Contributors mailing list archives

contributors@odoo-community.org

Browse archives

Avatar

Re: OCA and security notices

by
GreenCloud Consulting, Juan Del Castillo Gómez
- 23/12/2020 23:42:39
+1 PSC SecDevOps Team.

Hi community,

I've a Bachelor in Telecommunications Engineering and a Master in Cybersecurity.
I've the mindset for work on security related stuff.
Professionally I've a few experience as a SOC engineer and as a SecDevOps Architecture engineer.

I already have the background and I have know how implement it strategically, so I could be member of the possible PSC SeDevOps, but actually, I'm retired from Cybersecurity.

Due to no email list neither PSC discussion team, I'm going to give you ideas about how security should be implemented, the S-SDLC, in this mail.

Security is transversal, we could have a Continious Pentesting against stage environments for preventive bugs on code before production. But is better avoid bug of code at the root.

The first concept is move security to developers to be ideally preventive. So, is the developer mindset who capture the flags at design features level and with BDD, TDD apply to security development. Then, integrate it in CI/CD(DevOps), so at the point of view of a threat modelling, security is by design and by default, at the early stage of design, for that, Sec is before than DevOps, so I propose a SecDevOps Team, because is moving security to the left.

I search a few to give you orientation guidelines to discuss about:





Regards,

Juan.


El mié, 23 dic 2020 a las 11:17, Florent Cayré (<florent@commown.fr>) escribió:
+1 for a PSC security team who would discuss with Odoo SA so that the 
team has the time to backport security fixes before the disclosure.

Security reports may come from community members after all, why not let 
the community benefit from this work?

Le 23/12/2020 à 11:47, Houssine BAKKALI a écrit :


> My first idea will be to open an issue on OCB for each security notice 


> and organize the work as it done for modules migration. What do you 


> think ? Creating a PSC team security could be another idea.

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

Reference