Sanyam Goel created FINCN-214:
---------------------------------
Summary: Static Analysis and Vulnerability Scanning of Apache Fineract CN
Key: FINCN-214
URL: https://issues.apache.org/jira/browse/FINCN-214
Project: Fineract Cloud Native
Issue Type: Improvement
Reporter: Sanyam Goel
|*Overview & Objectives*
As our product is a core banking platform and our clients are financial
institutions, we strive hard to make our code base as secure as possible.
However, due to ever-increasing security threats and vulnerabilities, it is the
need of the hour that we analyse our code base in depth for security
vulnerabilities. During the pull request merge process, we have a process in place
wherein we do peer code review, QA and integration tests. This practice has been
very effective and our community is already reaping the benefits of such a
strong code review process. However, we should also test our code against the
standard vulnerability classes which have been catalogued by reputed organisations
like [Mitre|https://www.mitre.org/] to gain more confidence. This has become a
critical part of independent and partner-led deployments.|
|*Description*
We can make use of open-source tools like [Jlint|http://jlint.sourceforge.net/],
[Findbugs|http://findbugs.sourceforge.net/],
[SonarQube|https://www.sonarqube.org/] or frameworks like the [Tool Output
Integration Framework
(TOIF)|http://kdmanalytics.com/resources/open-source-toif/], which is used by companies
dedicated to producing military-grade secure systems. As our environments become
more containerized we can also utilize tools like
[Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/], and
[Docker Bench for Security|https://github.com/docker/docker-bench-security].
It would be worthwhile if we could dedicate one GSOC project to this analysis.
The student would be responsible for analysing the findings, generating reports,
identifying whether each finding is really a bug, and then submitting a fix after
consultation with the community. Of course, the student needs to demonstrate some basic
understanding of security vulnerabilities (like buffer overflows, etc.) and should
have some academic-level experience working with static analysis tools.
|
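The triage workflow the description asks of the student (read the scanner output, produce a report, separate real bugs from false positives, and decide whether the build should be blocked) can be scripted against the XML that Findbugs and its successor SpotBugs emit. The following is an added example and not code from the Fineract CN project or from this ticket; the sample report, the class names and the bug instances in it are constructed for illustration, and the triage list and thresholds are hypothetical policy choices.

```python
"""Triage a FindBugs/SpotBugs-style XML report: summarise, suppress reviewed
false positives, and decide whether the findings should fail a build.
Added example, not Fineract code; the report below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the BugCollection format FindBugs/SpotBugs write.
# Bug pattern names are real FindBugs patterns; the classes are invented.
SAMPLE_REPORT = """<BugCollection version="3.0.1">
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" category="SECURITY">
    <Class classname="org.example.ledger.AccountRepository"/>
    <SourceLine classname="org.example.ledger.AccountRepository" start="42" end="42" sourcefile="AccountRepository.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" category="CORRECTNESS">
    <Class classname="org.example.ledger.TransferService"/>
    <SourceLine classname="org.example.ledger.TransferService" start="88" end="88" sourcefile="TransferService.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" category="I18N">
    <Class classname="org.example.report.CsvExporter"/>
    <SourceLine classname="org.example.report.CsvExporter" start="17" end="17" sourcefile="CsvExporter.java"/>
  </BugInstance>
</BugCollection>
"""


def parse_report(xml_text):
    """Flatten each BugInstance into a dict. FindBugs priority: 1 = high, 3 = low."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        line = bug.find("SourceLine")
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),
            "category": bug.get("category", "UNKNOWN"),
            "class": bug.find("Class").get("classname"),
            "file": line.get("sourcefile") if line is not None else None,
            "line": int(line.get("start")) if line is not None else None,
        })
    return findings


def apply_triage(findings, reviewed_false_positives):
    """Drop findings a reviewer has already judged to be false positives.
    The suppression key is (bug type, class) so a fresh finding of the same
    pattern in another class is still reported."""
    return [f for f in findings
            if (f["type"], f["class"]) not in reviewed_false_positives]


def summarize(findings):
    """Count findings per (category, priority) for the report header."""
    return Counter((f["category"], f["priority"]) for f in findings)


def should_fail(findings, max_priority=1, blocking_categories=("SECURITY",)):
    """Block the build if any remaining finding is at or above the priority
    threshold (1 is the highest) or belongs to a blocking category."""
    return any(f["priority"] <= max_priority or f["category"] in blocking_categories
               for f in findings)


def render_report(findings):
    """One line per finding, most severe first, in file:line form."""
    rows = []
    for f in sorted(findings, key=lambda f: (f["priority"], f["category"])):
        rows.append(f"P{f['priority']} {f['category']:<12} {f['type']} {f['file']}:{f['line']}")
    return "\n".join(rows)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    # Hypothetical triage decision: the encoding warning was reviewed and accepted.
    remaining = apply_triage(found, {("DM_DEFAULT_ENCODING", "org.example.report.CsvExporter")})
    print(render_report(remaining))
    print(dict(summarize(remaining)))
    print("FAIL" if should_fail(remaining) else "PASS")
```

Keeping the suppression list in the repository alongside the scanner configuration gives the reviewed-false-positive decisions a history the community can audit, which is the part of the proposed project that an automated tool cannot do on its own.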
|*Helpful Skills*
*Java (Spring/JPA/Jersey), SQL, JavaScript, Git, Apache POI*|
|*Impact*
Improved security, keeping the integrity and privacy of the underbanked's
financial data intact.|
|[*Other Resources* Static Analysis of Apache Fineract Project - A GSOC project idea|https://mifosforge.jira.com/wiki/spaces/projects/pages/183063580/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea]|
--
This message was sent by Atlassian Jira
(v8.3.4#803005)