Re: Question on - How secure is Mifos?
Many thanks, James and Ed for valuable inputs.
On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <edcable@xxxxxxxxx> wrote:
> Once again thanks for taking the time to share your wisdom with the group
> and carry the conversation forward. Please see my replies inline:
> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@xxxxxxxxx>
>> Hi Sangamesh -
>> As a financial system of record Mifos was designed from the beginning to
>> be secure on the basis of best practices in software architecture and the
>> use of existing code libraries for security implementation. Design-wise,
>> this would include having proper separation of roles, appropriate
>> granularity of permissions, work flow (maker checker authorization)
>> support, encrypted channels, runtime process isolation, audit logs, and
>> secured databases.
>> I'd like to raise some points related to your question:
>> 1) Any security framework is only as strong as the weakest link. A
>> database may be fully encrypted and secure but if the private encryption
>> keys are broadcast in the clear (a very bad idea) then you've undermined
>> the model. This has happened in closed-source mobile money applications
>> run by reputable companies.
>> 2) Open source provides a way to inspect and determine if best practices
>> are being followed. One of the key issues with older security frameworks
>> is that too many of them rely on "security through obscurity". Mifos and
>> others invite inspection and bug reports. I believe several efforts have
>> looked at this, but security is an ongoing effort/philosophy, not a one
>> time thing. Still, I wonder if we can get a white hat security team to
>> review a deployment of Mifos apps + fineract. As fineract grows in
>> popularity (we hope and expect) this becomes more important.
> Thanks to Lalit, we actually recently had some of the usability and
> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
> attached the two reports that they completed in the last week.
> I also want to point everyone to the static analysis and fixes that Thisura
> did on Fineract 1.x as part of his 2017 GSOC program -
>> 3) While the code may be written in the right way, operational deployment
>> practices are often the primary way to ensure that disparate applications
>> are able to be securely implemented. With the blending of dev-ops into
>> coding, this can be more controlled in the code, but at the end of the day
>> so much of security comes down to things like "has the recent server
>> security patch been applied?" "has the VPN been implemented properly?",
>> "was the root user hard coded into the internal data calls?", "have the
>> passwords and keys been changed and kept secure?".
>> 4) We are not adequately tracking security issues in deployments. There
>> are reasons why companies may not want to share this information, but, I
>> believe we will need to establish a security reporting process where known
>> Mifos or Fineract solution providers can report what they've learned and
>> what actions they've had to take to fend off an attack.
> Apache has a well-defined security vulnerabilities policy with a clear
> protocol <http://apache.org/security/committers.html> for confirming and
> fixing any vulnerabilities that get reported to the Security team at
> Apache <http://apache.org/security/> by individuals.
>> 5) I believe that what is needed is a Guide for Securing Mifos
>> applications running in production. This could be a Guide that would walk
>> through how to deploy and secure both the Apache fineract code and the
>> Mifos Apps that are released in production. The Security-Overview wiki is
>> mostly aimed at that topic.
>> So, I think the answers to the questions may involve looking at what you
>> are trying to convey in those wiki pages. On the wiki page, can you point
>> out where the questions exist more specifically?
>> Second, if there are any security framework experts on this list, an
>> audit of the fineract and mifos apps, using automated security probing
>> tools (info sec tools like droidsqli on the android apps) would be a useful
>> contribution, but perhaps we should have a secured test instance for that
>> first. It would tell us where we are at. Yes?
> We had some previous individuals with good expertise who were more
> involved in the past. I'll try to get them re-engaged.
>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@xxxxxxxxx>
>>> Hello Dev,
>>> Below is a question which has been asked at
>>> *How secure is Mifos? I mean, no one can attack me when I decide to use
>>> Mifos as it is open source*
>>> has been asked by isabane on MifosConnect
>>> Here are the links, which have details but a few missing answers on
>>> important questions. Can we have updates on the missing answers soon? They
>>> explain how good the security architecture of mifos/fineract is
>>> - *
> *Ed Cable*
> President/CEO, Mifos Initiative
> edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649
> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> <http://facebook.com/mifos> <http://www.twitter.com/mifos>
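James's point 3 above turns on deployment hygiene rather than code quality: a root account hard-coded into the data layer, default passwords never changed, keys kept in the clear, channels left unencrypted. As an added example (not code from this thread nor from the Mifos or Fineract projects), the script below audits a Tomcat context.xml datasource definition and a .properties file for exactly those weak links. The sample files, the datasource name jdbc/mifosplatform-tenants, the property keys, and the list of well-known default passwords are all constructed assumptions for illustration; the check passes only when no HIGH finding remains, which is how a practitioner would wire it into a deploy gate.

```python
"""Deployment-hygiene audit for a Fineract/Mifos-style WAR deployment.

Added example: scans a Tomcat context.xml datasource and a .properties file for
a privileged DB account hard-coded into the data layer, unchanged default
passwords, secrets kept in plaintext, and unencrypted channels. All inputs,
key names and default-password lists are constructed, not taken from the project.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "HIGH" or "MEDIUM"
    location: str   # file and element/key the finding refers to
    message: str


# Constructed sample: a JNDI datasource as a Tomcat-hosted deployment might define it.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/mifosplatform-tenants" auth="Container"
            type="javax.sql.DataSource" driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost:3306/mifosplatform-tenants"
            username="root" password="mysql" />
</Context>
"""

# Constructed sample: application properties with a mix of good and bad practice.
SAMPLE_PROPERTIES = """
tenant.db.username=fineract_app
tenant.db.password=${TENANT_DB_PASSWORD}
smtp.password=changeit
jwt.signing.key=0123456789abcdef0123456789abcdef
api.base.url=http://10.0.0.5:8080/fineract-provider/api/v1
"""

DEFAULT_PASSWORDS = {"", "mysql", "password", "password1", "changeit", "admin", "root"}
PRIVILEGED_ACCOUNTS = {"root", "admin", "sa", "postgres"}
SECRET_KEY = re.compile(r"password|passwd|pwd|secret|key|token", re.IGNORECASE)
# A value pulled from the environment or encrypted at rest is acceptable as-is.
EXTERNALISED = re.compile(r"^\$\{[A-Za-z0-9_]+\}$|^ENC\(.+\)$")


def audit_context_xml(xml_text: str) -> List[Finding]:
    """Check every <Resource> datasource for a root user, default or plaintext password, and non-TLS JDBC URL."""
    findings: List[Finding] = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        loc = f"context.xml:{res.get('name', '?')}"
        user = res.get("username", "")
        pwd = res.get("password")
        url = res.get("url", "")
        if user.lower() in PRIVILEGED_ACCOUNTS:
            findings.append(Finding("HIGH", loc, f"datasource runs as privileged account '{user}'; use a least-privilege app user"))
        if pwd is not None:
            if pwd in DEFAULT_PASSWORDS:
                findings.append(Finding("HIGH", loc, "datasource password is a well-known default"))
            elif not EXTERNALISED.match(pwd):
                findings.append(Finding("MEDIUM", loc, "datasource password stored in plaintext in context.xml"))
        if url.startswith("jdbc:mysql:") and "useSSL=true" not in url and "sslMode=" not in url:
            findings.append(Finding("MEDIUM", loc, "JDBC URL does not require TLS to the database"))
    return findings


def audit_properties(props_text: str) -> List[Finding]:
    """Flag secret-looking keys whose value is a default or a plaintext literal, and cleartext HTTP endpoints."""
    findings: List[Finding] = []
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        loc = f"app.properties:{key}"
        if SECRET_KEY.search(key):
            if EXTERNALISED.match(value):
                continue  # externalised or encrypted: fine
            if value in DEFAULT_PASSWORDS:
                findings.append(Finding("HIGH", loc, "secret left at a well-known default value"))
            else:
                findings.append(Finding("MEDIUM", loc, "secret stored in plaintext; externalise or encrypt it"))
        elif key.lower().endswith("url") and value.lower().startswith("http://"):
            findings.append(Finding("MEDIUM", loc, "endpoint uses cleartext HTTP"))
    return findings


def audit_deployment(xml_text: str, props_text: str) -> dict:
    """Run both audits; the deploy gate passes only with zero HIGH findings."""
    findings = audit_context_xml(xml_text) + audit_properties(props_text)
    counts = Counter(f.severity for f in findings)
    return {"findings": findings, "high": counts["HIGH"], "medium": counts["MEDIUM"],
            "passed": counts["HIGH"] == 0}


if __name__ == "__main__":
    report = audit_deployment(SAMPLE_CONTEXT_XML, SAMPLE_PROPERTIES)
    for f in report["findings"]:
        print(f"[{f.severity}] {f.location}: {f.message}")
    print(f"{report['high']} high, {report['medium']} medium; gate {'passed' if report['passed'] else 'FAILED'}")
```

Run against the constructed samples it reports three HIGH findings (root datasource user, default MySQL password, default SMTP password) and three MEDIUM ones (non-TLS JDBC URL, plaintext signing key, cleartext API URL), so the gate fails; replacing the literals with `${ENV_VAR}` placeholders, a least-privilege user and `?useSSL=true` on the JDBC URL brings it to zero.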