Community mailing list archives

community@mail.odoo.com

Re: Odoo: #SecureERP Odoo crowdfund update

by Credativ, Ondrej Kuznik - 09/17/2015 09:26:42
On 17/09/15 13:19, Anders Wallenquist wrote:
> On 2015-09-15 at 15:52, Maria Gabriela Fong wrote:
> More than a Security Audit what Odoo needs is a structured process to
> curate code from module and core before allowing it to be available on
> the apps page.

Anders,
I agree with you, up to a point.

The first step towards that is getting core in a good shape. After all,
that is used by everyone everywhere and weeding out security issues
lurking there should be our highest priority.

> Also, there is a big need to structure a security group that revises all
> "alerts" of problems and announces these vulnerabilities in a timely
> manner to the creators of the module so they can be fixed on time.

This would IMHO be the next step, such a group could be assembled under
the OCA banner and over time:
* crawl through the OCA addons making sure they are up to scratch
* research potential security considerations that might have gone
unaddressed so far and work with Odoo to review/advise on any issues
that come up

While it might seem like a drawback to limit the official scope of such
a group to OCA addons only, it makes it easy to check what is covered.
A side-effect of this might be another selling point for partners to join
OCA efforts, combat the fragmentation of the wider community that exists
now, and improve the overall quality of everyone's addons.

> A known Open Source code that has this level of maturity is Drupal.  I
> do not agree that all opensource CMS and teams do not have this level of
> attention and promptness to action.  At least not with Drupal, from
> which I could say is even more mature and transparent than many
> proprietary software.
> 
> Any serious Drupal developer is educated on making sure the CMS is
> updatable always, following best practices.  And mind you, Drupal has a
> steep learning curve.
> 
> Maybe we can learn from the Drupal community and apply it on the Odoo
> community?

I think we are slowly getting there with the developer documentation and
API changes that have been happening in the past year, it just takes
some time for everyone to accept it. I agree that there is still work to
be done on that front.

> I think this is a very good idea. It does not replace a security audit, but
> as said, security is an ongoing process best executed by a security
> team. I think the Drupal Security team works with random sample tests,
> coding recommendations/best practice and CVE-watching, alerting when they
> find problems, rather than a needle's eye for every module to pass before
> publishing.
> 
> If the community for Odoo forms a security team, I think the way of
> working should be more of monitoring and advising than be a mandatory
> step in the publishing process. 

If you talk about the publishing process for the "app store", that is
entirely under the control of Odoo S.A. and I doubt they will let anyone
in, especially since reviewing any proprietary modules would require an
NDA. Also consider that very few would be willing to sign an NDA like
this just to offer a non-paid help to a proprietary competitor.

If you talk about the OCA module onboarding, that would be a good idea
in the long run. In the short run the lack of regular reviewers would
make getting new code accepted even harder than it is, essentially
undermining the OCA's efforts.

> This is a better use of limited
> resources. Most modules depend on security arrangements coming from the
> framework, usually the models.Model class. A security audit will mostly find
> weaknesses that should be fixed there, not in a specific module. Parts of
> the framework where the module is working with its own controller are
> more vulnerable (http.Controller) and will more often add vulnerability
> to the system. Just like modules that change the behaviour of
> authentication and the like. A security team that does "monitoring" can
> concentrate on possibly vulnerable modules, do random checks of modules
> and system tests without being a bottleneck. I think it's easier to
> administer a distributed team by defining an amount of "monitoring"
> tasks. A core team can respond to tasks initiated by the community and can
> be a single channel for security alerts.
> 
> I would gladly join a security team if there were any.

I have been pondering setting up a secure mailing list dedicated to
such a community; if we find enough people dedicated to the cause, I
will. I take it you would be interested in this.

Would there be any others or is there such a group already? If so, speak
up here or contact me off-list and we can see what kind of manpower we'd
have to make a difference.

Cheers,
Ondrej

-- 
Consultant
credativ Ltd
Suite 5, Bloxam Court
Corporation Street           UK office:  +44 1788 298150
Rugby                        Email:      ondrej.kuznik@credativ.co.uk
CV21 2DU                     Web:        http://www.credativ.co.uk
--
credativ Ltd is registered in England & Wales, company no. 5261743
Certified by CompTIA / AccredIT UK with the ICT Supply standard of
quality for Software Product Design and Development