Community mailing list archives

Re: Odoo security

Akretion, Raphael Valyi
- 07/27/2015 07:35:58
Hello folks,

My personal opinion may not make everybody happy, but I think it's counterproductive: I think bundling the ERP and an e-commerce website inside the same runtime is a dead end. Any breach (potentially due to a customization, and an ERP needs a lot of customizations) can be exploited to hijack all your business data... Breaches are even more likely as an ERP has orders of magnitude more functional attack surface than an e-commerce site or a website. Also, it goes against basic scalability principles, where you would break services down into small services that you can scale independently according to the real needs. Here a process serving a webpage will bring all the fat, complex ERP logic into RAM, making it a bad website engine...

Again, using a NoSQL datastore as we do at Akretion with Solr, you can have the best of both worlds: no risk of SQL integrity issues but different runtimes, and reusing mature web technologies instead of re-inventing the wheel.

Not even talking again about the poor ecosystem of the whole thing: a venture-money-inflated shiny website engine that may soon collapse under its own weight back to the open source steady state. Look at history: many large companies tried to create open source web frameworks with way more serious engineering input, yet very few succeeded... Risky bet. It's not because nobody did a better open source ERP that the web framework/CMS will magically become sustainable...

So this is just my opinion, but a penny invested in that is not well invested IMHO. Now yes, I totally understand the concerns about security, but I don't think an audit is the proper answer.

On Mon, Jul 27, 2015 at 7:53 AM, Fabien Bourgeois <> wrote:
On 27/07/2015 12:06, Dave Ellison wrote:
> Speaking mainly as a user, I have helped people put in Odoo, but I'm not a
> partner. This is a good idea, however I think the goal is too high. It
> shouldn't cost 10k to do a full security audit. Perhaps I am a
> little naive there.

I'm not a security expert but cost seems reasonable to me. 10k£ can 
appear to be high but according to the campaign page, only 40% of the 
amount will be dedicated to basic* auditing of important pieces whereas 
30% are for bug fixing and 20% to produce guides.

* full audit is for the 25k£ step and beyond

> Also, Odoo themselves only investing about £600 to what is their
> business and potentially improves their software and assurance to
> customers really shocks me.

I have the same opinion: Odoo SA seems to be in the process and
supporting this campaign. As this topic is IMO very important for
Internet-facing enterprise software like Odoo, I'm surprised to see this
contribution (in relation to last year's $10 million funding).

Yaltik, free your IT system
9 rue Gustave Nadaud, 69007 LYON


Raphaël Valyi
Founder and consultant
+55 21 3942-2434