Hello James,

For Mifos/Fineract, in practice we use the Risk Assessment Control as part of the Risk Management.

There are different layers in Risk and also the level of impacts. Most of them are related to identifying:

- The Risks
- The Controls

This is work that is done with the CISO (Chief Information Security Officer), which at least in Mexico is a position required in the Financial Institution by the regulators.

We create another matrix for setting the: Risk Category, Risk, Control, Action Plan (Project or Process).

A quick example is visible here (Spanish version): https://docs.google.com/presentation/d/1R7GyEo-vReT0dTwBXi_lQVWYEoku9gmITzHb-uaE54M/edit?usp=sharing

I am ccing Raul, who will help us to share this checklist (English version).

It is important to mention that we used automated tools for gathering information (statically and dynamically); also, the Financial Institutions can request external parties to do these audits.

Regards

On Wed, 6 Oct 2021 at 14:02, James Dailey (<[email protected]>) wrote:

> Devs -
>
> You can find our current security page at
> https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report
>
> CONTEXT
>
> 1. The Apache Fineract project welcomes reports by security experts to identify issues - and applies a risk framework for reported issues.
> 2. Apache Fineract follows the framework for vulnerabilities called "DREAD" and works with the Apache security team for assignment of severity of vulnerability.
> 3. DREAD scores five categories, which are summed together and divided by five; the result is a score from 0-10 where 0 indicates no impact and 10 is the worst possible outcome: Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
> 4. As Fineract is used in banking and financial services, where confidence in account transactions and validity of account information is a requirement, the potential for Damage is always high.
> 5. System integrators and deployment users should be aware that they should apply their own security practices on top of Fineract.
> 6. Fineract Code review <https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide> already includes two security related questions: "Is the code free of code injection vulnerabilities?" and "Does the code adequately protect sensitive data such as passwords, user names, and financial information?" and, to this we would add: "Is the feature at least as secure as it was before this code change?"
>
> ASKING FOR YOUR HELP
>
> 1. To assist with real world implementation, the Fineract Security Tip Sheet (wiki page) is a proposed set of "best practices" and we invite people with experience in these deployments to provide further information. To illustrate trivially, *https* with signed certificates should be used for all servers in production.
> 2. I now invite you to share your experiences and results of security practices. Have you used Fineract in production and created a secure environment? Passed a security audit? Do you have a checklist?
> 3. If you wish to report a security vulnerability or to share privately your security approach, the email is [email protected] (monitored by a few Committers in the project).
>
> Thank you for your contributions to the project.
>
> - James
