As with any feature-rich and connected software, Odoo has it's security flaws, and we have found a few. Our team have discovered a handful of issues with varying impact from discomfort at one end of the scale, to risk of data theft by a rogue user at the other end.

However, Odoo seems promising, a quick search on google for ERP vulnerabilities will show that there are issues across the industry, and the ICO is reporting a sustained level of registered breaches despite increased profile of the issues and investments in systems.

Scope of risk

If business systems and website are fully separated, with periodic or off-line data synchronisation, the scope of risk is reduced, however, customer, product and order data are still at the front line and need to be secure. The downside with this set-up is that it may require human input with information manually entered, complex intermediary systems and lack of real-time data. For the modern business, this is not convenient.

Image showing scale between security and convenience Every business needs to find their least uncomfortable position when striking the balance between convenience and security. It is an age-old problem; make it easy for everyone, including those with malicious intent, or making everyone suffer because of a few. History tells us that the winner is the one who optimises convenience and (due to luck or judgement) does not fall victim to hostile forces.

This may sound scary, but when you connect your business system to the outside world, the scope of risk now includes your balance sheet and P&L, employee data, bank and cash details and other private information. Having said this, you could already have this weakness due to poorly implemented networking infrastructure.

Solutions

Traditionally, when we have created cloud-based business applications, we have used various mechanisms to keep them secure. An example is the use of client side certificates, preventing anyone from accessing a web based system without a valid web browser certificate installed, and the certificate can only be issued by the administrator. They can be revoked if a computer is compromised, and are supplemented with user names and passwords. However, they are often unsuitable for smaller projects as quite a bit of effort is needed to set them up and maintain issuing and revoking of certificates.

If the service is to be accessed from pre-defined locations, VPN's can be used to access internal applications from known sites, say your office or home. Even routers, desk and VoIP phones normally have built-in VPN software so these are becoming easier to reliably implement.

Web servers can be locked down to only allow access certain URL's from certain locations, and matched with monitoring applications, can pre-warn if a visitor starts to behave in an out-of-the-ordinary way.

These mitigate many issues, but still do not address the core fact that if the software has a design flaw, you want to find out about it before some one less responsible does.

What about Odoo?

Diagram of Odoo MVC data modelThe inherent "Data Model" mechanisms of the Model-View-Controller (MVC) method used within Odoo lessens the chances of a problem, and also reduces the time to detect and resolve. However, if a mistake is made in one place, it can be exposed in many others. It is a technique used by Odoo as well as most modern Open Source web-based frameworks, including our Flexibase products and improves security options and flexibility.

An important distinction should be made that almost all legacy ERP implementations use the direct database approach. Whilst being fast, it does not introduce the layers of security and control required to make an application secure, especially when 3rd party code is used to extend the core system. This alone makes a traditional ERP system almost impossible to secure

With Odoo, a developer can use the pre-existing Data Models in most cases, therefore creating code with less effort and re-using the existing components and security best practice.

The Data Models

The "Data Model" is a principle, not actual software. The methodology can be applied in many ways, revolving around a key principle, that is to not directly access the database, but use a "Data Model" interface which abstracts the actual data store from the application. This Model can join different data sources together - even remote data, introduce security, constraints, auditing and many other features. This does have an impact on performance, but with a well designed application and database schema, performance should be of no concern on modern computers even with large data sets accessed by hundreds of concurrent users.

The Open Source approach naturally seeks out the best practice, and makes it open so others can implement.

I have no doubt that if the principles above were created by a proprietary software company or had a software patent applied, it would remove it from the reaches of most developers.

What we found inside Odoo

For our initial assessment, we focussed on the base system as the potential for Odoo is vast. We did expand the search to some popular modules. Our developers spend a lot of time with the Odoo code every week, so it was not hard for them to think of areas of code that could be at risk and investigate further. Sure enough, we were quickly able to find some problems.

The first issue discovered allows an administrator to access the underlying server, the second allows a user to access another user's data after having brief physical access to the first user's computer and a third where hostile code can be saved in to a form field and executed when another user views it.

Odoo validated the problems within a couple of days and after detailed discussions, a patch was released to enterprise customers and partners. A public release with full details has been released on the Odoo code repository and announcements to the community mailing lists.

Summary

Odoo is not immune from security vulnerabilities, equally, Open Source is not a magic bullet. However, both have significant advantages over proprietary software to both reduce and resolve issues as they arise.

OpusVL made the decision to develop enterprise solutions based on Open Source and Odoo for many reasons, the security benefits of the odoo approach were a major factor.

Posted by Stuart J Mackintosh on 24/06/2015