Community mailing list archives
Re: Odoo: #SecureERP Odoo crowdfund update
by Anders Wallenquist <email@example.com> - 09/17/2015 08:13:28
I think this is a very good idea. It does not replace a security audit, but as said, security is an ongoing process best executed by a security team. I think the Drupal Security team works with random sample tests, coding recommendations/best practice and CVE-watching, alerting when they find problems, rather than a needle's eye for every module to pass before publishing.
If the community for Odoo forms a security team, I think the way of working should be more of monitoring and advising than being a mandatory step in the publishing process. This is a better use of limited resources. Most modules depend on security arrangements coming from the framework, usually the models.Model class. A security audit will mostly find weaknesses that should be fixed there, not in a specific module. Parts of the framework where the module is working with its own controller are more vulnerable (http.Controller) and will more often add vulnerability to the system. Just like modules that change the behaviour of authentication and the like. A security team that does "monitoring" can concentrate on possibly vulnerable modules, do random checks of modules and system tests without being a bottleneck. I think it's easier to administer a distributed team by defining an amount of "monitoring" tasks. A core team can respond to tasks initiated by the community and can be a single channel for security alerts.
I would gladly join a security team if there were any.
and should be built in with automated tests done
<blockquote cite="mid:CAF2XgZ_Tx6f0cW2YN9ssXuMAm8ovCPQY_SHAiUHOgwTNtVVifw@mail.gmail.com" type="cite">
Dear Odoo community,
Just a quick note to say I have made a couple of updates to the #SecureERP campaign, you can see them here:
All the best,
Stuart J Mackintosh
Director / Owner
Business management software - Joined-up, flexible & open
• Open Source Specialists
T: 01788 298 450
DDI: 01788 298 457
Mailing-List: Odoo Partners
Post to: email@example.com
Partner & Consultant
MAGA Systems & Consulting