[ https://issues.apache.org/jira/browse/FINCN-214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17113141#comment-17113141 ]

Michael Vorburger commented on FINCN-214:
-----------------------------------------

FINERACT-712 and my comments from today on some of the tools listed above may 
interest you in this context.

> Static Analysis and Vulnerability Scanning of Apache Fineract CN
> -----------------------------------------------------------------
>
>                 Key: FINCN-214
>                 URL: https://issues.apache.org/jira/browse/FINCN-214
>             Project: Fineract Cloud Native
>          Issue Type: Improvement
>            Reporter: Sanyam Goel
>            Priority: Major
>              Labels: gsoc, gsoc2020
>
> *Overview & Objectives*
> As our product is a core banking platform and our clients are financial
> institutions, we strive hard to make our code base as secure as possible.
> However, due to ever-increasing security threats and vulnerabilities, it is
> the need of the hour that we analyze our code base in depth for security
> vulnerabilities. During the pull request merge process, we have a process in
> place wherein we do peer code review, QA and integration tests. This practice
> has been very effective and our community is already reaping the benefits of
> such a strong code review process. However, we should test our code against
> the standard vulnerabilities which have been identified by reputed
> organisations like [Mitre|https://www.mitre.org/] to gain more confidence. It
> has become a critical part of independent and partner-led deployments.
>
> *Description*
> We can make use of open-source tools like
> [Jlint|http://jlint.sourceforge.net/],
> [Findbugs|http://findbugs.sourceforge.net/],
> [SonarQube|https://www.sonarqube.org/] or frameworks like the [Tool Output
> Integration Framework
> (TOIF)|http://kdmanalytics.com/resources/open-source-toif/], used by
> companies dedicated to producing military-grade secure systems. As our
> environments become more containerized we can also utilize tools like
> [Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/] and
> [Docker Bench for Security|https://github.com/docker/docker-bench-security].
> It would be worthwhile if we can dedicate one GSOC project to this
> analysis. The student would be responsible for analysing the findings,
> generating reports, identifying whether each one is really a bug and then
> submitting a fix after consultation with the community. Of course, the
> student needs to demonstrate some basic understanding of security
> vulnerabilities (like buffer overflow etc.) and should have some
> academic-level experience working with static analysis tools.
>
> *Helpful Skills*
> Java (Spring/JPA/Jersey), SQL, JavaScript, Git, Apache POI
>
> *Impact*
> Improved security, keeping the integrity and privacy of the underbanked's
> financial data intact.
>
> *Other Resources*
> [Static Analysis of Apache Fineract Project - A GSOC project
> idea|https://mifosforge.jira.com/wiki/spaces/projects/pages/183063580/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
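The quoted issue names FindBugs and SonarQube as candidate static analysers for the Java code base but does not show how such a tool is attached to a build. The Gradle fragment below is an added example, not code from the issue, the comment, or the Fineract CN repositories: it wires SpotBugs (the maintained successor of FindBugs) together with the Find Security Bugs detector plugin into a Java module's `check` task. The plugin and detector versions, the report path, and the choice to fail the build on any finding are assumptions made for illustration.

```groovy
// build.gradle for one Java module (assumed layout; added example only).
// SpotBugs replaces the unmaintained FindBugs; Find Security Bugs adds
// security-focused detectors (injection sinks, weak crypto, hard-coded secrets).
plugins {
    id 'java'
    id 'com.github.spotbugs' version '4.7.0'   // assumed plugin version
}

repositories {
    mavenCentral()
}

dependencies {
    // Security detectors loaded into the SpotBugs run; version is an assumption.
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.11.0'
}

spotbugs {
    ignoreFailures = false      // any finding fails `gradle check`
    effort = 'max'              // spend more analysis time to miss fewer bugs
    reportLevel = 'low'         // also report low-confidence findings; triage them
    showProgress = true
}

// HTML report for human triage; XML is the form a CI job or SonarQube would ingest.
spotbugsMain {
    reports {
        html {
            enabled = true
            destination = file("$buildDir/reports/spotbugs/main/spotbugs.html")
        }
        xml {
            enabled = false
        }
    }
}
```

Running `./gradlew check` then executes `spotbugsMain` on the compiled classes and writes the report; with `ignoreFailures = false` a finding stops the build, which matches the issue's intended flow of analysing each finding, deciding whether it is a real bug or a false positive, and only then fixing or suppressing it.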
