Static Analysis of Apache Fineract Project- A GSOC project idea

Motivation:

As our product is core banking platform and our clients are financial institutions, we strive hard to make our code base as secure as possible. However, due to ever increasing security threats and vulnerabilities, it is the need of hour that we analyse our code base in depth for security vulnerabilities. During pull request merge process, we have a process in place wherein we do peer code review,QA and integration tests. This practice has been very effective and our community is already reaping the benefits of such a strong code review process. However, we should test our code against the standard vulnerabilities which have been identified by reputed organisations like Mitre to gain more confidence.

Tools and Standard Organisation:

Mitre has identified about 1005 vulnerabilities, popularly known as Common Weakness Enumeration (CWE). It is virtually impossible to design a complete secure system and total secure system is a myth. Also, there is no tool which detects all the vulnerabilities in the system and different tools give different results. A detailed study of the tools is carried out by National Institute of Standards and Technology (NIST).  

Although a total secure system is a myth, we should at least check for common software vulnerabilities which have been there for years like Mitre Top 25 software vulnerabilities and have been causing menace. We can make use of opensource tools like JlintFindbugsSonarQube or frameworks like  Total output Integration Framework (TOIF) - used by companies dedicated to produce military grade secure systems. 

A potential GSOC project:

It would be worthwhile, if we can dedicate one GSOC project for this analysis. The student would be responsible to analyse the findings, generate reports, identify if it is really a bug and then submit a fix after consultation from the community. Of course, the student needs to demonstrate some basic understanding of security vulnerabilities( like buffer overflow etc) and should have some academic level of experience working with static analysis tools.

I would invite communities comments and thoughts about this project idea. If community sees this as potential project, we should take it up as GSOC project, provided we find a qualified candidate.