Posted to dev@fineract.apache.org by Ed Cable <ed...@mifos.org> on 2019/01/02 18:45:24 UTC

Re: [Mifos-developer] Question on - How secure is Mifos?

Victor,

Thanks for this suggestion. I have a request in for a free license from
White Source.

Ed

On Sat, Sep 29, 2018 at 9:50 PM Victor Manuel Romero Rodriguez <victor.romero@fintecheando.mx> wrote:

> Hello,
>
> We have used WhiteCode in the past. For open source projects a free
> license is available.
>
> https://www.whitesourcesoftware.com/
>
> I think it is a more complete solution.
>
> Regards
>
> Victor
>
>
>
> El 20/09/18 a las 07:37, Lalit Mohan S escribió:
> > I used Codacy (https://www.codacy.com/) for an open source project for
> > performing static code analysis, I felt it was quite comprehensive.
> >
> > Also, we could explore a working relationship with Synopsys (Coverity) and
> > has readiness for CIT
> >
> > regards
> > Lalit
> >
> > On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sa...@gmail.com>
> > wrote:
> >
> >> Many thanks, James and Ed for valuable inputs.
> >>
> >> Regards,
> >> Sangamesh
> >>
> >> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:
> >>
> >>> James,
> >>>
> >>> Once again thanks for taking the time to share your wisdom with the group
> >>> and carry the conversation forward. Please see my replies inline:
> >>>
> >>>
> >>>
> >>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
> >>> wrote:
> >>>
> >>>> Hi Sangamesh -
> >>>>
> >>>> As a financial system of record Mifos was designed from the beginning to
> >>>> be secure on the basis of best practices in software architecture and the
> >>>> use of existing code libraries for security implementation. Design-wise,
> >>>> this would include having proper separation of roles, appropriate
> >>>> granularity of permissions, work flow (maker checker authorization)
> >>>> support, encrypted channels, runtime process isolation, audit logs, and
> >>>> secured databases.
> >>>>
> >>>> I'd like to raise some points related to your question:
> >>>> 1) Any security framework is only as strong as the weakest link.  A
> >>>> database may be fully encrypted and secure but if the private encryption
> >>>> keys are broadcast in the clear (a very bad idea) then you've undermined
> >>>> the model.  This has happened in closed-source mobile money applications
> >>>> run by reputable companies.
> >>>>
> >>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
> >>>>
> >>>>
> >>>> 2) Open source provides a way to inspect and determine if best practices
> >>>> are being followed.  One of the key issues with older security frameworks
> >>>> is that too many of them rely on "security through obscurity". Mifos and
> >>>> others invite inspection and bug reports.  I believe several efforts have
> >>>> looked at this, but security is an ongoing effort/philosophy, not a one
> >>>> time thing. Still, I wonder if we can get a white hat security team to
> >>>> review a deployment of Mifos apps + fineract.  As fineract grows in
> >>>> popularity (we hope and expect) this becomes more important.
> >>>>
> >>> Thanks to Lalit, we actually recently had some of the usability and
> >>> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
> >>> attached the two reports that they completed in the last week.
> >>>
> >>> I also want to point everyone to the static analysis and fixes that Thisura
> >>> did on Fineract 1.x as part of his 2017 GSOC program -
> >>>
> >>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
> >>>
> >>>> 3) While the code may be written in the right way, operational
> >>>> deployment practices are often the primary way to ensure that disparate
> >>>> applications are able to be securely implemented. With the blending of
> >>>> dev-ops into coding, this can be more controlled in the code, but at the
> >>>> end of the day so much of security comes down to things like "has the recent
> >>>> server security patch been applied?", "has the VPN been implemented
> >>>> properly?", "was the root user hard coded into the internal data calls?",
> >>>> "have the passwords and keys been changed and kept secure?".
> >>>>
> >>>> 4) We are not adequately tracking security issues in deployments. There
> >>>> are reasons why companies may not want to share this information, but I
> >>>> believe we will need to establish a security reporting process where known
> >>>> Mifos or Fineract solution providers can report what they've learned and
> >>>> what actions they've had to take to fend off an attack.
> >>>>
> >>> Apache has a well-defined security vulnerabilities policy with a clear
> >>> protocol <http://apache.org/security/committers.html> for confirming and
> >>> fixing any vulnerabilities that get reported to the Security team at
> >>> Apache <http://apache.org/security/> by individuals.
> >>>
> >>>> 5) I believe that what is needed is a Guide for Securing Mifos
> >>>> applications running in production. This could be a Guide that would walk
> >>>> through how to deploy and secure both the Apache fineract code and the
> >>>> Mifos Apps that are released in production.  The Security-Overview wiki is
> >>>> mostly aimed at that topic.
> >>>>
> >>>> So, I think the answers to the questions may involve looking at what you
> >>>> are trying to convey in those wiki pages. On the wiki page, can you point
> >>>> out where the questions exist more specifically?
> >>>>
> >>>> Second, if there are any security framework experts on this list, an
> >>>> audit of the fineract and mifos apps, using automated security probing
> >>>> tools (info sec tools like droidsqli on the android apps) would be a useful
> >>>> contribution, but perhaps we should have a secured test instance for that
> >>>> first. It would tell us where we are at. Yes?
> >>>>
> >>> We had some previous individuals with good expertise who were more
> >>> involved in the past. I'll try to get them re-engaged.
> >>>
> >>>
> >>>> Thanks,
> >>>> James
> >>>>
> >>>>
> >>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hello Dev,
> >>>>>
> >>>>> Below is a question which has been asked at
> >>>>> http://mifos.cloud.answerhub.com
> >>>>> *How secure is Mifos? I mean no one can attack me when I decided to use
> >>>>> Mifos as it is open source*
> >>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
> >>>>> has been asked by isabane on MifosConnect
> >>>>>
> >>>>> Here are the links, which have details but a few missing answers on
> >>>>> important questions. Can we have updates on the missing answers soon?
> >>>>> They explain how good the security architecture of the mifos/fineract
> >>>>> platform is:
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
> >>>>>
> >>>>> Thanks,
> >>>>> Sangamesh.N
> >>>>>

-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>