SAFER Odoo Code
Olivier Dony
Platform & Security
security@odoo.com - @odony
2017
EXPERIENCE
and the pursuit thereof...
GOALS.
1. Word about our security team
2. Framework security features
3. Evolutions
4. Recap of common mistakes
GOAL.
A word about the Odoo security team
MISSIONS
Single point of contact - security@odoo.com
Priority answer (~24h)
Disclosure process & policy
odoo.com/security-report
Questions, audit reviews, bugs,...
Internal reviews (transversal)
Raising awareness
Security Advisories (CVEs)
Launch
Year after year...
150+ TICKETS this year (chart ranging from FALSE POSITIVE to REAL THREAT): Self-XSS, DKIM/DMARC policy, SSL modulus, version disclosure, unexploitable XSS, XSS, broken authentication, code execution, phishing, path disclosure, audit review
This year...
The visible parts of
the iceberg
Our heroes...
GOAL.
Framework security features
THE SECURITY MODEL (diagram): ODOO APPS -> ACCESS CONTROL (Groups, ACL, Rules) -> DATA ACCESS LAYER -> Business Data
OWASP Top 10
The Odoo framework is designed to help developers avoid those common pitfalls.
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
Framework features, revealed one by one on the slide:
High level query primitives
Built-in sessions
High-level templ. language
CRUD-level access control (appears twice in the build)
CSRF protection for forms
Reduced sets of deps.
GOAL.
Highlight framework security-related evolutions
Extra security logs
HTTP-only session cookies
Encrypted master password* (*hashed, of course: PBKDF2-SHA512)
Database manager can be deactivated (RPC calls blocked too!): --no-database-list will now block access to database management screens
Encrypted database connections (tcp):
SSL mode      Eavesdrop   MITM
disable       /           /
allow         ?           /
prefer        ?           /
require       OK          /
verify-ca     OK          ~OK
verify-full   OK          OK
No more Pickle! Welcome JSON!
Restricted system parameters: admin-only access!
Hardened access rights on internal data
(Odoo 10 / Odoo 11)
GOAL.
Recap of common coding mistakes
MISTAKE #1: using eval to parse text
It breaks the barrier between code and data.
There are smarter and safer ways to parse literals:
Language     Data type          Suitable parser
Python       int, float, etc.   int(), float()
Javascript   int, float, etc.   parseInt(), parseFloat()
Python       dict               json.loads(), ast.literal_eval()
Javascript   object             JSON.parse()
...          ...                ...
And when you must eval(), be doubly careful.
(diagram: a custom piece of logic doing parametrized rendering of user-provided data, next to a worried developer)
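The parsers from the table above, as an added example that is not from the slides: every helper accepts literal data only, and the check function shows that a string containing code (a call) is refused instead of executed. The sample inputs are constructed for the demo.

```python
import ast
import json

# Constructed sample inputs: the kind of text a helper might receive from a
# form field, a config value or an RPC argument (not taken from the slides).
SAMPLES = {
    "int": "42",
    "float": "3.14",
    "dict": "{'name': 'Task A', 'priority': 2}",
    "json": '{"name": "Task B", "done": false}',
    "expr": "len('abc')",  # code, not data: a literal parser must refuse it
}


def parse_number(text):
    """Parse an int or float with the type constructors, never with eval()."""
    try:
        return int(text)
    except ValueError:
        return float(text)


def parse_literal(text):
    """Parse a Python literal (number, string, list, dict, ...) without eval().

    ast.literal_eval only understands literal syntax; anything that would need
    code execution (calls, attribute access, names) raises ValueError.
    """
    return ast.literal_eval(text)


def parse_json(text):
    """Parse JSON text; json.loads builds data and never executes anything."""
    return json.loads(text)


def is_pure_literal(text):
    """True if text is a pure literal, False if it contains code or is malformed."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False
```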
MISTAKE #2: handcrafted SQL
It's easy to get it wrong.
(illustration: "Nope, you can't do that")
Separate code vs parameters.
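An added example (not from the slides) of why code and parameters must be kept apart: a handcrafted query breaks on an ordinary name containing a quote, while the parametrized one lets the driver bind the value. It uses an in-memory sqlite3 table with ? placeholders so it runs offline; Odoo code does the same through cr.execute(query, params), where psycopg2 uses %s placeholders.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an Odoo model's SQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE project_task (id INTEGER PRIMARY KEY, name TEXT, state TEXT)"
    )
    conn.executemany(
        "INSERT INTO project_task (name, state) VALUES (?, ?)",
        [("Write report", "draft"), ("Call O'Brien", "open"), ("Deploy", "done")],
    )
    return conn


def find_by_name_handcrafted(conn, name):
    """Handcrafted SQL: the value is spliced into the query text.

    Any quote in the data becomes part of the SQL syntax, so a perfectly
    legitimate name such as O'Brien breaks the statement, and crafted data
    could change its meaning.
    """
    query = "SELECT id, name FROM project_task WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_by_name_parametrized(conn, name):
    """Parametrized SQL: code and data travel separately.

    The driver binds the value; quotes inside the data stay data.
    """
    query = "SELECT id, name FROM project_task WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def handcrafted_fails(conn, name):
    """True if the handcrafted version raises a SQL error for this input."""
    try:
        find_by_name_handcrafted(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```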
GOAL.MISTAKE #3: XSS vectors
t-esc=”task.name“ t-raw=”task.name“ t-raw=”sanitized_body“
YES! ☺ NO! 😠 MAYBE… ☹
t-field=”task.name“
<span t-field=”task.name”
t-attf-class=”o_task_{{task.state}}“
/>
task_cls = ‘o_task_%s‘ % 
task.state
task = ‘<span class=”%s”/>%s’ % (
task_cls, task.name
)
...
<span t-raw=”task“/>
task_cls = ‘o_task_%s‘ % 
escape(task.state)
task = ‘<span class=”%s”/>%s’ % (
task_cls, escape(task.name)
)
...
<span t-raw=”task“/>
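A runnable version of the two snippets above, added here and not part of the slides: the unsafe renderer passes markup and a stray quote straight through, the safe one escapes each value for its context, including the attribute built from task.state (the t-attf-class case). The task records are constructed; the span is written as a well-formed opening/closing pair rather than the slide's self-closing form.

```python
from html import escape

# Constructed task records; the second one carries markup and a quote in
# user-controlled fields, as stored data of unknown origin might.
TASKS = [
    {"name": "Write report", "state": "draft"},
    {"name": "<b>Urgent</b> task", "state": 'open" title="injected'},
]


def render_task_unsafe(task):
    """Mirrors the slide's first snippet: values go into HTML unescaped."""
    task_cls = "o_task_%s" % task["state"]
    return '<span class="%s">%s</span>' % (task_cls, task["name"])


def render_task_safe(task):
    """Mirrors the slide's second snippet: every value is escaped.

    html.escape(quote=True) also converts " and ', so a value placed inside
    an attribute cannot close that attribute and add new ones.
    """
    task_cls = "o_task_%s" % escape(task["state"], quote=True)
    return '<span class="%s">%s</span>' % (
        task_cls,
        escape(task["name"], quote=True),
    )


def contains_raw(rendered, *fragments):
    """True if any of the given raw fragments survived unescaped in the output."""
    return any(fragment in rendered for fragment in fragments)
```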
MISTAKE #4: careless sudo usage
Keep the sudo scope as limited as possible.
Review 2x all calls done as super-user; watch out for leaked objects and side-effects.
And there's more...
Other examples and explanations in the "Top 10 rules" talk from Odoo Experience 2016: https://www.odoo.com/r/h3s
TAKEAWAYS.
The framework tries to protect you from harm...
as long as you don’t bypass the protections!
And it's improving year after year…
Get in touch with us whenever you have security questions… security@odoo.com
Photos credits:
https://www.flickr.com/photos/steve_rider/
https://www.flickr.com/photos/ericprunier/
https://www.flickr.com/photos/jezbags/
https://www.flickr.com/photos/150472095@N05/
https://www.flickr.com/photos/loosetrucks/

More Related Content

What's hot

AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing:  it’s not only about the login formAuthN & AuthZ testing:  it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 

What's hot (20)

AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing:  it’s not only about the login formAuthN & AuthZ testing:  it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Attques web
Attques webAttques web
Attques web
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Owasp and friends
Owasp and friendsOwasp and friends
Owasp and friends
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
t r
t rt r
t r
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 

Similar to Safer Odoo Code [Odoo Experience 2017]

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
«(Без)опасный Python», Иван Цыганов, Positive Technologies«(Без)опасный Python», Иван Цыганов, Positive Technologies
«(Без)опасный Python», Иван Цыганов, Positive Technologiesit-people
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
How To Break Odoo's Security [Odoo Experience 2018]
How To Break Odoo's Security [Odoo Experience 2018]How To Break Odoo's Security [Odoo Experience 2018]
How To Break Odoo's Security [Odoo Experience 2018]Olivier Dony
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Sampath Bhargav Pinnam
 
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Amazon Web Services
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 

Similar to Safer Odoo Code [Odoo Experience 2017] (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
(Un)safe Python
(Un)safe Python(Un)safe Python
(Un)safe Python
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
«(Без)опасный Python», Иван Цыганов, Positive Technologies«(Без)опасный Python», Иван Цыганов, Positive Technologies
«(Без)опасный Python», Иван Цыганов, Positive Technologies
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
How To Break Odoo's Security [Odoo Experience 2018]
How To Break Odoo's Security [Odoo Experience 2018]How To Break Odoo's Security [Odoo Experience 2018]
How To Break Odoo's Security [Odoo Experience 2018]
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
 
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 

Recently uploaded

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 

Recently uploaded (20)

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 

Safer Odoo Code [Odoo Experience 2017]

  • 1. SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com - @odony 2017 EXPERIENCE and the pursuit thereof...
  • 2. GOALS. 1. Word about our security team 2. Framework security features 3. Evolutions 4. Recap of common mistakes
  • 3. GOAL. A word about the Odoo security team
  • 4. MISSIONS Single point of contact - security@odoo.com Priority answer (~24h) Disclosure process & policy odoo.com/security-report Questions, audit reviews, bugs,... Internal reviews (transversal) Raising awareness Security Advisories (CVEs)
  • 6. 150+ TICKETS Self-XSS FALSEPOSITIVE DKIM/DMARC Policy SSL modulus Version discl. Unexploitable XSS XSS Broken authentication Code Exec. REALTHREAT Phishing Path discl. Audit review This year...
  • 7. The visible parts of the iceberg
  • 10. THE SECURITY MODEL Business Data DATA ACCESS LAYER ACCESS CONTROL Groups ACL Rules ODOO APPS
  • 11-19. OWASP Top 10 (2013). The Odoo framework is designed to help developers avoid those common pitfalls:
    A1 - Injection
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
    Framework features added to the slide one at a time (slides 13-19): high-level query primitives; built-in sessions; high-level templating language; CRUD-level access control (listed twice); CSRF protection for forms; reduced set of dependencies.
  • 23. Encrypted master password* *hashed, of course (PBKDF2-SHA512)
  • 24. Database manager can be deactivated; RPC calls are blocked too! --no-database-list will now block access to database management screens
  • 25. Encrypted database connections (tcp). Protection offered by each SSL mode:
    SSL mode     Eavesdrop   MITM
    disable      /           /
    allow        ?           /
    prefer       ?           /
    require      OK          /
    verify-ca    OK          ~OK
    verify-full  OK          OK
  • 28. Hardened access rights on internal data (Odoo 10 vs Odoo 11)
  • 29. GOAL. Recap of common coding mistakes
  • 30. MISTAKE #1: using eval to parse text. It breaks the barrier between code and data
  • 31. MISTAKE #1: using eval to parse text. There are smarter and safer ways to parse literals:
    Language     Data type          Suitable parser
    Python       int, float, etc.   int(), float()
    Javascript   int, float, etc.   parseInt(), parseFloat()
    Python       dict               json.loads(), ast.literal_eval()
    Javascript   object             JSON.parse()
    ...          ...                ...
  • 32. MISTAKE #1: using eval to parse text. And when you must eval(), be doubly careful (diagram: custom piece of logic, parametrized rendering, user-provided data, worried developer)
  • 33. MISTAKE #2: handcrafted SQL. It's easy to get it wrong
  • 34. MISTAKE #2: handcrafted SQL. It's easy to get it wrong. Nope, you can't do that
  • 35. MISTAKE #2: handcrafted SQL. It's easy to get it wrong. Separate code vs parameters
  • 36. MISTAKE #3: XSS vectors
    t-esc="task.name", t-field="task.name"   YES! ☺
    t-raw="task.name"                        NO! 😠
    t-raw="sanitized_body"                   MAYBE… ☹
    Escaping left to the template engine:
    <span t-field="task.name" t-attf-class="o_task_{{task.state}}"/>
    Unsafe: raw record values concatenated into markup, then rendered with t-raw:
    task_cls = 'o_task_%s' % task.state
    task = '<span class="%s"/>%s' % (task_cls, task.name)
    ...
    <span t-raw="task"/>
    Escaped variant:
    task_cls = 'o_task_%s' % escape(task.state)
    task = '<span class="%s"/>%s' % (task_cls, escape(task.name))
    ...
    <span t-raw="task"/>
  • 37. MISTAKE #4: careless sudo usage. Keep the sudo scope as limited as possible. Review 2x all calls done as super-user; watch out for leaked objects and side-effects
  • 38. And there's more... Other examples and explanations in "Top 10 rules" talk from Odoo Experience 2016. https://www.odoo.com/r/h3s
  • 39. TAKEAWAYS. The framework tries to protect you from harm... as long as you don’t bypass the protections! And it's improving year after year… Get in touch with us whenever you have security questions… security@odoo.com
  • 40. SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com 2017 EXPERIENCE and the pursuit thereof... Photos credits: https://www.flickr.com/photos/steve_rider/ https://www.flickr.com/photos/ericprunier/ https://www.flickr.com/photos/jezbags/ https://www.flickr.com/photos/150472095@N05/ https://www.flickr.com/photos/loosetrucks/
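Slide 23 notes that the master password is hashed with PBKDF2-SHA512 rather than stored in clear. The following is an added illustration of that scheme using only the Python standard library; it is not Odoo's code (Odoo relies on a password-hashing library), and the iteration count, salt length and storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not Odoo's settings).
ITERATIONS = 200_000
SALT_LEN = 16
SCHEME = "pbkdf2-sha512"


def hash_master_password(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA512 key and return a self-describing string.

    Format: pbkdf2-sha512$<iterations>$<salt hex>$<derived key hex>
    Storing the iteration count and salt next to the hash lets the cost be
    raised later without invalidating existing entries.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (SCHEME, iterations, salt.hex(), dk.hex())


def verify_master_password(candidate: str, stored: str) -> bool:
    """Re-derive the key for `candidate` and compare it in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False                         # unknown scheme or malformed entry
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    stored = hash_master_password("correct horse battery staple")
    print(stored)
    print(verify_master_password("correct horse battery staple", stored))  # True
    print(verify_master_password("guess", stored))                          # False
```

The stored string never contains the password, and a legacy clear-text entry fails verification outright instead of being compared as a password.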
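Slides 30-32 (mistake #1) recommend parsing literals with ast.literal_eval(), json.loads() or int() instead of eval(). This added example, which is not part of the slides, shows how those parsers accept data but reject anything that is code; the sample inputs are constructed for the example.

```python
import ast
import json


def parse_literal(text: str):
    """Parse a Python literal (numbers, strings, lists, dicts, ...) without running code.

    ast.literal_eval only accepts literal syntax: calls, attribute access,
    names and imports raise instead of being executed.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % (text,)) from exc


def parse_json_object(text: str) -> dict:
    """Parse a JSON document that must be an object (the counterpart of JSON.parse() in JS)."""
    value = json.loads(text)
    if not isinstance(value, dict):
        raise ValueError("expected a JSON object, got %s" % type(value).__name__)
    return value


def parse_int(text: str) -> int:
    """Strict integer parsing: int() never evaluates expressions."""
    return int(text.strip())


def is_safe_literal(text: str) -> bool:
    """True when the text is pure data (a literal), False when it contains code."""
    try:
        parse_literal(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the first three are data, the last two are code.
    for sample in ["{'limit': 10, 'order': 'name'}", "[1, 2.5, 'x']", "42",
                   "max(1, 2)", "list(range(3))"]:
        print("%-32r -> %s" % (sample, "data" if is_safe_literal(sample) else "rejected"))
```

Where eval() cannot be avoided (slide 32), the same principle applies: the text handed to it must never be assembled from user-provided data.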
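Slides 33-35 (mistake #2) contrast handcrafted SQL with "separate code vs parameters". This added example, not taken from the slides, shows both sides on a constructed in-memory sqlite3 table standing in for project_task: the value is bound as a parameter, while a sort column, which no driver can bind, is checked against an allow-list. sqlite3 uses '?' placeholders; the psycopg2 cursor behind Odoo's cr.execute() uses '%s' with the same two-argument call.

```python
import sqlite3

# Columns a caller may sort by. Identifiers cannot be passed as query
# parameters, so they are validated against an allow-list instead.
ALLOWED_ORDER_COLUMNS = ("id", "name", "state")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for project_task."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project_task (id INTEGER PRIMARY KEY, name TEXT, state TEXT)")
    conn.executemany("INSERT INTO project_task (name, state) VALUES (?, ?)",
                     [("Write spec", "open"), ("O'Brien's review", "open"), ("Ship", "done")])
    return conn


def tasks_by_state_unsafe(conn: sqlite3.Connection, state: str) -> list:
    """The slide's mistake: the value is formatted into the SQL text.

    Any quote in `state` is parsed as SQL, so the query breaks (or changes
    meaning) on ordinary data such as O'Brien.
    """
    query = "SELECT name FROM project_task WHERE state = '%s'" % state
    return [row[0] for row in conn.execute(query)]


def tasks_by_state(conn: sqlite3.Connection, state: str, order_by: str = "id") -> list:
    """Separate code from parameters.

    The value travels as a bound parameter; the identifier is restricted to
    the allow-list before it is interpolated into the SQL text.
    """
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (order_by,))
    query = "SELECT name FROM project_task WHERE state = ? ORDER BY %s" % order_by
    return [row[0] for row in conn.execute(query, (state,))]


if __name__ == "__main__":
    conn = make_db()
    print(tasks_by_state(conn, "open", order_by="name"))
    try:
        tasks_by_state_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("handcrafted query failed on plain data:", exc)
```

The parameterized version returns an empty list for the value O'Brien, as it should; the handcrafted one raises a syntax error, which is the mild outcome, since the same quote could just as easily have altered the query.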
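Slide 36 (mistake #3) shows record values concatenated into markup that is then rendered with t-raw, beside an escaped variant. The following added example, which is not part of the slides, reproduces both renderers in plain Python so the difference is visible; html.escape from the standard library stands in for the slide's escape(), Task is a constructed stand-in for a project.task record, and the self-closing span from the slide is written as a proper element.

```python
from html import escape


class Task:
    """Constructed stand-in for a project.task record."""

    def __init__(self, name: str, state: str):
        self.name = name
        self.state = state


def render_task_unsafe(task: Task) -> str:
    """The slide's bug: record values are concatenated straight into markup.

    Whatever task.name or task.state contains is interpreted as HTML once
    the result goes through t-raw.
    """
    task_cls = 'o_task_%s' % task.state
    return '<span class="%s">%s</span>' % (task_cls, task.name)


def render_task(task: Task) -> str:
    """Escaped variant: every dynamic value is HTML-escaped before insertion.

    quote=True also escapes quote characters, which matters inside the class
    attribute; this is what t-esc and t-field do for you automatically.
    """
    task_cls = 'o_task_%s' % escape(task.state, quote=True)
    return '<span class="%s">%s</span>' % (task_cls, escape(task.name, quote=True))


if __name__ == "__main__":
    task = Task('Plan <b>B</b> & "C"', 'open')
    print(render_task_unsafe(task))   # markup from the record name is rendered as HTML
    print(render_task(task))          # the same name is shown literally
```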