I used Codacy (https://www.codacy.com/) for an open source project for performing static code analysis; I felt it was quite comprehensive.
Also, we could explore a working relationship with Synopsys (coverity) and has readiness for CIT

regards
Lalit

On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <[email protected]> wrote:
> Many thanks, James and Ed for valuable inputs.
>
> Regards,
> Sangamesh
>
> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <[email protected]> wrote:
>
>> James,
>>
>> Once again thanks for taking the time to share your wisdom with the group and carry the conversation forward. Please see my replies inline:
>>
>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <[email protected]> wrote:
>>
>>> Hi Sangamesh -
>>>
>>> As a financial system of record Mifos was designed from the beginning to be secure on the basis of best practices in software architecture and the use of existing code libraries for security implementation. Design-wise, this would include having proper separation of roles, appropriate granularity of permissions, work flow (maker checker authorization) support, encrypted channels, runtime process isolation, audit logs, and secured databases.
>>>
>>> I'd like to raise some points related to your question:
>>> 1) Any security framework is only as strong as the weakest link. A database may be fully encrypted and secure but if the private encryption keys are broadcast in the clear (a very bad idea) then you've undermined the model. This has happened in closed-source mobile money applications run by reputable companies.
>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>>
>>> 2) Open source provides a way to inspect and determine if best practices are being followed. One of the key issues with older security frameworks is that too many of them rely on "security through obscurity". Mifos and others invite inspection and bug reports. I believe several efforts have looked at this, but security is an ongoing effort/philosophy, not a one time thing. Still, I wonder if we can get a white hat security team to review a deployment of Mifos apps + fineract. As fineract grows in popularity (we hope and expect) this becomes more important.
>>>
>> Thanks to Lalit, we actually recently had some of the usability and security researchers at IDRBT do a static analysis of Mifos Mobile. I've attached the two reports that they recently completed in the last week.
>>
>> I also want to point everyone to the static analysis and fixes that Thisura did on Fineract 1.x as part of his 2017 GSOC program - https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>>
>>> 3) While the code may be written in the right way, operational deployment practices are often the primary way to ensure that disparate applications are able to be securely implemented. With the blending of dev-ops into coding, this can be more controlled in the code, but at the end of the day so much of security comes down to things like "has the recent server security patch been applied?", "has the VPN been implemented properly?", "was the root user hard coded into the internal data calls?", "have the passwords and keys been changed and kept secure?".
>>>
>>> 4) We are not adequately tracking security issues in deployments. There are reasons why companies may not want to share this information, but, I believe we will need to establish a security reporting process where known Mifos or Fineract solution providers can report what they've learned and what actions they've had to take to fend off an attack.
>>>
>> Apache has a well-defined security vulnerabilities policy with a clear protocol <http://apache.org/security/committers.html> for confirming and fixing any vulnerabilities that get reported to the Security team at Apache <http://apache.org/security/> by individuals.
>>
>>> 5) I believe that what is needed is a Guide for Securing Mifos applications running in production. This could be a Guide that would walk through how to deploy and secure both the Apache fineract code and the Mifos Apps that are released in production. The Security-Overview wiki is mostly aimed at that topic.
>>>
>>> So, I think the answers to the questions may involve looking at what you are trying to convey in those wiki pages. On the wiki page, can you point out where the questions exist more specifically?
>>>
>>> Second, if there are any security framework experts on this list, an audit of the fineract and mifos apps, using automated security probing tools (info sec tools like droidsqli on the android apps) would be a useful contribution, but perhaps we should have a secured test-instance for that first. It would tell us where we are at. Yes?
>>>
>> We had some previous individuals with good expertise who were more involved in the past. I'll try to get them re-engaged.
>>
>>> Thanks,
>>> James
>>>
>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <[email protected]> wrote:
>>>
>>>> Hello Dev,
>>>>
>>>> Below is a question which has been asked at http://mifos.cloud.answerhub.com
>>>> *How secure is Mifos? I mean no one can attack me when I decided to use Mifos as it is an OpenSource*
>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>>> has been asked by isabane on MifosConnect
>>>>
>>>> Here are the links, which are having details with few missing answers on important questions. Can we have updates on missing answers soon, wherein it explains how good the security architecture of the mifos/fineract platform is?
>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>>
>>>> Thanks,
>>>> Sangamesh.N
>>>>
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> [email protected] | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos> <http://www.twitter.com/mifos>
>>
> Mifos-developer mailing list
> [email protected]
> Unsubscribe or change settings at:
> https://lists.sourceforge.net/lists/listinfo/mifos-developer
