Community mailing list archives
Re: Crowd funding the Odoo Penetration Test
I am heading up this Indiegogo campaign and will publish Monday latest but, all going well, before then. It would be really good to have you involved with the technical phase.
The fund raising will run through July and the audit is planned for August. If there are patches created, it makes sense to have these installed before the audit.
As you are just across the road from us, it may be worthwhile getting together mid July once we know how the fund-raising is progressing.
I am also interested to work with other partners who can add value to the project so can pick up conversations once the campaign is launched.
Hi Nuria, community,
as someone who has reported several critical security issues in the platform and just completed the first stage of a comprehensive audit of the core Odoo codebase (and helping Odoo address any concerns raised during this), I think I should chip in:
Yes, it is true that Odoo has not invested nearly enough time into making its platform as secure as it should have done while marketing the notion that the opposite is true. However, now that they are aware that problems exist, things now seem to be changing and there is an initiative to make amends and encourage best practices. That includes having the source code audited.
Regarding the rest of the email, we too share the goal to increase security and raise Odoo's profile and thus are in favor of a penetration test to be done to gauge the state of the publicly accessible features of the site, especially the CMS which is very young and constitutes venturing into an unexplored territory for Odoo. For anything else (particularly the modules you mention), a comprehensive audit of the actual modules+core would be more appropriate and are either already covered by the audit I have just completed or planned for its future stages.
As a team of people who have deep understanding of Odoo and me personally having spent the past five years evangelising good security awareness and making various software and systems more secure, we believe that we are in a better position to find issues that an uninitiated auditor could miss.
Regardless of whether an external auditor will be taken on to the task, we will carry on with the next phases of the audit we have already started. If there is enough interest in the community to expedite this, we can make sure this gets more resources committed to it and help make the results available sooner.
Regards,
Ondrej Kuznik
--
Consultant
credativ Ltd
Suite 5, Bloxam Court, Corporation Street, Rugby, CV21 2DU
UK office: +44 1788 298150
Email: firstname.lastname@example.org
Web: http://www.credativ.co.uk
--
credativ Ltd is registered in England & Wales, company no. 5261743
Certified by CompTIA / AccredIT UK with the ICT Supply standard of quality for Software Product Design and Development
Stuart J Mackintosh
Director / Owner
Business management software - Joined-up, flexible & open
• Open Source Specialists
T: 01788 298 450
DDI: 01788 298 457