Posted to user@fineract.apache.org by sangamesh n <sa...@gmail.com> on 2018/09/18 10:46:53 UTC

Question on - How secure is Mifos?

Hello Dev,

Below is a question which has been asked at http://mifos.cloud.answerhub.com
by isabane on MifosConnect:
*How secure is Mifos? I mean, no one can attack me when I decided to use
Mifos as it is OpenSource*
<http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>

Here are the links, which have the details but a few missing answers on
important questions. Can we have updates on the missing answers soon? They
explain how good the security architecture of the Mifos/Fineract platform is:
- https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
- https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model

Thanks,
Sangamesh.N

Re: [Mifos-developer] Question on - How secure is Mifos?

Posted by Ed Cable <ed...@mifos.org>.
Victor,

Thanks for this suggestion. I have a request in for a free license from
White Source.

Ed

On Sat, Sep 29, 2018 at 9:50 PM Victor Manuel Romero Rodriguez <
victor.romero@fintecheando.mx> wrote:

> Hello,
>
> We have used WhiteCode in the past. For open source projects a free
> license is available.
>
> https://www.whitesourcesoftware.com/
>
> I think it is a more complete solution.
>
> Regards
>
> Victor
>
>
>
> On 20/09/18 at 07:37, Lalit Mohan S wrote:
> > I used Codacy (https://www.codacy.com/) for an open source project for
> > performing static code analysis, I felt it was quite comprehensive.
> >
> > Also, we could explore a working relationship with Synopsys (coverity) and
> > has readiness for CIT
> >
> > regards
> > Lalit
> >
> > On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sa...@gmail.com>
> > wrote:
> >
> >> Many thanks, James and Ed for valuable inputs.
> >>
> >> Regards,
> >> Sangamesh
> >>
> >> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:
> >>
> >>> James,
> >>>
> >>> Once again thanks for taking the time to share your wisdom with the
> group
> >>> and carry the conversation forward. Please see my replies inline:
> >>>
> >>>
> >>>
> >>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
> >>> wrote:
> >>>
> >>>> Hi Sangamesh -
> >>>>
> >>>> As a financial system of record Mifos was designed from the beginning to
> >>>> be secure on the basis of best practices in software architecture and the
> >>>> use of existing code libraries for security implementation. Design-wise,
> >>>> this would include having proper separation of roles, appropriate
> >>>> granularity of permissions, work flow (maker checker authorization)
> >>>> support, encrypted channels, runtime process isolation, audit logs, and
> >>>> secured databases.
> >>>>
> >>>> I'd like to raise some points related to your question:
> >>>> 1) Any security framework is only as strong as the weakest link.  A
> >>>> database may be fully encrypted and secure but if the private encryption
> >>>> keys are broadcast in the clear (a very bad idea) then you've undermined
> >>>> the model.  This has happened in closed-source mobile money applications
> >>>> run by reputable companies.
> >>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
> >>>>
> >>>>
> >>>> 2) Open source provides a way to inspect and determine if best practices
> >>>> are being followed.  One of the key issues with older security frameworks
> >>>> is that too many of them rely on "security through obscurity". Mifos and
> >>>> others invite inspection and bug reports.  I believe several efforts have
> >>>> looked at this, but security is an ongoing effort/philosophy, not a one
> >>>> time thing. Still, I wonder if we can get a white hat security team to
> >>>> review a deployment of Mifos apps + fineract.  As fineract grows in
> >>>> popularity (we hope and expect) this becomes more important.
> >>>>
> >>> Thanks to Lalit, we actually recently had some of the usability and
> >>> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
> >>> attached the two reports that they completed in the last week.
> >>>
> >>> I also want to point everyone to the static analysis and fixes that Thisura
> >>> did on Fineract 1.x as part of his 2017 GSOC program -
> >>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
> >>>
> >>>> 3) While the code may be written in the right way, operational
> >>>> deployment practices are often the primary way to ensure that disparate
> >>>> applications are able to be securely implemented. With the blending of
> >>>> dev-ops into coding, this can be more controlled in the code, but at the
> >>>> end of the day so much of security comes down to things like "has the recent
> >>>> server security patch been applied?", "has the VPN been implemented
> >>>> properly?", "was the root user hard coded into the internal data calls?",
> >>>> "have the passwords and keys been changed and kept secure?".
> >>>>
> >>>> 4) We are not adequately tracking security issues in deployments. There
> >>>> are reasons why companies may not want to share this information, but, I
> >>>> believe we will need to establish a security reporting process where known
> >>>> Mifos or Fineract solution providers can report what they've learned and
> >>>> what actions they've had to take to fend off an attack.
> >>>>
> >>> Apache has a well-defined security vulnerabilities policy with a clear
> >>> protocol <http://apache.org/security/committers.html> for confirming and
> >>> fixing any vulnerabilities that get reported to the Security team at
> >>> Apache <http://apache.org/security/> by individuals.
> >>>
> >>>> 5) I believe that what is needed is a Guide for Securing Mifos
> >>>> applications running in production. This could be a Guide that would walk
> >>>> through how to deploy and secure both the Apache fineract code and the
> >>>> Mifos Apps that are released in production.  The Security-Overview wiki is
> >>>> mostly aimed at that topic.
> >>>>
> >>>> So, I think the answers to the questions may involve looking at what you
> >>>> are trying to convey in those wiki pages. On the wiki page, can you point
> >>>> out where the questions exist more specifically?
> >>>>
> >>>> Second, if there are any security framework experts on this list, an
> >>>> audit of the fineract and mifos apps, using automated security probing
> >>>> tools (info sec tools like droidsqli on the android apps) would be a useful
> >>>> contribution, but perhaps we should have a secured test instance for that
> >>>> first. It would tell us where we are at. Yes?
> >>>>
> >>> We had some previous individuals with good expertise who were more
> >>> involved in the past. I'll try to get them re-engaged.
> >>>
> >>>
> >>>> Thanks,
> >>>> James
> >>>>
> >>>>
> >>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hello Dev,
> >>>>>
> >>>>> Below is a question which has been asked at
> >>>>> http://mifos.cloud.answerhub.com
> >>>>> by isabane on MifosConnect:
> >>>>> *How secure is Mifos? I mean, no one can attack me when I decided to
> >>>>> use Mifos as it is OpenSource*
> >>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
> >>>>>
> >>>>> Here are the links, which have the details but a few missing answers on
> >>>>> important questions. Can we have updates on the missing answers soon?
> >>>>> They explain how good the security architecture of the Mifos/Fineract
> >>>>> platform is:
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
> >>>>>
> >>>>> Thanks,
> >>>>> Sangamesh.N
> >>>>>
> >>> --
> >>> *Ed Cable*
> >>> President/CEO, Mifos Initiative
> >>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
> >>>
> >>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> >>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
> >>>
> >>> Mifos-developer mailing list
> >> mifos-developer@lists.sourceforge.net
> >> Unsubscribe or change settings at:
> >> https://lists.sourceforge.net/lists/listinfo/mifos-developer
>
>

-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>
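James's point 3 in the message quoted above reduces much of deployment security to a short list of operational questions: is a superuser account hard-coded into the data calls, have the default passwords and keys been changed, are they kept out of plain text, are channels encrypted. The following is an added example of turning that checklist into a pre-deployment configuration lint; it is not code from this thread or from the Mifos/Fineract project. The property names (`db.user`, `db.password`, `server.ssl.enabled`, `jwt.signing.key`), the default-credential list and both sample configurations are constructed for illustration and are not the project's real settings.

```python
"""Pre-deployment configuration lint for the operational checks in James's
point 3: privileged DB account, unchanged default passwords, key material or
passwords written in plain text, and unencrypted channels.

Added example. The property names, the default-credential list and the two
sample configurations below are constructed for illustration and are NOT
the Mifos/Fineract project's real settings.
"""
import re

# Constructed list of placeholder credentials a fresh install might ship with.
DEFAULT_CREDENTIALS = {"password", "changeme", "admin", "mifos", "root"}

# A value that references an external secret store (or an environment
# variable substituted at start-up) instead of holding the secret itself.
SECRET_REFERENCE = re.compile(r"^\$\{[A-Z0-9_]+\}$|^(vault|env)://")

# Accounts that should never be the application's database identity.
SUPERUSER_ACCOUNTS = {"root", "sa", "postgres"}


def parse_properties(text):
    """Parse simple key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_config(text):
    """Return a list of (severity, property, message) findings.

    An empty list means the configuration passed every check.
    """
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        lower_key = key.lower()
        # 1) "was the root user hard coded into the internal data calls?"
        if lower_key.endswith((".user", ".username")) and value.lower() in SUPERUSER_ACCOUNTS:
            findings.append(("HIGH", key, "application connects as a database superuser"))
        # 2) "have the passwords and keys been changed and kept secure?"
        if lower_key.endswith(("password", "secret", "key", "token")):
            if value.lower() in DEFAULT_CREDENTIALS:
                findings.append(("HIGH", key, "default credential has not been changed"))
            elif value and not SECRET_REFERENCE.match(value):
                findings.append(("MEDIUM", key, "secret stored in plain text; reference a secret store"))
    # 3) encrypted channels: TLS switched off on the API listener, or a JDBC
    #    URL that does not ask for TLS to the database.
    if props.get("server.ssl.enabled", "true").lower() == "false":
        findings.append(("HIGH", "server.ssl.enabled", "TLS disabled on the API listener"))
    db_url = props.get("db.url", "")
    if db_url.startswith("jdbc:") and "ssl=true" not in db_url.lower():
        findings.append(("MEDIUM", "db.url", "database connection does not require TLS"))
    return findings


# Constructed sample: roughly what an untouched default install might look like.
WEAK_CONFIG = """
db.url=jdbc:mysql://localhost:3306/ledger
db.user=root
db.password=password
server.ssl.enabled=false
jwt.signing.key=0123456789abcdef
"""

# Constructed sample: the same settings after the checklist has been applied.
HARDENED_CONFIG = """
db.url=jdbc:mysql://db.internal:3306/ledger?ssl=true
db.user=ledger_app
db.password=${DB_PASSWORD}
server.ssl.enabled=true
jwt.signing.key=vault://secret/ledger/jwt-signing-key
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for severity, prop, message in audit_config(cfg) or [("OK", "-", "no findings")]:
            print(f"  {severity:6} {prop:20} {message}")
```

Running the script prints five findings for the weak sample (superuser account, unchanged default password, plaintext signing key, TLS off on the listener, and a database URL without TLS) and none for the hardened one. A check like this belongs in the deployment pipeline before the service starts, so that a missed step in a production guide of the kind James proposes in point 5 fails loudly rather than silently.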

Re: [Mifos-developer] Question on - How secure is Mifos?

Posted by Victor Manuel Romero Rodriguez <vi...@fintecheando.mx>.
Hello,

We have used WhiteCode in the past. For open source projects a free
license is available.

https://www.whitesourcesoftware.com/

I think it is a more complete solution.

Regards

Victor



On 20/09/18 at 07:37, Lalit Mohan S wrote:
> I used Codacy (https://www.codacy.com/) for an open source project for
> performing static code analysis, I felt it was quite comprehensive.
>
> Also, we could explore a working relationship with Synopsys (coverity) and
> has readiness for CIT
>
> regards
> Lalit
>
> On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sa...@gmail.com>
> wrote:
>
>> Many thanks, James and Ed for valuable inputs.
>>
>> Regards,
>> Sangamesh
>>
>> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:
>>
>>> James,
>>>
>>> Once again thanks for taking the time to share your wisdom with the group
>>> and carry the conversation forward. Please see my replies inline:
>>>
>>>
>>>
>>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
>>> wrote:
>>>
>>>> Hi Sangamesh -
>>>>
>>>> As a financial system of record Mifos was designed from the beginning to
>>>> be secure on the basis of best practices in software architecture and the
>>>> use of existing code libraries for security implementation. Design-wise,
>>>> this would include having proper separation of roles, appropriate
>>>> granularity of permissions, work flow (maker checker authorization)
>>>> support, encrypted channels, runtime process isolation, audit logs, and
>>>> secured databases.
>>>>
>>>> I'd like to raise some points related to your question:
>>>> 1) Any security framework is only as strong as the weakest link.  A
>>>> database may be fully encrypted and secure but if the private encryption
>>>> keys are broadcast in the clear (a very bad idea) then you've undermined
>>>> the model.  This has happened in closed-source mobile money applications
>>>> run by reputable companies.
>>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>>>
>>>>
>>>> 2) Open source provides a way to inspect and determine if best practices
>>>> are being followed.  One of the key issues with older security frameworks
>>>> is that too many of them rely on "security through obscurity". Mifos and
>>>> others invite inspection and bug reports.  I believe several efforts have
>>>> looked at this, but security is an ongoing effort/philosophy, not a one
>>>> time thing. Still, I wonder if we can get a white hat security team to
>>>> review a deployment of Mifos apps + fineract.  As fineract grows in
>>>> popularity (we hope and expect) this becomes more important.
>>>>
>>> Thanks to Lalit, we actually recently had some of the usability and
>>> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
>>> attached the two reports that they completed in the last week.
>>>
>>> I also want to point everyone to the static analysis and fixes that Thisura
>>> did on Fineract 1.x as part of his 2017 GSOC program -
>>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>>>
>>>> 3) While the code may be written in the right way, operational
>>>> deployment practices are often the primary way to ensure that disparate
>>>> applications are able to be securely implemented. With the blending of
>>>> dev-ops into coding, this can be more controlled in the code, but at the
>>>> end of the day so much of security comes down to things like "has the recent
>>>> server security patch been applied?", "has the VPN been implemented
>>>> properly?", "was the root user hard coded into the internal data calls?",
>>>> "have the passwords and keys been changed and kept secure?".
>>>>
>>>> 4) We are not adequately tracking security issues in deployments. There
>>>> are reasons why companies may not want to share this information, but, I
>>>> believe we will need to establish a security reporting process where known
>>>> Mifos or Fineract solution providers can report what they've learned and
>>>> what actions they've had to take to fend off an attack.
>>>>
>>> Apache has a well-defined security vulnerabilities policy with a clear
>>> protocol <http://apache.org/security/committers.html> for confirming and
>>> fixing any vulnerabilities that get reported to the Security team at
>>> Apache <http://apache.org/security/> by individuals.
>>>
>>>> 5) I believe that what is needed is a Guide for Securing Mifos
>>>> applications running in production. This could be a Guide that would walk
>>>> through how to deploy and secure both the Apache fineract code and the
>>>> Mifos Apps that are released in production.  The Security-Overview wiki is
>>>> mostly aimed at that topic.
>>>>
>>>> So, I think the answers to the questions may involve looking at what you
>>>> are trying to convey in those wiki pages. On the wiki page, can you point
>>>> out where the questions exist more specifically?
>>>>
>>>> Second, if there are any security framework experts on this list, an
>>>> audit of the fineract and mifos apps, using automated security probing
>>>> tools (info sec tools like droidsqli on the android apps) would be a useful
>>>> contribution, but perhaps we should have a secured test instance for that
>>>> first. It would tell us where we are at. Yes?
>>>>
>>> We had some previous individuals with good expertise who were more
>>> involved in the past. I'll try to get them re-engaged.
>>>
>>>
>>>> Thanks,
>>>> James
>>>>
>>>>
>>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Dev,
>>>>>
>>>>> Below is a question which has been asked at
>>>>> http://mifos.cloud.answerhub.com
>>>>> by isabane on MifosConnect:
>>>>> *How secure is Mifos? I mean, no one can attack me when I decided to use
>>>>> Mifos as it is OpenSource*
>>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>>>>
>>>>> Here are the links, which have the details but a few missing answers on
>>>>> important questions. Can we have updates on the missing answers soon?
>>>>> They explain how good the security architecture of the Mifos/Fineract
>>>>> platform is:
>>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>>>
>>>>> Thanks,
>>>>> Sangamesh.N
>>>>>
>>> --
>>> *Ed Cable*
>>> President/CEO, Mifos Initiative
>>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>>
>>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>>
>>> Mifos-developer mailing list
>> mifos-developer@lists.sourceforge.net
>> Unsubscribe or change settings at:
>> https://lists.sourceforge.net/lists/listinfo/mifos-developer


Re: [Mifos-developer] Question on - How secure is Mifos?

Posted by Lalit Mohan S <sl...@gmail.com>.
I used Codacy (https://www.codacy.com/) for an open source project for
performing static code analysis, I felt it was quite comprehensive.

Also, we could explore a working relationship with Synopsys (coverity) and
has readiness for CIT

regards
Lalit

On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <sa...@gmail.com>
wrote:

> Many thanks, James and Ed for valuable inputs.
>
> Regards,
> Sangamesh
>
> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:
>
>> James,
>>
>> Once again thanks for taking the time to share your wisdom with the group
>> and carry the conversation forward. Please see my replies inline:
>>
>>
>>
>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
>> wrote:
>>
>>> Hi Sangamesh -
>>>
>>> As a financial system of record Mifos was designed from the beginning to
>>> be secure on the basis of best practices in software architecture and the
>>> use of existing code libraries for security implementation. Design-wise,
>>> this would include having proper separation of roles, appropriate
>>> granularity of permissions, work flow (maker checker authorization)
>>> support, encrypted channels, runtime process isolation, audit logs, and
>>> secured databases.
>>>
>>> I'd like to raise some points related to your question:
>>> 1) Any security framework is only as strong as the weakest link.  A
>>> database may be fully encrypted and secure but if the private encryption
>>> keys are broadcast in the clear (a very bad idea) then you've undermined
>>> the model.  This has happened in closed-source mobile money applications
>>> run by reputable companies.
>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>>
>>>
>>> 2) Open source provides a way to inspect and determine if best practices
>>> are being followed.  One of the key issues with older security frameworks
>>> is that too many of them rely on "security through obscurity". Mifos and
>>> others invite inspection and bug reports.  I believe several efforts have
>>> looked at this, but security is an ongoing effort/philosophy, not a one
>>> time thing. Still, I wonder if we can get a white hat security team to
>>> review a deployment of Mifos apps + fineract.  As fineract grows in
>>> popularity (we hope and expect) this becomes more important.
>>>
>>
>> Thanks to Lalit, we actually recently had some of the usability and
>> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
>> attached the two reports that they completed in the last week.
>>
>> I also want to point everyone to the static analysis and fixes that Thisura
>> did on Fineract 1.x as part of his 2017 GSOC program -
>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>>
>>>
>>> 3) While the code may be written in the right way, operational
>>> deployment practices are often the primary way to ensure that disparate
>>> applications are able to be securely implemented. With the blending of
>>> dev-ops into coding, this can be more controlled in the code, but at the
>>> end of the day so much of security comes down to things like "has the recent
>>> server security patch been applied?", "has the VPN been implemented
>>> properly?", "was the root user hard coded into the internal data calls?",
>>> "have the passwords and keys been changed and kept secure?".
>>>
>>> 4) We are not adequately tracking security issues in deployments. There
>>> are reasons why companies may not want to share this information, but, I
>>> believe we will need to establish a security reporting process where known
>>> Mifos or Fineract solution providers can report what they've learned and
>>> what actions they've had to take to fend off an attack.
>>>
>>
>> Apache has a well-defined security vulnerabilities policy with a clear
>> protocol <http://apache.org/security/committers.html> for confirming and
>> fixing any vulnerabilities that get reported to the Security team at
>> Apache <http://apache.org/security/> by individuals.
>>
>>>
>>> 5) I believe that what is needed is a Guide for Securing Mifos
>>> applications running in production. This could be a Guide that would walk
>>> through how to deploy and secure both the Apache fineract code and the
>>> Mifos Apps that are released in production.  The Security-Overview wiki is
>>> mostly aimed at that topic.
>>>
>>> So, I think the answers to the questions may involve looking at what you
>>> are trying to convey in those wiki pages. On the wiki page, can you point
>>> out where the questions exist more specifically?
>>>
>>> Second, if there are any security framework experts on this list, an
>>> audit of the fineract and mifos apps, using automated security probing
>>> tools (info sec tools like droidsqli on the android apps) would be a useful
>>> contribution, but perhaps we should have a secured test instance for that
>>> first. It would tell us where we are at. Yes?
>>>
>>
>> We had some previous individuals with good expertise who were more
>> involved in the past. I'll try to get them re-engaged.
>>
>>
>>>
>>> Thanks,
>>> James
>>>
>>>
>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
>>> wrote:
>>>
>>>> Hello Dev,
>>>>
>>>> Below is a question which has been asked at
>>>> http://mifos.cloud.answerhub.com
>>>> by isabane on MifosConnect:
>>>> *How secure is Mifos? I mean, no one can attack me when I decided to use
>>>> Mifos as it is OpenSource*
>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>>>
>>>> Here are the links, which have the details but a few missing answers on
>>>> important questions. Can we have updates on the missing answers soon?
>>>> They explain how good the security architecture of the Mifos/Fineract
>>>> platform is:
>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>>
>>>> Thanks,
>>>> Sangamesh.N
>>>>
>>>
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>
>> Mifos-developer mailing list
> mifos-developer@lists.sourceforge.net
> Unsubscribe or change settings at:
> https://lists.sourceforge.net/lists/listinfo/mifos-developer

Re: Question on - How secure is Mifos?

Posted by sangamesh n <sa...@gmail.com>.
Many thanks, James and Ed for valuable inputs.

Regards,
Sangamesh

On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:

> James,
>
> Once again thanks for taking the time to share your wisdom with the group
> and carry the conversation forward. Please see my replies inline:
>
>
>
> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
> wrote:
>
>> Hi Sangamesh -
>>
>> As a financial system of record Mifos was designed from the beginning to
>> be secure on the basis of best practices in software architecture and the
>> use of existing code libraries for security implementation. Design-wise,
>> this would include having proper separation of roles, appropriate
>> granularity of permissions, work flow (maker checker authorization)
>> support, encrypted channels, runtime process isolation, audit logs, and
>> secured databases.
>>
>> I'd like to raise some points related to your question:
>> 1) Any security framework is only as strong as the weakest link.  A
>> database may be fully encrypted and secure but if the private encryption
>> keys are broadcast in the clear (a very bad idea) then you've undermined
>> the model.  This has happened in closed-source mobile money applications
>> run by reputable companies.
>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>
>>
>> 2) Open source provides a way to inspect and determine if best practices
>> are being followed.  One of the key issues with older security frameworks
>> is that too many of them rely on "security through obscurity". Mifos and
>> others invite inspection and bug reports.  I believe several efforts have
>> looked at this, but security is an ongoing effort/philosophy, not a one
>> time thing. Still, I wonder if we can get a white hat security team to
>> review a deployment of Mifos apps + fineract.  As fineract grows in
>> popularity (we hope and expect) this becomes more important.
>>
>
> Thanks to Lalit, we actually recently had some of the usability and
> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
> attached the two reports that they completed in the last week.
>
> I also want to point everyone to the static analysis and fixes that Thisura
> did on Fineract 1.x as part of his 2017 GSOC program -
> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>
>>
>> 3) While the code may be written in the right way, operational deployment
>> practices are often the primary way to ensure that disparate applications
>> are able to be securely implemented. With the blending of dev-ops into
>> coding, this can be more controlled in the code, but at the end of the day
>> so much of security comes down to things like "has the recent server
>> security patch been applied?", "has the VPN been implemented properly?",
>> "was the root user hard coded into the internal data calls?",  "have the
>> passwords and keys been changed and kept secure?".
>>
>> 4) We are not adequately tracking security issues in deployments. There
>> are reasons why companies may not want to share this information, but, I
>> believe we will need to establish a security reporting process where known
>> Mifos or Fineract solution providers can report what they've learned and
>> what actions they've had to take to fend off an attack.
>>
>
> Apache has a well-defined security vulnerabilities policy with a clear
> protocol <http://apache.org/security/committers.html> for confirming and
> fixing any vulnerabilities that get reported to the Security team at
> Apache <http://apache.org/security/> by individuals.
>
>>
>> 5) I believe that what is needed is a Guide for Securing Mifos
>> applications running in production. This could be a Guide that would walk
>> through how to deploy and secure both the Apache fineract code and the
>> Mifos Apps that are released in production.  The Security-Overview wiki is
>> mostly aimed at that topic.
>>
>> So, I think the answers to the questions may involve looking at what you
>> are trying to convey in those wiki pages. On the wiki page, can you point
>> out where the questions exist more specifically?
>>
>> Second, if there are any security framework experts on this list, an
>> audit of the fineract and mifos apps, using automated security probing
>> tools (info sec tools like droidsqli on the android apps) would be a useful
>> contribution, but perhaps we should have a secured test instance for that
>> first. It would tell us where we are at. Yes?
>>
>
> We had some previous individuals with good expertise who were more
> involved in the past. I'll try to get them re-engaged.
>
>
>>
>> Thanks,
>> James
>>
>>
>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
>> wrote:
>>
>>> Hello Dev,
>>>
>>> Below is a question which has been asked at
>>> http://mifos.cloud.answerhub.com
>>> by isabane on MifosConnect:
>>> *How secure is Mifos? I mean, no one can attack me when I decided to use
>>> Mifos as it is OpenSource*
>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>>
>>> Here are the links, which have the details but a few missing answers on
>>> important questions. Can we have updates on the missing answers soon?
>>> They explain how good the security architecture of the Mifos/Fineract
>>> platform is:
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>
>>> Thanks,
>>> Sangamesh.N
>>>
>>
>
> --
> *Ed Cable*
> President/CEO, Mifos Initiative
> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>
> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>
>

Re: Question on - How secure is Mifos?

Posted by sangamesh n <sa...@gmail.com>.
Many thanks, James and Ed for valuable inputs.

Regards,
Sangamesh

On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <ed...@mifos.org> wrote:

> James,
>
> Once again thanks for taking the time to share your wisdom with the group
> and carry the conversation forward. Please see my replies inline:
>
>
>
> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
> wrote:
>
>> Hi Sangamesh -
>>
>> As a financial system of record Mifos was designed from the beginning to
>> be secure on the basis of best practices in software architecture and the
>> use of existing code libraries for security implementation. Design-wise,
>> this would include having proper separation of roles, appropriate
>> granularity of permissions, work flow (maker checker authorization)
>> support, encrypted channels, runtime process isolation, audit logs, and
>> secured databases.
>>
>> I'd like to raise some points related to your question:
>> 1) Any security framework is only as strong as the weakest link.  A
>> database may be fully encrypted and secure but if the private encryption
>> keys are broadcast in the clear (a very bad idea) then you've undermined
>> the model.  This has happened in closed-source mobile money applications
>> run by reputable companies.
>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>
>>
>> 2) Open source provides a way to inspect and determine if best practices
>> are being followed.  One of the key issues with older security frameworks
>> is that too many of them rely on "security through obscurity". Mifos and
>> others invite inspection and bug reports.  I believe several efforts have
>> looked at this, but security is an ongoing effort/philosophy, not a one
>> time thing. Still, I wonder if we can get a white hat security team to
>> review a deployment of Mifos apps + fineract.  As fineract grows in
>> popularity (we hope and expect) this becomes more important.
>>
>
> Thanks to the Lalit, we actually recently had some of the usability and
> security researches at IDRBT do a static analysis of Mifos Mobile. I've
> attached the two reports that they recently completed in the last week.
>
> I also want point everyone to the static analysis and fixes that Thisura
> did on Fineract 1.x as part of his 2017 GSOC program -
> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>
>>
>> 3) While the code may be written in the right way, operational deployment
>> practices are often the primary way to ensure that disparate applications
>> are able to be securely implemented. With the blending of dev-ops into
>> coding, this can be more controlled in the code, but at the end of the day
>> so much of security comes down to things like "has the recent server
>> security patch been applied?" "has the VPN been implemented properly?",
>> "was the root user hard coded into the internal data calls?",  "have the
>> passwords and keys been changed and kept secure?".
>>
>> 4) We are not adequately tracking security issues in deployments. There
>> are reasons why companies may not want to share this information, but, I
>> believe we will need to establish a security reporting process where known
>> Mifos or Fineract solution providers can report what they've learned and
>> what actions they've had to take to fend off an attack.
>>
>
> Apache has a well-defined security vulnerabilities policy with a clear
> protocol <http://apache.org/security/committers.html> for confirming and
> fixing any vulnerabilities that get reported to the Security team at
> Apache <http://apache.org/security/> by individuals.
>
>>
>> 5) I believe that what is needed is a Guide for Securing Mifos
>> applications running in production. This could be a Guide that would walk
>> through how to deploy and secure both the Apache fineract code and the
>> Mifos Apps that are released in production.  The Security-Overview wiki is
>> mostly aimed at that topic.
>>
>> So, I think the answers to the questions may involve looking at what you
>> are trying to convey in those wiki pages. On the wiki page, can you point
>> out where the questions exist more specifically?
>>
>> Second, if there are any security framework experts on this list, an
>> audit of the fineract and mifos apps, using automated security probing
>> tools (info sec tools like droidsqli on the android apps) would be a useful
>> contribution, but perhaps we should have a secured test instance for that
>> first. It would tell us where we are at. Yes?
>>
>
> We had some previous individuals with good expertise who were more
> involved in the past. I'll try to get them re-engaged.
>
>
>>
>> Thanks,
>> James
>>
>>
>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
>> wrote:
>>
>>> Hello Dev,
>>>
>>> Below is a question which has been asked at
>>> http://mifos.cloud.answerhub.com
>>> *How secure is Mifos? i mean no one can attack me when i decided to use
>>> Mifos as it is an OpenSource*
>>> <
>>> http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html
>>> >
>>> has been asked by isabane on MifosConnect
>>>
>>> Here are the links, which are having details with few missing answers on
>>> important questions. Can we have updates on missing answers soon?,
>>> wherein
>>> it explains how good is the security architecture of mifos/fineract
>>> platform
>>> - *
>>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>> <
>>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>> >*
>>> -
>>> *
>>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>> <
>>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>> >*
>>>
>>> Thanks,
>>> Sangamesh.N
>>>
>>
>
> --
> *Ed Cable*
> President/CEO, Mifos Initiative
> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>
> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>
>

Re: Question on - How secure is Mifos?

Posted by Ed Cable <ed...@mifos.org>.
James,

Once again thanks for taking the time to share your wisdom with the group
and carry the conversation forward. Please see my replies inline:



On Wed, Sep 19, 2018 at 10:18 AM James Dailey <ja...@gmail.com>
wrote:

> Hi Sangamesh -
>
> As a financial system of record Mifos was designed from the beginning to
> be secure on the basis of best practices in software architecture and the
> use of existing code libraries for security implementation. Design-wise,
> this would include having proper separation of roles, appropriate
> granularity of permissions, work flow (maker checker authorization)
> support, encrypted channels, runtime process isolation, audit logs, and
> secured databases.
>
> I'd like to raise some points related to your question:
> 1) Any security framework is only as strong as the weakest link.  A
> database may be fully encrypted and secure but if the private encryption
> keys are broadcast in the clear (a very bad idea) then you've undermined
> the model.  This has happened in closed-source mobile money applications
> run by reputable companies.
> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>
>
> 2) Open source provides a way to inspect and determine if best practices
> are being followed.  One of the key issues with older security frameworks
> is that too many of them rely on "security through obscurity". Mifos and
> others invite inspection and bug reports.  I believe several efforts have
> looked at this, but security is an ongoing effort/philosophy, not a one
> time thing. Still, I wonder if we can get a white hat security team to
> review a deployment of Mifos apps + fineract.  As fineract grows in
> popularity (we hope and expect) this becomes more important.
>

Thanks to Lalit, we actually recently had some of the usability and
security researchers at IDRBT do a static analysis of Mifos Mobile. I've
attached the two reports that they recently completed in the last week.

I also want to point everyone to the static analysis and fixes that Thisura
did on Fineract 1.x as part of his 2017 GSOC program -
https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit

>
> 3) While the code may be written in the right way, operational deployment
> practices are often the primary way to ensure that disparate applications
> are able to be securely implemented. With the blending of dev-ops into
> coding, this can be more controlled in the code, but at the end of the day
> so much of security comes down to things like "has the recent server
> security patch been applied?" "has the VPN been implemented properly?",
> "was the root user hard coded into the internal data calls?",  "have the
> passwords and keys been changed and kept secure?".
>
> 4) We are not adequately tracking security issues in deployments. There
> are reasons why companies may not want to share this information, but, I
> believe we will need to establish a security reporting process where known
> Mifos or Fineract solution providers can report what they've learned and
> what actions they've had to take to fend off an attack.
>

Apache has a well-defined security vulnerabilities policy with a clear
protocol <http://apache.org/security/committers.html> for confirming and
fixing any vulnerabilities that get reported to the Security team at Apache
<http://apache.org/security/> by individuals.

>
> 5) I believe that what is needed is a Guide for Securing Mifos
> applications running in production. This could be a Guide that would walk
> through how to deploy and secure both the Apache fineract code and the
> Mifos Apps that are released in production.  The Security-Overview wiki is
> mostly aimed at that topic.
>
> So, I think the answers to the questions may involve looking at what you
> are trying to convey in those wiki pages. On the wiki page, can you point
> out where the questions exist more specifically?
>
> Second, if there are any security framework experts on this list, an audit
> of the fineract and mifos apps, using automated security probing tools
> (info sec tools like droidsqli on the android apps) would be a useful
> contribution, but perhaps we should have a secured test instance for that
> first. It would tell us where we are at. Yes?
>

We had some previous individuals with good expertise who were more involved
in the past. I'll try to get them re-engaged.


>
> Thanks,
> James
>
>
> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com>
> wrote:
>
>> Hello Dev,
>>
>> Below is a question which has been asked at
>> http://mifos.cloud.answerhub.com
>> *How secure is Mifos? i mean no one can attack me when i decided to use
>> Mifos as it is an OpenSource*
>> <
>> http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html
>> >
>> has been asked by isabane on MifosConnect
>>
>> Here are the links, which are having details with few missing answers on
>> important questions. Can we have updates on missing answers soon?, wherein
>> it explains how good is the security architecture of mifos/fineract
>> platform
>> - *
>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>> <
>> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>> >*
>> -
>> *https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>> <https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>> >*
>>
>> Thanks,
>> Sangamesh.N
>>
>

-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>

Re: Question on - How secure is Mifos?

Posted by James Dailey <ja...@gmail.com>.
Hi Sangamesh -

As a financial system of record Mifos was designed from the beginning to be
secure on the basis of best practices in software architecture and the use
of existing code libraries for security implementation. Design-wise, this
would include having proper separation of roles, appropriate granularity of
permissions, work flow (maker checker authorization) support, encrypted
channels, runtime process isolation, audit logs, and secured databases.

I'd like to raise some points related to your question:
1) Any security framework is only as strong as the weakest link.  A
database may be fully encrypted and secure but if the private encryption
keys are broadcast in the clear (a very bad idea) then you've undermined
the model.  This has happened in closed-source mobile money applications
run by reputable companies.
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf


2) Open source provides a way to inspect and determine if best practices
are being followed.  One of the key issues with older security frameworks
is that too many of them rely on "security through obscurity". Mifos and
others invite inspection and bug reports.  I believe several efforts have
looked at this, but security is an ongoing effort/philosophy, not a one
time thing. Still, I wonder if we can get a white hat security team to
review a deployment of Mifos apps + fineract.  As fineract grows in
popularity (we hope and expect) this becomes more important.

3) While the code may be written in the right way, operational deployment
practices are often the primary way to ensure that disparate applications
are able to be securely implemented. With the blending of dev-ops into
coding, this can be more controlled in the code, but at the end of the day
so much of security comes down to things like "has the recent server
security patch been applied?" "has the VPN been implemented properly?",
"was the root user hard coded into the internal data calls?",  "have the
passwords and keys been changed and kept secure?".

4) We are not adequately tracking security issues in deployments. There are
reasons why companies may not want to share this information, but, I
believe we will need to establish a security reporting process where known
Mifos or Fineract solution providers can report what they've learned and
what actions they've had to take to fend off an attack.

5) I believe that what is needed is a Guide for Securing Mifos applications
running in production. This could be a Guide that would walk through how to
deploy and secure both the Apache fineract code and the Mifos Apps that are
released in production.  The Security-Overview wiki is mostly aimed at that
topic.

So, I think the answers to the questions may involve looking at what you
are trying to convey in those wiki pages. On the wiki page, can you point
out where the questions exist more specifically?

Second, if there are any security framework experts on this list, an audit
of the fineract and mifos apps, using automated security probing tools
(info sec tools like droidsqli on the android apps) would be a useful
contribution, but perhaps we should have a secured test instance for that
first. It would tell us where we are at. Yes?

Thanks,
James


On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sa...@gmail.com> wrote:

> Hello Dev,
>
> Below is a question which has been asked at
> http://mifos.cloud.answerhub.com
> *How secure is Mifos? i mean no one can attack me when i decided to use
> Mifos as it is an OpenSource*
> <
> http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html
> >
> has been asked by isabane on MifosConnect
>
> Here are the links, which are having details with few missing answers on
> important questions. Can we have updates on missing answers soon?, wherein
> it explains how good is the security architecture of mifos/fineract
> platform
> - *
> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
> <
> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
> >*
> -
> *https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
> <https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
> >*
>
> Thanks,
> Sangamesh.N
>
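
Editor's note: James's third point above reduces to a handful of questions that can be asked of a deployment before it goes live (is the application connecting as the database superuser, have the shipped passwords and keys been rotated, are the channels actually encrypted). What follows is an added example, not Fineract or Mifos code and not something from the wiki pages linked in this thread: a small pre-flight linter that applies those questions to a Java-style .properties file. The property names it looks for (db.user, db.password, db.url, server.ssl.enabled, tenant.encryption.key), the list of placeholder credentials and the sample configs are all assumptions chosen for illustration; map them onto whatever your own deployment really reads. The "has the recent server security patch been applied?" question is deliberately left out, since it cannot be answered from a config file offline.

```python
"""Deployment pre-flight linter for a Fineract/Mifos-style server config.

Added example, not Fineract or Mifos code. The property names (db.user,
db.password, db.url, server.ssl.enabled, tenant.encryption.key) and the
list of placeholder credentials are assumptions chosen for illustration;
map them to whatever your own deployment actually uses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values that ship as defaults in installers or docs and must be rotated
# before go-live (assumed list; extend it for your distribution).
PLACEHOLDER_SECRETS = {"", "password", "changeme", "mifos", "admin", "root"}

# Accounts that mean the application itself runs as the database superuser.
SUPERUSER_ACCOUNTS = {"root", "postgres", "sa"}

# Property names that hold credentials or key material (not key-store paths).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|\.key)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    key: str        # property that triggered the finding
    message: str


def parse_properties(text: str) -> dict[str, str]:
    """Parse a Java-style .properties file: key=value, '#' or '!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_injected(value: str) -> bool:
    """True when the value is a ${VAR} placeholder resolved from the
    environment or a secret store at start-up rather than stored on disk."""
    return value.startswith("${") and value.endswith("}")


def check_deployment(props: dict[str, str]) -> list[Finding]:
    """Apply the deployment-hygiene questions from the thread to one config."""
    findings: list[Finding] = []

    # "was the root user hard coded into the internal data calls?"
    db_user = props.get("db.user", "")
    if db_user in SUPERUSER_ACCOUNTS:
        findings.append(Finding("HIGH", "db.user",
            f"application connects as superuser '{db_user}'; "
            "create a least-privilege account that owns only its schema"))

    # "have the passwords and keys been changed and kept secure?"
    for key, value in props.items():
        if not SECRET_KEY_RE.search(key.lower()):
            continue
        if is_injected(value):
            continue  # pulled from env/secret store at runtime: acceptable
        if value.lower() in PLACEHOLDER_SECRETS:
            findings.append(Finding("HIGH", key,
                "default or empty credential still in place; rotate it"))
        else:
            findings.append(Finding("MEDIUM", key,
                "secret stored in plaintext config; inject it at start-up"))

    # Encrypted channels: client-facing TLS and the app-to-database link.
    if props.get("server.ssl.enabled", "true").lower() == "false":
        findings.append(Finding("HIGH", "server.ssl.enabled",
            "TLS disabled; credentials and account data cross the wire in clear"))
    db_url = props.get("db.url", "").lower()
    if "usessl=false" in db_url or "sslmode=disable" in db_url:
        findings.append(Finding("MEDIUM", "db.url",
            "database connection does not require TLS"))

    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Collapse findings into a single go/no-go level."""
    if any(f.severity == "HIGH" for f in findings):
        return "HIGH"
    return "MEDIUM" if findings else "NONE"


# Constructed sample configs (not real deployments).
SAMPLE_BAD = """
# fresh install, nothing changed since the installer ran
db.url=jdbc:mysql://db:3306/fineract_tenants?useSSL=false
db.user=root
db.password=mifos
server.ssl.enabled=false
tenant.encryption.key=changeme
"""

SAMPLE_GOOD = """
db.url=jdbc:mysql://db:3306/fineract_tenants?useSSL=true&requireSSL=true
db.user=fineract_app
db.password=${DB_PASSWORD}
server.ssl.enabled=true
server.ssl.key-store=/etc/fineract/keystore.p12
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
tenant.encryption.key=${TENANT_KEY}
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        found = check_deployment(parse_properties(cfg))
        print(f"{name}: {worst_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Run it against the real properties file in a CI step and fail the pipeline on HIGH. The ${VAR} convention is treated as acceptable because the secret then lives in the environment or a secret store rather than in a file that gets copied into backups and images; if your deployment resolves secrets some other way, adjust is_injected() accordingly rather than loosening the placeholder check.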