Contributors mailing list archives
Re: OCA and security noticesby
GreenCloud Consulting, Juan Del Castillo Gómez
+1 PSC SecDevOps Team.
I've a Bachelor in Telecommunications Engineering and a Master in Cybersecurity.
I've the mindset for work on security related stuff.
Professionally I've a few experience as a SOC engineer and as a SecDevOps Architecture engineer.
I already have the background and I have know how implement it strategically, so I could be member of the possible PSC SeDevOps, but actually, I'm retired from Cybersecurity.
Due to no email list neither PSC discussion team, I'm going to give you ideas about how security should be implemented, the S-SDLC, in this mail.
Security is transversal, we could have a Continious Pentesting against stage environments for preventive bugs on code before production. But is better avoid bug of code at the root.
The first concept is move security to developers to be ideally preventive. So, is the developer mindset who capture the flags at design features level and with BDD, TDD apply to security development. Then, integrate it in CI/CD(DevOps), so at the point of view of a threat modelling, security is by design and by default, at the early stage of design, for that, Sec is before than DevOps, so I propose a SecDevOps Team, because is moving security to the left.
I search a few to give you orientation guidelines to discuss about:
El mié, 23 dic 2020 a las 11:17, Florent Cayré (<firstname.lastname@example.org>) escribió:
+1 for a PSC security team who would discuss with Odoo SA so that the team has the time to backport security fixes before the disclosure. Security reports may come from community members after all, why not let the community benefit from this work? Le 23/12/2020 à 11:47, Houssine BAKKALI a écrit : > My first idea will be to open an issue on OCB for each security notice > and organize the work as it done for modules migration. What do you > think ? Creating a PSC team security could be another idea.