fineract-user mailing list archives

From Ed Cable <>
Subject Re: Question on - How secure is Mifos?
Date Wed, 19 Sep 2018 17:51:02 GMT

Once again thanks for taking the time to share your wisdom with the group
and carry the conversation forward. Please see my replies inline:

On Wed, Sep 19, 2018 at 10:18 AM James Dailey <>

> Hi Sangamesh -
> As a financial system of record Mifos was designed from the beginning to
> be secure on the basis of best practices in software architecture and the
> use of existing code libraries for security implementation. Design-wise,
> this would include having proper separation of roles, appropriate
> granularity of permissions, work flow (maker checker authorization)
> support, encrypted channels, runtime process isolation, audit logs, and
> secured databases.
> I'd like to raise some points related to your question:
> 1) Any security framework is only as strong as the weakest link.  A
> database may be fully encrypted and secure but if the private encryption
> keys are broadcast in the clear (a very bad idea) then you've undermined
> the model.  This has happened in closed-source mobile money applications
> run by reputable companies.
> 2) Open source provides a way to inspect and determine if best practices
> are being followed.  One of the key issues with older security frameworks
> is that too many of them rely on "security through obscurity". Mifos and
> others invite inspection and bug reports.  I believe several efforts have
> looked at this, but security is an ongoing effort/philosophy, not a one
> time thing. Still, I wonder if we can get a white hat security team to
> review a deployment of Mifos apps + fineract.  As fineract grows in
> popularity (we hope and expect) this becomes more important.

Thanks to Lalit, we actually recently had some of the usability and
security researchers at IDRBT do a static analysis of Mifos Mobile. I've
attached the two reports that they completed in the last week.

I also want to point everyone to the static analysis and fixes that Thisura
did on Fineract 1.x as part of his 2017 GSOC program -

> 3) While the code may be written in the right way, operational deployment
> practices are often the primary way to ensure that disparate applications
> are able to be securely implemented. With the blending of dev-ops into
> coding, this can be more controlled in the code, but at the end of the day
> so much of security comes down to things like "has the recent server
> security patch been applied?", "has the VPN been implemented properly?",
> "was the root user hard coded into the internal data calls?", "have the
> passwords and keys been changed and kept secure?".
> 4) We are not adequately tracking security issues in deployments. There
> are reasons why companies may not want to share this information, but, I
> believe we will need to establish a security reporting process where known
> Mifos or Fineract solution providers can report what they've learned and
> what actions they've had to take to fend off an attack.

Apache has a well-defined security vulnerabilities policy with a clear
protocol <> for confirming and fixing any vulnerabilities that get reported
to the Security team at Apache <> by individuals.

> 5) I believe that what is needed is a Guide for Securing Mifos
> applications running in production. This could be a Guide that would walk
> through how to deploy and secure both the Apache fineract code and the
> Mifos Apps that are released in production.  The Security-Overview wiki is
> mostly aimed at that topic.
> So, I think the answers to the questions may involve looking at what you
> are trying to convey in those wiki pages. On the wiki page, can you point
> out where the questions exist more specifically?
> Second, if there are any security framework experts on this list, an audit
> of the fineract and mifos apps, using automated security probing tools
> (info sec tools like droidsqli on the android apps) would be a useful
> contribution, but perhaps we should have a secured test instance for that
> first. It would tell us where we are at. Yes?

We had some previous individuals with good expertise who were more involved
in the past. I'll try to get them re-engaged.

> Thanks,
> James
> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <>
> wrote:
>> Hello Dev,
>> Below is a question which has been asked at
>> *How secure is Mifos? I mean no one can attack me when I decided to use
>> Mifos as it is an OpenSource*
>> <>
>> has been asked by isabane on MifosConnect
>> Here are the links, which have the details, with a few missing answers on
>> important questions. Can we have updates on the missing answers soon? They
>> explain how good the security architecture of the mifos/fineract platform
>> is.
>> - <>
>> - <>
>> Thanks,
>> Sangamesh.N

*Ed Cable*
President/CEO, Mifos Initiative | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries*
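James's point 3 above is really an operational checklist (a root account wired into the application's data calls, default passwords and keys never changed, endpoints not on an encrypted channel), and his point 1 is the same idea applied to encryption keys left in the clear. As an added example that is not part of this thread and is not Fineract's or Mifos's own code, here is a small Python audit that parses a deployment environment file and flags exactly those weak settings, with the corrected file beside it. The variable names, the values in the weak file, and the `${SECRET_STORE:...}` placeholder convention are all constructed for illustration; they are not Fineract's real configuration keys or its shipped defaults.

```python
"""Deployment-practice audit for a constructed environment file.

Flags the operational weaknesses named in the thread: a privileged (root)
account used for the application's data calls, default passwords and keys
left in place, and API endpoints served over a plaintext channel.
"""

# Constructed sample input. Variable names and values are hypothetical; they
# are not Fineract's real configuration keys or its shipped defaults.
WEAK_ENV = """\
# database the platform uses for its data calls
FINERACT_DB_USER=root
FINERACT_DB_PASSWORD=mysql
# endpoint the mobile and web apps talk to
FINERACT_API_URL=http://fineract.example.internal:8080/fineract-provider/api/v1
FINERACT_JWT_SIGNING_KEY=change-me
ADMIN_PASSWORD=password
"""

# The same file after the checklist has been applied: a dedicated DB account,
# secrets pulled from a secret store at start-up (assumed ${...} convention),
# and TLS on the API endpoint.
HARDENED_ENV = """\
FINERACT_DB_USER=fineract_app
FINERACT_DB_PASSWORD=${SECRET_STORE:fineract/db-password}
FINERACT_API_URL=https://fineract.example.internal:8443/fineract-provider/api/v1
FINERACT_JWT_SIGNING_KEY=${SECRET_STORE:fineract/jwt-signing-key}
ADMIN_PASSWORD=${SECRET_STORE:fineract/admin-password}
"""

PRIVILEGED_ACCOUNTS = {"root", "admin", "sa", "postgres"}
DEFAULT_SECRETS = {"password", "mysql", "change-me", "changeit", "secret", "admin", "root"}
SECRET_MARKERS = ("PASSWORD", "SECRET", "KEY", "TOKEN")
MIN_SECRET_LENGTH = 16


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def is_secret_reference(value):
    """True when the value is a placeholder resolved from a secret store at
    start-up (the hypothetical ${...} convention), not a literal secret."""
    return value.startswith("${") and value.endswith("}")


def audit(env):
    """Return (variable, problem) pairs for every weak setting found."""
    findings = []
    for key, value in env.items():
        name = key.upper()
        # "was the root user hard coded into the internal data calls?"
        if name.endswith("_USER") and value.lower() in PRIVILEGED_ACCOUNTS:
            findings.append((key, "privileged account used for application data calls"))
        # "have the passwords and keys been changed and kept secure?"
        if any(marker in name for marker in SECRET_MARKERS) and not is_secret_reference(value):
            if value.lower() in DEFAULT_SECRETS:
                findings.append((key, "shipped default secret has not been changed"))
            elif len(value) < MIN_SECRET_LENGTH:
                findings.append((key, "secret is too short; generate a random one and store it outside the config"))
        # encrypted channels: the apps must not reach the API over plain HTTP
        if name.endswith("_URL") and value.lower().startswith("http://"):
            findings.append((key, "plaintext channel; serve the endpoint over https://"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        problems = audit(parse_env(text))
        print(f"{label}: {len(problems)} finding(s)")
        for variable, problem in problems:
            print(f"  {variable}: {problem}")
```

Run against the weak file it reports five findings (root DB user, two default passwords, a default signing key, and an http:// endpoint); against the hardened file it reports none, because the secrets are references into a store rather than literals in the config. A check like this belongs in the deployment pipeline rather than in a one-off review, which is the "ongoing effort" point James makes above.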
