Community mailing list archives

community@mail.odoo.com

Re: Odoo: #SecureERP Odoo crowdfund update

by Anders Wallenquist <anders.wallenquist@kreawit.se> - 09/17/2015 08:13:28
Den 2015-09-15 kl. 15:52, skrev Maria Gabriela Fong:
<blockquote cite="mid:CAF2XgZ_Tx6f0cW2YN9ssXuMAm8ovCPQY_SHAiUHOgwTNtVVifw@mail.gmail.com" type="cite">
More than a Security Audit what Odoo needs is a structured process to curate code from module and core before allowing it to be available on the apps page.  

Also, there is a big need to structure a security group that revises all "alerts" of problems and announces in a timely manner this vulnerabilities to the creators of the module so it can be fixed on time.

A known Open Source code that has this level of maturity is Drupal.  I do not agree that all opensource CMS and teams do not have this level of attention and promptness to action.  At least not with Drupal, from which I could say is even more mature and transparent than many propietary software.

Any serious Drupal developer is educated on making sure the CMS is updatable always, following best practices.  And mind you, Drupal has a steep learning curve.

Maybe we can learn from the Drupal community and apply it on the Odoo community?

I think this a very good idea. It does not replace a security audit, but as said, security are an ongoing process best executed by a security team. I think the Drupal Security team work with random sample test, coding recommendations/best practice and CVE-watching alerting when they find problems rather than a needle's eye for every module to pass before publishing.

If the community for Odoo forms a security team, I think the way of working should be more of monitoring and advising than be a mandatory step in the publishing process. This is a better use of limited resources. Most modules depends of security arrangements comming by the framework, usually models.Model-class. A security audit will mostly find weaknesses that should be fixed there not in a specific module. Parts of the framework where the module are working with its own controller are more vulnerable (http.Controller) and will more often add vulnerability to the system. Just like modules that changes behaviour of authentication and likes. A security team that do "monitoring" can concentrate on possible vulnerable modules, do random checks of modules and systemtests without beeing a bootleneck. I think its easier to administer a distributed team by defining an amount of "monitoring" tasks. A core team can respond on tasks initiated by community and can be a single channel for security alerts.

I would gladly join a security team if there where any.

Regards,

Anders Wallenquist









 and should be built in with automated tests done
<blockquote cite="mid:CAF2XgZ_Tx6f0cW2YN9ssXuMAm8ovCPQY_SHAiUHOgwTNtVVifw@mail.gmail.com" type="cite">

Just my 2 cents.

On Sun, Sep 13, 2015 at 4:47 AM, Stuart J Mackintosh <sjm@opusvl.com> wrote:
Dear Odoo community,

Just a quick note to say I have made a couple of updates to the #SecureERP campaign, you can see them here:
https://www.indiegogo.com/projects/odoo-business-software-security-audit-secureerp--2#/updates

All the best,

Stuart.

--

Stuart J Mackintosh

Director / Owner

<img alt="OpusVL Logo" src="cid:part2.02010507.04010306@opusvl.com" height="38" width="150">

Business management software - Joined-up, flexible & open

• Open Source Specialists

Drury House

Drury Lane

Rugby

CV21 3DE

T: 01788 298 450

DDI: 01788 298 457

E: sjm@opusvl.com

W: http://opusvl.com



_______________________________________________
Mailing-List: Odoo Partners
Post to: partners@odoo.com
Unsubscribe: mailto:partners-request@openerp.com?subject=unsubscribe
Options: https://mailman.openerp.com/mailman/options/partners





--
Maria Gabriela Fong
Partner & Consultant
Cel: 6615.7718
MAGA Systems & Consulting

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe