Many thanks, James and Ed, for valuable inputs.

Regards,
Sangamesh
On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <edca...@mifos.org> wrote:

> James,
>
> Once again thanks for taking the time to share your wisdom with the group and carry the conversation forward. Please see my replies inline:
>
> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdai...@gmail.com> wrote:
>
>> Hi Sangamesh -
>>
>> As a financial system of record Mifos was designed from the beginning to be secure on the basis of best practices in software architecture and the use of existing code libraries for security implementation. Design-wise, this would include having proper separation of roles, appropriate granularity of permissions, work flow (maker checker authorization) support, encrypted channels, runtime process isolation, audit logs, and secured databases.
>>
>> I'd like to raise some points related to your question:
>>
>> 1) Any security framework is only as strong as the weakest link. A database may be fully encrypted and secure but if the private encryption keys are broadcast in the clear (a very bad idea) then you've undermined the model. This has happened in closed-source mobile money applications run by reputable companies.
>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>
>> 2) Open source provides a way to inspect and determine if best practices are being followed. One of the key issues with older security frameworks is that too many of them rely on "security through obscurity". Mifos and others invite inspection and bug reports. I believe several efforts have looked at this, but security is an ongoing effort/philosophy, not a one time thing. Still, I wonder if we can get a white hat security team to review a deployment of Mifos apps + fineract. As fineract grows in popularity (we hope and expect) this becomes more important.
>
> Thanks to Lalit, we actually recently had some of the usability and security researchers at IDRBT do a static analysis of Mifos Mobile. I've attached the two reports that they recently completed in the last week.
>
> I also want to point everyone to the static analysis and fixes that Thisura did on Fineract 1.x as part of his 2017 GSOC program -
> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>
>> 3) While the code may be written in the right way, operational deployment practices are often the primary way to ensure that disparate applications are able to be securely implemented. With the blending of dev-ops into coding, this can be more controlled in the code, but at the end of the day so much of security comes down to things like "has the recent server security patch been applied?", "has the VPN been implemented properly?", "was the root user hard coded into the internal data calls?", "have the passwords and keys been changed and kept secure?".
>>
>> 4) We are not adequately tracking security issues in deployments. There are reasons why companies may not want to share this information, but I believe we will need to establish a security reporting process where known Mifos or Fineract solution providers can report what they've learned and what actions they've had to take to fend off an attack.
>
> Apache has a well-defined security vulnerabilities policy with a clear protocol <http://apache.org/security/committers.html> for confirming and fixing any vulnerabilities that get reported to the Security team at Apache <http://apache.org/security/> by individuals.
>
>> 5) I believe that what is needed is a Guide for Securing Mifos applications running in production. This could be a Guide that would walk through how to deploy and secure both the Apache fineract code and the Mifos Apps that are released in production. The Security-Overview wiki is mostly aimed at that topic.
>>
>> So, I think the answers to the questions may involve looking at what you are trying to convey in those wiki pages. On the wiki page, can you point out where the questions exist more specifically?
>>
>> Second, if there are any security framework experts on this list, an audit of the fineract and mifos apps, using automated security probing tools (info sec tools like droidsqli on the android apps) would be a useful contribution, but perhaps we should have a secured test-instance for that first. It would tell us where we are at. Yes?
>
> We had some previous individuals with good expertise who were more involved in the past. I'll try to get them re-engaged.
>
>> Thanks,
>> James
>>
>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshc...@gmail.com> wrote:
>>
>>> Hello Dev,
>>>
>>> Below is a question which has been asked at http://mifos.cloud.answerhub.com
>>> "How secure is Mifos? i mean no one can attack me when i decided to use Mifos as it is an OpenSource"
>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>> has been asked by isabane on MifosConnect
>>>
>>> Here are the links, which have details with a few missing answers on important questions. Can we have updates on the missing answers soon? They explain how good the security architecture of the mifos/fineract platform is:
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>
>>> Thanks,
>>> Sangamesh.N
>
> --
> Ed Cable
> President/CEO, Mifos Initiative
> edca...@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>
> Collectively Creating a World of 3 Billion Maries | http://mifos.org
> <http://facebook.com/mifos> <http://www.twitter.com/mifos>
_______________________________________________
Mifos-users mailing list
Mifos-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-users