Community mailing list archives

community@mail.odoo.com

Re: Crowd funding the Odoo Penetration Test

by
OpusVL, Stuart J Mackintosh
- 06/26/2015 11:51:40
Ondrej,

I am heading up this Indiegogo campaign and will publish Monday at the latest but, all going well, before then; it would be really good to have you involved with the technical phase.

The fund raising will run through July and the audit is planned for August. If there are patches created, it makes sense to have these installed before the audit.

As you are just across the road from us, it may be worthwhile getting together mid-July once we know how the fund-raising is progressing.

I am also interested in working with other partners who can add value to the project, so I can pick up conversations once the campaign is launched.


Best regards,

Stuart.

<blockquote cite="mid:558D4B4C.8030506@credativ.co.uk" type="cite">
Hi Nuria, community,

as someone who has reported several critical security issues in the
platform and just completed the first stage of a comprehensive audit of
the core Odoo codebase (and helping Odoo address any concerns raised
during this), I think I should chip in:

Yes, it is true that Odoo has not invested nearly enough time into
making its platform as secure as it should have done, while marketing the
notion that the opposite is true. However, now that they are aware that
problems exist, things seem to be changing and there is an
initiative to make amends and encourage best practices. That includes
having the source code audited.

Regarding the rest of the email, we too share the goal to increase
security and raise Odoo's profile and thus are in favor of a penetration
test to be done to gauge the state of the publicly accessible features
of the site, especially the CMS which is very young and constitutes
venturing into an unexplored territory for Odoo.

For anything else (particularly the modules you mention), a
comprehensive audit of the actual modules+core would be more appropriate
and are either already covered by the audit I have just completed or
planned for its future stages.

As a team of people who have a deep understanding of Odoo, and with me
personally having spent the past five years evangelising good security
awareness and making various software and systems more secure, we
believe that we are in a better position to find issues that an
uninitiated auditor could miss.

Regardless of whether an external auditor will be taken on to the task,
we will carry on with the next phases of the audit we have already started.

If there is enough interest in the community to expedite this, we can
make sure this gets more resources committed to it and help make the
results available sooner.

Regards,
Ondrej Kuznik

-- 
Consultant
credativ Ltd
Suite 5, Bloxam Court
Corporation Street           UK office:  +44 1788 298150
Rugby                        Email:      ondrej.kuznik@credativ.co.uk
CV21 2DU                     Web:        http://www.credativ.co.uk
--
credativ Ltd is registered in England & Wales, company no. 5261743
Certified by CompTIA / AccredIT UK with the ICT Supply standard of
quality for Software Product Design and Development




--

Stuart J Mackintosh

Director / Owner


Business management software - Joined-up, flexible & open

• Open Source Specialists

Drury House

Drury Lane

Rugby

CV21 3DE

T: 01788 298 450

DDI: 01788 298 457

E: sjm@opusvl.com

W: http://opusvl.com