
Re: [Mifos-developer] Question on - How secure is Mifos?


I used Codacy (https://www.codacy.com/) for an open source project for
performing static code analysis; I felt it was quite comprehensive.

Also, we could explore a working relationship with Synopsys (Coverity), which
has readiness for CIT.

regards
Lalit

On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sangameshcfsl@xxxxxxxxx>
wrote:

> Many thanks, James and Ed for valuable inputs.
>
> Regards,
> Sangamesh
>
> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <edcable@xxxxxxxxx> wrote:
>
>> James,
>>
>> Once again thanks for taking the time to share your wisdom with the group
>> and carry the conversation forward. Please see my replies inline:
>>
>>
>>
>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@xxxxxxxxx>
>> wrote:
>>
>>> Hi Sangamesh -
>>>
>>> As a financial system of record Mifos was designed from the beginning to
>>> be secure on the basis of best practices in software architecture and the
>>> use of existing code libraries for security implementation. Design-wise,
>>> this would include having proper separation of roles, appropriate
>>> granularity of permissions, workflow (maker-checker authorization)
>>> support, encrypted channels, runtime process isolation, audit logs, and
>>> secured databases.
>>>
>>> I'd like to raise some points related to your question:
>>> 1) Any security framework is only as strong as the weakest link.  A
>>> database may be fully encrypted and secure but if the private encryption
>>> keys are broadcast in the clear (a very bad idea) then you've undermined
>>> the model.  This has happened in closed-source mobile money applications
>>> run by reputable companies.
>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>>
>>>
>>> 2) Open source provides a way to inspect and determine if best practices
>>> are being followed.  One of the key issues with older security frameworks
>>> is that too many of them rely on "security through obscurity". Mifos and
>>> others invite inspection and bug reports.  I believe several efforts have
>>> looked at this, but security is an ongoing effort/philosophy, not a one
>>> time thing. Still, I wonder if we can get a white hat security team to
>>> review a deployment of Mifos apps + Fineract.  As Fineract grows in
>>> popularity (we hope and expect) this becomes more important.
>>>
>>
>> Thanks to Lalit, we actually recently had some of the usability and
>> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
>> attached the two reports that they completed in the last week.
>>
>> I also want to point everyone to the static analysis and fixes that Thisura
>> did on Fineract 1.x as part of his 2017 GSOC program -
>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>>
>>>
>>> 3) While the code may be written in the right way, operational
>>> deployment practices are often the primary way to ensure that disparate
>>> applications are able to be securely implemented. With the blending of
>>> dev-ops into coding, this can be more controlled in the code, but at the
>>> end of the day so much of security comes down to things like "has the recent
>>> server security patch been applied?", "has the VPN been implemented
>>> properly?", "was the root user hard coded into the internal data calls?",
>>> "have the passwords and keys been changed and kept secure?".
>>>
>>> 4) We are not adequately tracking security issues in deployments. There
>>> are reasons why companies may not want to share this information, but, I
>>> believe we will need to establish a security reporting process where known
>>> Mifos or Fineract solution providers can report what they've learned and
>>> what actions they've had to take to fend off an attack.
>>>
>>
>> Apache has a well-defined security vulnerabilities policy with a clear
>> protocol <http://apache.org/security/committers.html> for confirming and
>> fixing any vulnerabilities that get reported to the Security team at
>> Apache <http://apache.org/security/> by individuals.
>>
>>>
>>> 5) I believe that what is needed is a Guide for Securing Mifos
>>> applications running in production. This could be a Guide that would walk
>>> through how to deploy and secure both the Apache Fineract code and the
>>> Mifos Apps that are released in production.  The Security-Overview wiki is
>>> mostly aimed at that topic.
>>>
>>> So, I think the answers to the questions may involve looking at what you
>>> are trying to convey in those wiki pages. On the wiki page, can you point
>>> out where the questions exist more specifically?
>>>
>>> Second, if there are any security framework experts on this list, an
>>> audit of the Fineract and Mifos apps, using automated security probing
>>> tools (info sec tools like droidsqli on the android apps) would be a useful
>>> contribution, but perhaps we should have a secured test instance for that
>>> first. It would tell us where we are at. Yes?
>>>
>>
>> We had some previous individuals with good expertise who were more
>> involved in the past. I'll try to get them re-engaged.
>>
>>
>>>
>>> Thanks,
>>> James
>>>
>>>
>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@xxxxxxxxx>
>>> wrote:
>>>
>>>> Hello Dev,
>>>>
>>>> Below is a question which has been asked at
>>>> http://mifos.cloud.answerhub.com
>>>> *How secure is Mifos? I mean no one can attack me when I decided to use
>>>> Mifos as it is an OpenSource*
>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>>> It has been asked by isabane on MifosConnect.
>>>>
>>>> Here are the links, which have details with a few missing answers on
>>>> important questions. Can we have updates on the missing answers soon?
>>>> They explain how good the security architecture of the Mifos/Fineract
>>>> platform is:
>>>> - *Security Overview*
>>>> <https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview>
>>>> - *Threat Model*
>>>> <https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model>
>>>>
>>>> Thanks,
>>>> Sangamesh.N
>>>>
>>>
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>