Re: Question on - How secure is Mifos?


Many thanks, James and Ed for valuable inputs.

Regards,
Sangamesh

On Wed, Sep 19, 2018 at 11:21 PM Ed Cable <edcable@xxxxxxxxx> wrote:

> James,
>
> Once again thanks for taking the time to share your wisdom with the group
> and carry the conversation forward. Please see my replies inline:
>
>
>
> On Wed, Sep 19, 2018 at 10:18 AM James Dailey <jamespdailey@xxxxxxxxx>
> wrote:
>
>> Hi Sangamesh -
>>
>> As a financial system of record Mifos was designed from the beginning to
>> be secure on the basis of best practices in software architecture and the
>> use of existing code libraries for security implementation. Design-wise,
>> this would include having proper separation of roles, appropriate
>> granularity of permissions, work flow (maker checker authorization)
>> support, encrypted channels, runtime process isolation, audit logs, and
>> secured databases.
>>
>> I'd like to raise some points related to your question:
>> 1) Any security framework is only as strong as the weakest link.  A
>> database may be fully encrypted and secure but if the private encryption
>> keys are broadcast in the clear (a very bad idea) then you've undermined
>> the model.  This has happened in closed-source mobile money applications
>> run by reputable companies.
>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-reaves-mobile_0.pdf
>>
>>
>> 2) Open source provides a way to inspect and determine if best practices
>> are being followed.  One of the key issues with older security frameworks
>> is that too many of them rely on "security through obscurity". Mifos and
>> others invite inspection and bug reports.  I believe several efforts have
>> looked at this, but security is an ongoing effort/philosophy, not a one
>> time thing. Still, I wonder if we can get a white hat security team to
>> review a deployment of Mifos apps + fineract.  As fineract grows in
>> popularity (we hope and expect) this becomes more important.
>>
>
> Thanks to Lalit, we actually recently had some of the usability and
> security researchers at IDRBT do a static analysis of Mifos Mobile. I've
> attached the two reports that they completed in the last week.
>
> I also want to point everyone to the static analysis and fixes that Thisura
> did on Fineract 1.x as part of his 2017 GSOC program -
> https://docs.google.com/document/d/1cBTgO1HBxznVzzT4INUszLXuWCh_FPT6b02m3rTJjHs/edit
>
>>
>> 3) While the code may be written in the right way, operational deployment
>> practices are often the primary way to ensure that disparate applications
>> are able to be securely implemented. With the blending of dev-ops into
>> coding, this can be more controlled in the code, but at the end of the day
>> so much of security comes down to things like "has the recent server
>> security patch been applied?", "has the VPN been implemented properly?",
>> "was the root user hard-coded into the internal data calls?", "have the
>> passwords and keys been changed and kept secure?".
>>
>> 4) We are not adequately tracking security issues in deployments. There
>> are reasons why companies may not want to share this information, but, I
>> believe we will need to establish a security reporting process where known
>> Mifos or Fineract solution providers can report what they've learned and
>> what actions they've had to take to fend off an attack.
>>
>
> Apache has a well-defined security vulnerabilities policy with a clear
> protocol <http://apache.org/security/committers.html> for confirming and
> fixing any vulnerabilities that get reported to the Security team at
> Apache <http://apache.org/security/> by individuals.
>
>>
>> 5) I believe that what is needed is a Guide for Securing Mifos
>> applications running in production. This could be a Guide that would walk
>> through how to deploy and secure both the Apache fineract code and the
>> Mifos Apps that are released in production.  The Security-Overview wiki is
>> mostly aimed at that topic.
>>
>> So, I think the answers to the questions may involve looking at what you
>> are trying to convey in those wiki pages. On the wiki page, can you point
>> out where the questions exist more specifically?
>>
>> Second, if there are any security framework experts on this list, an
>> audit of the fineract and mifos apps, using automated security probing
>> tools (infosec tools like droidsqli on the android apps) would be a useful
>> contribution, but perhaps we should have a secured test instance for that
>> first. It would tell us where we are at. Yes?
>>
>
> We had some previous individuals with good expertise who were more
> involved in the past. I'll try to get them re-engaged.
>
>
>>
>> Thanks,
>> James
>>
>>
>> On Tue, Sep 18, 2018 at 3:47 AM sangamesh n <sangameshcfsl@xxxxxxxxx>
>> wrote:
>>
>>> Hello Dev,
>>>
>>> Below is a question which has been asked at
>>> http://mifos.cloud.answerhub.com
>>> *How secure is Mifos? I mean no one can attack me when I decide to use
>>> Mifos as it is OpenSource*
>>> <http://mifos.cloud.answerhub.com/questions/3067/how-secure-is-mifos-i-mean-no-one-can-attack-me-wh.html>
>>> has been asked by isabane on MifosConnect
>>>
>>> Here are the links, which have the details but are missing answers to a
>>> few important questions. Can we have updates on the missing answers
>>> soon? They explain how good the security architecture of the
>>> mifos/fineract platform is:
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456731/Security+Overview
>>> - https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456745/Threat+Model
>>>
>>> Thanks,
>>> Sangamesh.N
>>>
>>
>
> --
> *Ed Cable*
> President/CEO, Mifos Initiative
> edcable@xxxxxxxxx | Skype: edcable | Mobile: +1.484.477.8649
>
> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>
>