Rahul Goel created FINERACT-1580:
------------------------------------
Summary: Fix Critical Vulnerabilities from Static Analysis and
Vulnerability Scanning of Apache Fineract 1.x
Key: FINERACT-1580
URL: https://issues.apache.org/jira/browse/FINERACT-1580
Project: Apache Fineract
Issue Type: Improvement
Reporter: Rahul Goel
As our product is a core banking platform and our clients are financial
institutions, we strive hard to make our code base as secure as possible.
However, due to ever-increasing security threats and vulnerabilities, it is the
need of the hour that we analyze our code base in depth for security
vulnerabilities. During the pull request merge process, we have a process in place
wherein we do peer code review, QA and integration tests. This practice has been
very effective and our community is already reaping the benefits of such a
strong code review process. However, we should also test our code against the
standard vulnerabilities identified by reputed organisations
like [Mitre|https://www.mitre.org/] to gain more confidence. It has become a
critical part of independent and partner-led deployments.
We can make use of open-source tools like [Jlint|http://jlint.sourceforge.net/],
[Findbugs|http://findbugs.sourceforge.net/],
[SonarQube|https://www.sonarqube.org/] or frameworks like [Total output
Integration Framework
(TOIF)|http://kdmanalytics.com/resources/open-source-toif/], which is used by companies
dedicated to producing military-grade secure systems. As our environments become
more containerized, we can also utilize tools like
[Anchore|https://anchore.com/opensource/], [Snyk.io|https://snyk.io/], and
[Docker Bench for Security|https://github.com/docker/docker-bench-security].
It would be worthwhile if we could dedicate one GSOC project to this analysis
and to fixing the critical vulnerabilities and actual bugs it uncovers. The student would be
responsible for analysing the findings, generating reports, identifying whether each finding is really
a bug and then submitting a fix after consultation with the community. Of course,
the student needs to demonstrate some basic understanding of security
vulnerabilities (like buffer overflow etc.) and should have some academic-level
experience working with static analysis tools.
Prioritization of focus would be on:
* Vulnerabilities, Hotspots, Bugs, and Code Smells in that order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)