Fineract Cloud Native / FINCN-214

Static Analysis and Vulnerability Scanning of Apache Fineract CN


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: None
    • Labels:

      Description

      Overview & Objectives
      As our product is a core banking platform and our clients are financial institutions, we strive to make our code base as secure as possible. With security threats and vulnerabilities ever increasing, it is the need of the hour to analyse our code base in depth for security weaknesses. During the pull request merge process we have a process in place wherein we do peer code review, QA and integration tests. This practice has been very effective and our community is already reaping the benefits of such a strong code review process. However, to gain more confidence we should also test our code against the standard weakness classes catalogued by reputed organisations such as MITRE (the CWE list). This has become a critical part of independent and partner-led deployments.
      Description
      We can make use of open-source tools like Jlint, FindBugs (no longer maintained; SpotBugs is its maintained successor, and the find-sec-bugs plugin adds security-specific detectors for Java web code), SonarQube, or frameworks like the Tool Output Integration Framework (TOIF), which is used by companies dedicated to producing military-grade secure systems. As our environments become more containerized we can also utilize tools like Anchore, Snyk.io and Docker Bench for Security.
      It would be worthwhile if we could dedicate one GSoC project to this analysis. The student would be responsible for analysing the findings, generating reports, determining whether each finding is a true positive, and then submitting a fix after consulting the community. Of course, the student needs to demonstrate a basic understanding of security vulnerabilities (buffer overflows, injection flaws and the like) and should have some academic experience working with static analysis tools.
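      The triage step described above (read the scanner output, drop findings the community has already reviewed, rank what is left, and report it) is the part a student would script first. The following is an added example for this ticket, not code from Apache Fineract CN. It assumes SpotBugs/find-sec-bugs output in the SpotBugs BugCollection XML format; the SAMPLE_REPORT and the BASELINE set of instanceHash values are constructed for illustration, and the class and method names in them are hypothetical.

```python
"""Triage SpotBugs / find-sec-bugs XML output into a prioritised report.

Added example for the FINCN-214 proposal; not code from Apache Fineract CN.
Assumptions: findings arrive in the SpotBugs BugCollection XML format, and a
baseline holds instanceHash values the community has already reviewed and
accepted as false positives.
"""
from collections import Counter
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Constructed sample report (not real scanner output of the project).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="4.8.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="4" category="SECURITY" instanceHash="a1b2">
    <ShortMessage>Potential SQL injection</ShortMessage>
    <Class classname="org.example.CustomerRepository"/>
    <Method classname="org.example.CustomerRepository" name="findByName" signature="(Ljava/lang/String;)Ljava/util/List;" isStatic="false"/>
    <SourceLine classname="org.example.CustomerRepository" start="42" end="44" sourcefile="CustomerRepository.java"/>
  </BugInstance>
  <BugInstance type="HARD_CODE_PASSWORD" priority="2" rank="9" category="SECURITY" instanceHash="c3d4">
    <ShortMessage>Hard coded password</ShortMessage>
    <Class classname="org.example.DatabaseConfig"/>
    <Method classname="org.example.DatabaseConfig" name="dataSource" signature="()Ljavax/sql/DataSource;" isStatic="false"/>
    <SourceLine classname="org.example.DatabaseConfig" start="17" end="17" sourcefile="DatabaseConfig.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="17" category="I18N" instanceHash="e5f6">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="org.example.ReportExporter"/>
    <Method classname="org.example.ReportExporter" name="export" signature="()V" isStatic="false"/>
    <SourceLine classname="org.example.ReportExporter" start="88" end="88" sourcefile="ReportExporter.java"/>
  </BugInstance>
</BugCollection>
"""

# Constructed baseline: hashes reviewed earlier and agreed to be false positives.
BASELINE = {"e5f6"}


@dataclass(frozen=True)
class Finding:
    bug_type: str
    category: str
    priority: int   # SpotBugs confidence: 1 = high, 3 = low
    rank: int       # SpotBugs severity: 1 = scariest ... 20 = of concern
    instance_hash: str
    location: str


def rank_bucket(rank: int) -> str:
    """Map a SpotBugs rank to its named severity band."""
    if rank <= 4:
        return "scariest"
    if rank <= 9:
        return "scary"
    if rank <= 14:
        return "troubling"
    return "of concern"


def parse_report(xml_text: str) -> list[Finding]:
    """Extract one Finding per BugInstance element."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        method = bug.find("Method")
        line = bug.find("SourceLine")  # direct child: the primary source location
        location = "{}.{}:{}".format(
            method.get("classname") if method is not None else "?",
            method.get("name") if method is not None else "?",
            line.get("start") if line is not None else "?",
        )
        findings.append(Finding(
            bug_type=bug.get("type"),
            category=bug.get("category"),
            priority=int(bug.get("priority")),
            rank=int(bug.get("rank")),
            instance_hash=bug.get("instanceHash", ""),
            location=location,
        ))
    return findings


def triage(findings, baseline=frozenset(), worst_rank=20):
    """Drop accepted false positives and anything ranked worse than
    worst_rank, then order what remains most severe first (rank, then
    confidence). A lower rank number means a more serious finding."""
    kept = [f for f in findings
            if f.instance_hash not in baseline and f.rank <= worst_rank]
    return sorted(kept, key=lambda f: (f.rank, f.priority))


def summarize(findings):
    """Count open findings per category, e.g. {'SECURITY': 2}."""
    return dict(Counter(f.category for f in findings))


def render_report(findings) -> str:
    """One line per open finding, most severe first."""
    lines = ["{:<11} rank={:>2} prio={} {:<22} {}".format(
        rank_bucket(f.rank), f.rank, f.priority, f.bug_type, f.location)
        for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    open_findings = triage(parse_report(SAMPLE_REPORT), BASELINE)
    print(render_report(open_findings))
    print(summarize(open_findings))
```

      Running it on the constructed report leaves two open findings, the SQL injection first because rank 4 sits in the "scariest" band; the encoding finding is suppressed by the baseline rather than by severity, so the suppression is a reviewed decision that can be revisited later. The instanceHash attribute is used as the suppression key because it is stable across rebuilds, unlike line numbers.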
       
      Helpful Skills
      Java (Spring/JPA/Jersey), SQL, JavaScript, Git, Apache POI
      Impact
      Improved security, keeping the integrity and privacy of the underbanked's financial data intact.
      Other Resources
      Static Analysis of Apache Fineract Project - A GSoC project idea
      https://mifosforge.jira.com/wiki/spaces/projects/pages/183063580/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea

            People

            • Assignee: Unassigned
            • Reporter: sanyam96 (Sanyam Goel)
            • Votes: 0
            • Watchers: 3