
Re: Question on - How secure is Mifos?


James,

Once again thanks for taking the time to share your wisdom with the group and carry the conversation forward. Please see my replies inline:



On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@xxxxxxxxx> wrote:
Hi Sangamesh - 

As a financial system of record Mifos was designed from the beginning to be secure on the basis of best practices in software architecture and the use of existing code libraries for security implementation. Design-wise, this would include having proper separation of roles, appropriate granularity of permissions, work flow (maker checker authorization) support, encrypted channels, runtime process isolation, audit logs, and secured databases. 

I'd like to raise some points related to your question:  
1) Any security framework is only as strong as the weakest link.  A database may be fully encrypted and secure but if the private encryption keys are broadcast in the clear (a very bad idea) then you've undermined the model.  This has happened in closed-source mobile money applications run by reputable companies.  https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf 

2) Open source provides a way to inspect and determine if best practices are being followed.  One of the key issues with older security frameworks is that too many of them rely on "security through obscurity". Mifos and others invite inspection and bug reports.  I believe several efforts have looked at this, but security is an ongoing effort/philosophy, not a one time thing. Still, I wonder if we can get a white hat security team to review a deployment of Mifos apps + fineract.  As fineract grows in popularity (we hope and expect) this becomes more important. 

Thanks to Lalit, we actually recently had some of the usability and security researchers at IDRBT do a static analysis of Mifos Mobile. I've attached the two reports that they completed in the last week.

I also want to point everyone to the static analysis and fixes that Thisura did on Fineract 1.x as part of his 2017 GSOC program - https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit

3) While the code may be written in the right way, operational deployment practices are often the primary way to ensure that disparate applications are able to be securely implemented. With the blending of dev-ops into coding, this can be more controlled in the code, but at the end of the day so much of security comes down to things like "has the recent server security patch been applied?", "has the VPN been implemented properly?", "was the root user hard coded into the internal data calls?", "have the passwords and keys been changed and kept secure?".

4) We are not adequately tracking security issues in deployments. There are reasons why companies may not want to share this information, but, I believe we will need to establish a security reporting process where known Mifos or Fineract solution providers can report what they've learned and what actions they've had to take to fend off an attack.

Apache has a well-defined security vulnerabilities policy with a clear protocol for confirming and fixing any vulnerabilities that get reported to the Security team at Apache by individuals.

5) I believe that what is needed is a Guide for Securing Mifos applications running in production. This could be a Guide that would walk through how to deploy and secure both the Apache fineract code and the Mifos Apps that are released in production.  The Security-Overview wiki is mostly aimed at that topic.  

So, I think the answers to the questions may involve looking at what you are trying to convey in those wiki pages. On the wiki page, can you point out where the questions exist more specifically?  

Second, if there are any security framework experts on this list, an audit of the fineract and mifos apps, using automated security probing tools (info sec tools like droidsqli on the android apps) would be a useful contribution, but perhaps we should have a secured test instance for that first. It would tell us where we are at. Yes?

We had some previous individuals with good expertise who were more involved in the past. I'll try to get them re-engaged.
 

Thanks, 
James 


On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@xxxxxxxxx> wrote:
Hello Dev,

Below is a question which has been asked at http://mifos.cloud.answerhub.com by isabane on MifosConnect:

*How secure is Mifos? i mean no one can attack me when i decided to use Mifos as it is an OpenSource*
<http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>

Here are the links, which have the details but are missing a few answers on important questions. Can we have updates on the missing answers soon? These pages explain how good the security architecture of the mifos/fineract platform is:
- https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
- https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model

Thanks,
Sangamesh.N


--
Ed Cable
President/CEO, Mifos Initiative
edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649

Collectively Creating a World of 3 Billion Maries | http://mifos.org  

Attachment: mifos_mobilebanking.docx
Description: MS-Word 2007 document

Attachment: Dynamic Mifos.docx
Description: MS-Word 2007 document