Details
Minor Description
As our product is core banking platform and our clients are financial institutions, we strive hard to make our code base as secure as possible. However, due to ever increasing security threats and vulnerabilities, it is the need of hour that we analyze our code base in depth for security vulnerabilities. During pull request merge process, we have a process in place wherein we do peer code review,QA and integration tests. This practice has been very effective and our community is already reaping the benefits of such a strong code review process. However, we should test our code against the standard vulnerabilities which have been identified by reputed organisations like Mitre to gain more confidence. It has become a critical part of independent and partner-led deployments
We can make use of opensource tools like Jlint, Findbugs , SonarQube or frameworks like Total output Integration Framework (TOIF) - used by companies dedicated to produce military grade secure systems. As our environments become more containerized we can also utilize tools like: Anchore, Snyk.io, and Docker Bench for Security
It would be worthwhile, if we can dedicate one GSOC project for this analysis and fixing of critical vulnerabilities and actual bugs. The student would be responsible to analyse the findings, generate reports, identify if it is really a bug and then submit a fix after consultation from the community. Of course, the student needs to demonstrate some basic understanding of security vulnerabilities( like buffer overflow etc) and should have some academic level of experience working with static analysis tools.
Prioritization of Focus would be on:
- Vulnerabilities, Hotspots, Bugs, and Code Smells in that order.