uwazi and forms part of our commitment to maintain and strengthen the security of our flagship open-source tool. In 2022, an independent audit found Uwazi to have a high level of security.
HURIDOCS is grateful to the Open Technology Fund and their Security Lab for funding this security audit of Uwazi, and to the team at Assured who did an excellent job in performing the audit.
If you have any questions about the vulnerabilities discovered in the report and would like to know how HURIDOCS addressed them, feel free to reach out to us.