At a time when IT security has never been higher on the business agenda, a key figure in the Open Source Software community is hoping to put the Open Source Enterprise Resource Planning (ERP) solution, Odoo, through a full network security penetration test after launching a global crowdfunding campaign.
Stuart J Mackintosh, who previously supported the UK Cabinet Office on its Open Source and standards strategy, hopes to raise up to £25,000 with the campaign, and has pledged to use all monies raised on investigating the security of Odoo to aid future development of the software. Mackintosh has said that even if he does not reach his crowdfunding target amount, he will still use any money raised to enhance the security of the popular ERP software.
NCC Group, a global information assurance specialist which has one of the world's largest and most experienced penetration testing teams, will conduct the security testing. The plan is to raise enough money for NCC Group to perform a thorough and comprehensive penetration test covering policy, procedure, and design of the software, and to provide independent verification, a report and analysis of the security risks in Odoo illustrating any weaknesses in the application that could be exploited. Such a test would be the first time Odoo, one of the most widely used ERP applications in the world, has been subject to formal, stringent security testing. Mackintosh said that this project will have ramifications not just for the Open Source market, but for the wider software world as well.
He explained: "Odoo already has the potential to be one of the most secure ERP systems available, because it is designed with Internet best practices so sets the security bar at web standard, rather than at ERP standard. Many proprietary ERP systems are built on pre-internet frameworks and were designed to be accessed internally, not hosted on the cloud or exposed to the hostile Internet, and this is where security issues become serious.
"We all know the ERP marketplace is not 100% secure but Odoo has the opportunity to become the most secure ERP globally if this campaign is successful. Odoo is the only contender in the marketplace to be both secure and functional and not only could this campaign ensure that, but, more importantly, it raises the issue of security for the wider ERP world and asks other vendors what steps they will take to make their systems more secure."
Stuart J Mackintosh has also enlisted the support of one of the first UK integrators of Odoo, OpusVL, a company that will work together with NCC Group to carry out the security audit. OpusVL has previous experience working with NCC Group after commissioning the organisation to carry out tests on its Flexibase product, used by financial and retail customers.
The crowdfunding campaign is already live on Indiegogo and Mackintosh is urging everyone, not just the Open Source community, to get behind the initiative.
"If Odoo was not an Open Source product, a campaign such as this would not be possible and we would not be so empowered to resolve any security issues that the report identifies," he said.
"But this is about more than giving Odoo users a more secure ERP solution, it's about making an investment into the future security of the wider ERP industry. It's a chance for all software users to support another market option maturing and put pressure on their vendors for enhanced security. With the UK government and healthcare sectors committing to an Open Source future, it is essential that we can validate that this is a more secure option than any other alternative."