fineract-user mailing list archives

From Ed Cable <edca...@mifos.org>
Subject Re: Question on - How secure is Mifos?
Date Wed, 19 Sep 2018 17:51:02 GMT
James,

Once again thanks for taking the time to share your wisdom with the group
and carry the conversation forward. Please see my replies inline:
On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@gmail.com>
wrote:

> Hi Sangamesh -
>
> As a financial system of record Mifos was designed from the beginning to
> be secure on the basis of best practices in software architecture and the
> use of existing code libraries for security implementation. Design-wise,
> this would include having proper separation of roles, appropriate
> granularity of permissions, work flow (maker checker authorization)
> support, encrypted channels, runtime process isolation, audit logs, and
> secured databases.
>
> I'd like to raise some points related to your question:
> 1) Any security framework is only as strong as the weakest link.  A
> database may be fully encrypted and secure but if the private encryption
> keys are broadcast in the clear (a very bad idea) then you've undermined
> the model.  This has happened in closed-source mobile money applications
> run by reputable companies.
> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>
>
> 2) Open source provides a way to inspect and determine if best practices
> are being followed.  One of the key issues with older security frameworks
> is that too many of them rely on "security through obscurity". Mifos and
> others invite inspection and bug reports.  I believe several efforts have
> looked at this, but security is an ongoing effort/philosophy, not a one
> time thing. Still, I wonder if we can get a white hat security team to
> review a deployment of Mifos apps + fineract.  As fineract grows in
> popularity (we hope and expect) this becomes more important.
>

Thanks to Lalit, we actually recently had some of the usability and
security researchers at IDRBT do a static analysis of Mifos Mobile. I've
attached the two reports that they recently completed in the last week.

I also want to point everyone to the static analysis and fixes that Thisura
did on Fineract 1.x as part of his 2017 GSOC program:
https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit

>
> 3) While the code may be written in the right way, operational deployment
> practices are often the primary way to ensure that disparate applications
> are able to be securely implemented. With the blending of dev-ops into
> coding, this can be more controlled in the code, but at the end of the day
> so much of security comes down to things like "has the recent server
> security patch been applied?", "has the VPN been implemented properly?",
> "was the root user hard coded into the internal data calls?", "have the
> passwords and keys been changed and kept secure?".
>
> 4) We are not adequately tracking security issues in deployments. There
> are reasons why companies may not want to share this information, but, I
> believe we will need to establish a security reporting process where known
> Mifos or Fineract solution providers can report what they've learned and
> what actions they've had to take to fend off an attack.
>

Apache has a well-defined security vulnerabilities policy with a clear
protocol <http://apache.org/security/committers.html> for confirming and
fixing any vulnerabilities that get reported to the Security team at Apache
<http://apache.org/security/> by individuals.

>
> 5) I believe that what is needed is a Guide for Securing Mifos
> applications running in production. This could be a Guide that would walk
> through how to deploy and secure both the Apache fineract code and the
> Mifos Apps that are released in production.  The Security-Overview wiki is
> mostly aimed at that topic.
>
> So, I think the answers to the questions may involve looking at what you
> are trying to convey in those wiki pages. On the wiki page, can you point
> out where the questions exist more specifically?
>
> Second, if there are any security framework experts on this list, an audit
> of the fineract and mifos apps, using automated security probing tools
> (info sec tools like droidsqli on the android apps) would be a useful
> contribution, but perhaps we should have a secured test instance for that
> first. It would tell us where we are at. Yes?
>

We had some previous individuals with good expertise who were more involved
in the past. I'll try to get them re-engaged.


>
> Thanks,
> James
>
>
> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@gmail.com>
> wrote:
>
>> Hello Dev,
>>
>> Below is a question which has been asked at
>> http://mifos.cloud.answerhub.com
>> "How secure is Mifos? I mean no one can attack me when I decided to use
>> Mifos as it is an OpenSource"
>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>> has been asked by isabane on MifosConnect
>>
>> Here are the links, which have the details, with a few missing answers on
>> important questions. Can we have updates on the missing answers soon? They
>> explain how good the security architecture of the mifos/fineract platform
>> is:
>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>
>> Thanks,
>> Sangamesh.N
>>
>

-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries* | http://mifos.org
<http://facebook.com/mifos> <http://www.twitter.com/mifos>
