You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@fineract.apache.org by "Sanyam Goel (Jira)" <ji...@apache.org> on 2020/03/20 17:18:00 UTC

[jira] [Created] (FINCN-214) Static Analysis and Vulnerability Scanning of Apache Fineract CN

Sanyam Goel created FINCN-214:
---------------------------------

             Summary: Static Analysis and Vulnerability Scanning of Apache Fineract CN 
                 Key: FINCN-214
                 URL: https://issues.apache.org/jira/browse/FINCN-214
             Project: Fineract Cloud Native
          Issue Type: Improvement
            Reporter: Sanyam Goel


|*Overview & Objectives*
As our product is core banking platform and our clients are financial institutions, we strive hard to make our code base as secure as possible. However, due to ever increasing security threats and vulnerabilities, it is the need of hour that we analyze our code base in depth for security vulnerabilities. During pull request merge process, we have a process in place wherein we do peer code review,QA and integration tests. This practice has been very effective and our community is already reaping the benefits of such a strong code review process. However, we should test our code against the standard vulnerabilities which have been identified by reputed organisations like [Mitre|https://www.mitre.org/] to gain more confidence. It has become a critical part of independent and partner-led deployments|
|*Description*
We can make use of opensource tools like [Jlint|http://jlint.sourceforge.net/], [Findbugs|http://findbugs.sourceforge.net/] , [SonarQube|https://www.sonarqube.org/] or frameworks like  [Total output Integration Framework (TOIF)|http://kdmanalytics.com/resources/open-source-toif/] - used by companies dedicated to produce military grade secure systems. As our environments become more containerized we can also utilize tools like: [Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/], and [Docker Bench for Security|https://github.com/docker/docker-bench-security]
It would be worthwhile, if we can dedicate one GSOC project for this analysis. The student would be responsible to analyse the findings, generate reports, identify if it is really a bug and then submit a fix after consultation from the community. Of course, the student needs to demonstrate some basic understanding of security vulnerabilities( like buffer overflow etc) and should have some academic level of experience working with static analysis tools.
 |
|*Helpful Skills*
*Java (Spring/JPA/Jersey), SQL , JavaScript , Git, Apache POI*|
|*Impact*
Improved security keeping the integrity and privacy of the underbank's financial data intact.|
|[*Other Resources*
Static Analysis of Apache Fineract Project- A GSOC project idea|https://mifosforge.jira.com/wiki/spaces/projects/pages/183063580/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea]|



--
This message was sent by Atlassian Jira
(v8.3.4#803005)