Devs - You can find our current security page at https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report
CONTEXT

1. The Apache Fineract project welcomes reports by security experts to identify issues - and applies a risk framework for reported issues.

2. Apache Fineract follows the framework for vulnerabilities called "DREAD" and works with the Apache security team for assignment of severity of vulnerability.

3. DREAD scores five categories, which are summed together and divided by five; the result is a score from 0-10 where 0 indicates no impact and 10 is the worst possible outcome:

   Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

4. As Fineract is used in banking and financial services, where confidence in account transactions and validity of account information is a requirement, the potential for Damage is always high.

5. System integrators and deployment users should be aware that they should apply their own security practices on top of Fineract.

6. The Fineract Code Review Guide <https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide> already includes two security related questions:
   - Is the code free of code injection vulnerabilities?
   - Does the code adequately protect sensitive data such as passwords, user names, and financial information?
   and, to this we would add:
   - Is the feature at least as secure as it was before this code change?

ASKING FOR YOUR HELP

1. To assist with real world implementation, the Fineract Security Tip Sheet (wiki page) is a proposed set of "best practices" and we invite people with experience in these deployments to provide further information. To illustrate trivially, *https* with signed certificates should be used for all servers in production.

2. I now invite you to share your experiences and results of security practices. Have you used Fineract in production and created a secure environment? Passed a security audit? Do you have a checklist?

3. If you wish to report a security vulnerability or to share privately your security approach, the email is [email protected] (monitored by a few Committers in the project).

Thank you for your contributions to the project.

- James
