
Re: [Mifos-developer] Question on - How secure is Mifos?


We have used WhiteCode in the past. For open source projects a free license is available.


I think it is a more complete solution.



On 20/09/18 at 07:37, Lalit Mohan S wrote:
I used Codacy (https://www.codacy.com/) for an open source project for
performing static code analysis, I felt it was quite comprehensive.

Also, we could explore a working relationship with Synopsys (Coverity) and
has readiness for CIT


On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sangameshcfsl@xxxxxxxxx>

Many thanks, James and Ed for valuable inputs.


On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <edcable@xxxxxxxxx> wrote:


Once again thanks for taking the time to share your wisdom with the group
and carry the conversation forward. Please see my replies inline:

On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@xxxxxxxxx>

Hi Sangamesh -

As a financial system of record Mifos was designed from the beginning to
be secure on the basis of best practices in software architecture and the
use of existing code libraries for security implementation. Design-wise,
this would include having proper separation of roles, appropriate
granularity of permissions, work flow (maker checker authorization)
support, encrypted channels, runtime process isolation, audit logs, and
secured databases.

I'd like to raise some points related to your question:
1) Any security framework is only as strong as the weakest link.  A
database may be fully encrypted and secure but if the private encryption
keys are broadcast in the clear (a very bad idea) then you've undermined
the model.  This has happened in closed-source mobile money applications
run by reputable companies.

2) Open source provides a way to inspect and determine if best practices
are being followed.  One of the key issues with older security frameworks
is that too many of them rely on "security through obscurity". Mifos and
others invite inspection and bug reports.  I believe several efforts have
looked at this, but security is an ongoing effort/philosophy, not a one
time thing. Still, I wonder if we can get a white hat security team to
review a deployment of Mifos apps + fineract.  As fineract grows in
popularity (we hope and expect) this becomes more important.

Thanks to Lalit, we actually recently had some of the usability and
security researchers at IDRBT do a static analysis of Mifos Mobile. I've
attached the two reports that they recently completed in the last week.

I also want to point everyone to the static analysis and fixes that Thisura
did on Fineract 1.x as part of his 2017 GSOC program -

3) While the code may be written in the right way, operational
deployment practices are often the primary way to ensure that disparate
applications are able to be securely implemented. With the blending of
dev-ops into coding, this can be more controlled in the code, but at the
end of the day so much of security comes down to things like "has the recent
server security patch been applied?", "has the VPN been implemented
properly?", "was the root user hard coded into the internal data calls?",
"have the passwords and keys been changed and kept secure?".

4) We are not adequately tracking security issues in deployments. There
are reasons why companies may not want to share this information, but, I
believe we will need to establish a security reporting process where known
Mifos or Fineract solution providers can report what they've learned and
what actions they've had to take to fend off an attack.

Apache has a well-defined security vulnerabilities policy with a clear
protocol <http://apache.org/security/committers.html> for confirming and
fixing any vulnerabilities that get reported to the Security team at
Apache <http://apache.org/security/> by individuals.

5) I believe that what is needed is a Guide for Securing Mifos
applications running in production. This could be a Guide that would walk
through how to deploy and secure both the Apache fineract code and the
Mifos Apps that are released in production.  The Security-Overview wiki is
mostly aimed at that topic.

So, I think the answers to the questions may involve looking at what you
are trying to convey in those wiki pages. On the wiki page, can you point
out where the questions exist more specifically?

Second, if there are any security framework experts on this list, an
audit of the fineract and mifos apps, using automated security probing
tools (info sec tools like droidsqli on the android apps) would be a useful
contribution, but perhaps we should have a secured test instance for that
first. It would tell us where we are at. Yes?

We had some previous individuals with good expertise who were more
involved in the past. I'll try to get them re-engaged.


On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@xxxxxxxxx>

Hello Dev,

Below is a question which has been asked by isabane on MifosConnect:
*How secure is Mifos? I mean no one can attack me when I decided to use
Mifos as it is OpenSource*

Here are the links, which have details with a few missing answers on
important questions. Can we have updates on the missing answers soon?
They explain how good the security architecture of mifos/fineract is:
- *

*Ed Cable*
President/CEO, Mifos Initiative
edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
