Community mailing list archives

community@mail.odoo.com

Re: Crowd funding the Odoo Penetration Test

by
OpusVL, Nuria Arranz-Velazquez
- 06/26/2015 09:14:38
I think that's brilliant, Ondrej; please do continue with the good work.

+1

On 26/06/15 13:57, Ondrej Kuznik wrote:
> Hi Nuria, community,
>
> as someone who has reported several critical security issues in the
> platform and just completed the first stage of a comprehensive audit of
> the core Odoo codebase (and helping Odoo address any concerns raised
> during this), I think I should chip in:
>
> Yes, it is true that Odoo has not invested nearly enough time into
> making its platform as secure as it should have done while marketing the
> notion that the opposite is true. However, now that they are aware that
> problems exist, things now seem to be changing and there is an
> initiative to make amends and encourage best practices. That includes
> having the source code audited.
>
> Regarding the rest of the email, we too share the goal to increase
> security and raise Odoo's profile and thus are in favor of a penetration
> test to be done to gauge the state of the publicly accessible features
> of the site, especially the CMS which is very young and constitutes
> venturing into an unexplored territory for Odoo.
>
> For anything else (particularly the modules you mention), a
> comprehensive audit of the actual modules+core would be more appropriate,
> and these are either already covered by the audit I have just completed or
> planned for its future stages.
>
> As a team of people who have a deep understanding of Odoo, and with me
> personally having spent the past five years evangelising good security
> awareness and making various software and systems more secure, we
> believe that we are in a better position to find issues that an
> uninitiated auditor could miss.
>
> Regardless of whether an external auditor will be taken on to the task,
> we will carry on with the next phases of the audit we have already started.
>
> If there is enough interest in the community to expedite this, we can
> make sure this gets more resources committed to it and help make the
> results available sooner.
>
> Regards,
> Ondrej Kuznik
>
> -- 
> Consultant
> credativ Ltd
> Suite 5, Bloxam Court
> Corporation Street           UK office:  +44 1788 298150
> Rugby                        Email:      ondrej.kuznik@credativ.co.uk
> CV21 2DU                     Web:        http://www.credativ.co.uk
> --
> credativ Ltd is registered in England & Wales, company no. 5261743
> Certified by CompTIA / AccredIT UK with the ICT Supply standard of
> quality for Software Product Design and Development
>


-- 
N. Arranz-Velazquez
OpusVL Odoo Specialist Team (OOST)
Product Owner

OpusVL
Drury House
Drury Lane
Rugby
CV21 3DE

T: 01788 298 450
W: www.opusvl.com