Victor,

Thanks for this suggestion. I have a request in for a free license from White Source.

Ed

On Sat, Sep 29, 2018 at 9:50 PM Victor Manuel Romero Rodriguez <[email protected]> wrote:
> Hello,
>
> We have used WhiteCode in the past. For open source projects a free license is available.
>
> https://www.whitesourcesoftware.com/
>
> I think it is a more complete solution.
>
> Regards
>
> Victor
>
> On 20/09/18 at 07:37, Lalit Mohan S wrote:
> > I used Codacy (https://www.codacy.com/) for an open source project for performing static code analysis; I felt it was quite comprehensive.
> >
> > Also, we could explore a working relationship with Synopsys (Coverity), which has readiness for CIT.
> >
> > regards
> > Lalit
> >
> > On Thu, Sep 20, 2018 at 11:20 AM sangamesh n <[email protected]> wrote:
> >> Many thanks, James and Ed, for the valuable inputs.
> >>
> >> Regards,
> >> Sangamesh
> >>
> >> On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <[email protected]> wrote:
> >>> James,
> >>>
> >>> Once again thanks for taking the time to share your wisdom with the group and carry the conversation forward. Please see my replies inline:
> >>>
> >>> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <[email protected]> wrote:
> >>>> Hi Sangamesh -
> >>>>
> >>>> As a financial system of record, Mifos was designed from the beginning to be secure on the basis of best practices in software architecture and the use of existing code libraries for security implementation. Design-wise, this would include having proper separation of roles, appropriate granularity of permissions, workflow (maker-checker authorization) support, encrypted channels, runtime process isolation, audit logs, and secured databases.
> >>>>
> >>>> I'd like to raise some points related to your question:
> >>>>
> >>>> 1) Any security framework is only as strong as the weakest link. A database may be fully encrypted and secure, but if the private encryption keys are broadcast in the clear (a very bad idea) then you've undermined the model. This has happened in closed-source mobile money applications run by reputable companies.
> >>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
> >>>>
> >>>> 2) Open source provides a way to inspect and determine if best practices are being followed. One of the key issues with older security frameworks is that too many of them rely on "security through obscurity". Mifos and others invite inspection and bug reports. I believe several efforts have looked at this, but security is an ongoing effort/philosophy, not a one-time thing. Still, I wonder if we can get a white hat security team to review a deployment of Mifos apps + Fineract. As Fineract grows in popularity (we hope and expect) this becomes more important.
> >>>>
> >>> Thanks to Lalit, we actually recently had some of the usability and security researchers at IDRBT do a static analysis of Mifos Mobile. I've attached the two reports that they completed in the last week.
> >>>
> >>> I also want to point everyone to the static analysis and fixes that Thisura did on Fineract 1.x as part of his 2017 GSOC program:
> >>> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
> >>>
> >>>> 3) While the code may be written in the right way, operational deployment practices are often the primary way to ensure that disparate applications are able to be securely implemented. With the blending of dev-ops into coding, this can be more controlled in the code, but at the end of the day so much of security comes down to things like "has the recent server security patch been applied?", "has the VPN been implemented properly?", "was the root user hard-coded into the internal data calls?", "have the passwords and keys been changed and kept secure?".
> >>>>
> >>>> 4) We are not adequately tracking security issues in deployments. There are reasons why companies may not want to share this information, but I believe we will need to establish a security reporting process where known Mifos or Fineract solution providers can report what they've learned and what actions they've had to take to fend off an attack.
> >>>>
> >>> Apache has a well-defined security vulnerabilities policy with a clear protocol <http://apache.org/security/committers.html> for confirming and fixing any vulnerabilities that get reported to the Security team at Apache <http://apache.org/security/> by individuals.
> >>>
> >>>> 5) I believe that what is needed is a Guide for Securing Mifos applications running in production. This could be a Guide that would walk through how to deploy and secure both the Apache Fineract code and the Mifos Apps that are released in production. The Security-Overview wiki is mostly aimed at that topic.
> >>>>
> >>>> So, I think the answers to the questions may involve looking at what you are trying to convey in those wiki pages. On the wiki page, can you point out where the questions exist more specifically?
> >>>>
> >>>> Second, if there are any security framework experts on this list, an audit of the Fineract and Mifos apps, using automated security probing tools (info sec tools like droidsqli on the Android apps), would be a useful contribution, but perhaps we should have a secured test instance for that first. It would tell us where we are at. Yes?
> >>>>
> >>> We had some previous individuals with good expertise who were more involved in the past. I'll try to get them re-engaged.
> >>>
> >>>> Thanks,
> >>>> James
> >>>>
> >>>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <[email protected]> wrote:
> >>>>> Hello Dev,
> >>>>>
> >>>>> Below is a question which has been asked at http://mifos.cloud.answerhub.com
> >>>>> *How secure is Mifos? I mean no one can attack me when I decided to use Mifos as it is an OpenSource*
> >>>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
> >>>>> It has been asked by isabane on MifosConnect.
> >>>>>
> >>>>> Here are the links, which have details with a few missing answers on important questions. Can we have updates on the missing answers soon? They explain how good the security architecture of the Mifos/Fineract platform is:
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
> >>>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
> >>>>>
> >>>>> Thanks,
> >>>>> Sangamesh.N
> >>>>>
> >>> --
> >>> *Ed Cable*
> >>> President/CEO, Mifos Initiative
> >>> [email protected] | Skype: edcable | Mobile: +1.484.477.8649
> >>>
> >>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> >>> <http://facebook.com/mifos> <http://www.twitter.com/mifos>
