Recent years have seen a steady increase in the digital threats faced by businesses, small and large alike. In this context, the security of business and personal data becomes more important every day.
This talk will first discuss the Odoo Security model, and how it is evolving with every new release, in particular with Odoo 11, in order to tighten up security by default, and encourage best practices.
The second part will highlight some of the most common coding mistakes uncovered over the years in Odoo code, and how they can be avoided by following best practices.
11. OWASP Top 10
The Odoo framework is designed to help developers avoid those common pitfalls.
OWASP Top 10 (2013)                                   Odoo framework mitigation
A1 - Injection                                        High level query primitives
A2 - Broken Authentication and Session Management     Built-in sessions
A3 - Cross-Site Scripting (XSS)                       High-level templ. language
A4 - Insecure Direct Object References                CRUD-level access control
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control            CRUD-level access control
A8 - Cross-Site Request Forgery                       CSRF protection for forms
A9 - Using Known Vulnerable Components                Reduced sets of deps.
A10 - Unvalidated Redirects and Forwards
31. GOAL.MISTAKE #1: using eval to parse text
There are smarter and safer ways to parse literals
Language     Data type           Suitable parser
Python       int, float, etc.    int(), float()
Javascript   int, float, etc.    parseInt(), parseFloat()
Python       dict                json.loads(), ast.literal_eval()
Javascript   object              JSON.parse()
...          ...                 ...
32. GOAL.MISTAKE #1: using eval to parse text
And when you must eval(), be doubly careful.
[Diagram labels: custom piece of logic; parametrized rendering; user-provided data; worried developer]
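Slides 31 and 32 together, as an added example that is not part of the talk or of Odoo's own code: the literal parsers from the table replace eval() for data, and for the "custom piece of logic" case (here, arithmetic over a few named parameters, an assumed use case) the expression is walked as an AST so that only an explicit allow-list of node types is ever evaluated. All function names and the sample inputs are constructed for this example.

```python
import ast
import json
import operator

# Added example (not from the talk): parse untrusted text with real parsers,
# and, where logic must be evaluated, restrict it to an explicit allow-list.


def parse_number(text):
    """Parse an int or float from text; raises ValueError on anything else."""
    text = text.strip()
    try:
        return int(text)
    except ValueError:
        return float(text)


def parse_literal(text):
    """Parse a dict/list/str/number literal, trying JSON first, then Python
    literal syntax. Calls, names and operators are not literals: ValueError."""
    try:
        return json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        pass
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc


# Arithmetic over numbers and named parameters is a typical "custom piece of
# logic" for which eval() is tempting; an AST walk keeps the grammar tiny.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_arith(expr, variables=None):
    """Evaluate an arithmetic expression over int/float literals and the names
    in `variables`. Anything else in the tree (calls, attributes, subscripts,
    comparisons, unknown names) raises ValueError before anything is computed."""
    variables = variables or {}
    tree = ast.parse(expr, mode="eval")

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise ValueError(f"unknown name {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](visit(node.left), visit(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](visit(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return visit(tree)


def rejects(func, text, **kwargs):
    """True if `func` refuses `text` with a ValueError or a syntax error."""
    try:
        func(text, **kwargs)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a Python-style literal, a parametrized formula, and
    # two strings that are code rather than data.
    print(parse_literal("{'qty': 3, 'tags': ('a', 'b')}"))
    print(safe_arith("price * qty - discount",
                     {"price": 10, "qty": 3, "discount": 2}))  # 28
    print(rejects(parse_literal, "print('hi')"),
          rejects(safe_arith, "qty.bit_length()", variables={"qty": 3}))  # True True
```

The allow-list evaluator is the shape to reach for before eval(): every construct the input may contain is named once, and anything the grammar was never meant to accept fails closed instead of being executed.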
37. MISTAKE #4: careless sudo usage
Keep the sudo scope as limited as possible.
Review 2x all calls done as super-user; watch out for leaked objects and side-effects.
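The "leaked objects" point above, as an added example that is not Odoo's ORM or any code from the talk: a toy record set with an access check on every operation and a sudo() that skips it (the class, environment and ACL are constructed stand-ins, not Odoo's API). A function that hands a sudo'd record set back to its caller has widened the super-user scope to every later operation on that object, whereas returning plain data keeps the elevation inside the function.

```python
# Added example (not Odoo code): a toy record set that mimics the shape of an
# ORM with an access check on every operation and a sudo() that bypasses it.
# It shows why a sudo'd object must not escape the function that needed it.


class AccessError(Exception):
    pass


class Env:
    """Who is acting, and whether checks are bypassed (superuser mode)."""
    def __init__(self, user, su=False):
        self.user = user
        self.su = su


# Constructed access-control list: alice (a portal-style user) has no rights
# on partner records at all; admin may read and write them.
ACL = {"alice": set(), "admin": {"read", "write"}}


class Partners:
    def __init__(self, env, rows):
        self.env = env
        self.rows = rows  # shared list of dicts standing in for DB rows

    def sudo(self):
        """Same records, superuser environment: every check below is skipped."""
        return Partners(Env(self.env.user, su=True), self.rows)

    def check_access(self, operation):
        if self.env.su or operation in ACL.get(self.env.user, set()):
            return
        raise AccessError(f"{self.env.user} may not {operation} partners")

    def mapped(self, field):
        self.check_access("read")
        return [row[field] for row in self.rows]

    def write(self, values):
        self.check_access("write")
        for row in self.rows:
            row.update(values)


def leaky_emails(partners):
    """Mistake: sudo is needed to read the emails, but the sudo'd record set is
    handed back to the caller, who can now write with no check at all."""
    return partners.sudo()


def scoped_emails(partners):
    """Fix: the elevated scope ends inside the function; only plain data leaves."""
    return partners.sudo().mapped("email")


def reads_allowed(partners):
    try:
        partners.mapped("email")
    except AccessError:
        return False
    return True


def demo():
    rows = [{"name": "ACME", "email": "info@example.com"}]  # constructed row
    alice = Partners(Env("alice"), rows)

    leaked = leaky_emails(alice)
    leaked.write({"email": "changed@example.com"})  # no AccessError: privilege leaked
    after_leak = rows[0]["email"]

    rows[0]["email"] = "info@example.com"
    emails = scoped_emails(alice)           # works: sudo used only for the read
    try:
        alice.write({"email": "changed@example.com"})
        blocked = False
    except AccessError:
        blocked = True                      # alice's own record set is still checked
    return after_leak, emails, blocked


if __name__ == "__main__":
    print(demo())  # ('changed@example.com', ['info@example.com'], True)
```

When reviewing super-user calls, the question for each one is what leaves the block: a record set, a cursor or an environment carries the elevation with it, while a list of values does not.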
38. And there's more...
Other examples and explanations in the "Top 10 rules" talk from Odoo Experience 2016: https://www.odoo.com/r/h3s
39. TAKEAWAYS.
The framework tries to protect you from harm... as long as you don’t bypass the protections!
And it's improving year after year…
Get in touch with us whenever you have security questions… security@odoo.com