SYSTEM SECURITY

System Security (The Platform)

Backups / Disaster Recovery

We keep 14 full backups of each database installation for up to 3 months: 1/day for 7 days, 1/week for 4 weeks, 1/month for 3 months.
Backups are replicated in at least 3 different data centers, on at least 2 different continents.
The actual locations of our data centers are specified below.

Hardware failover: for services hosted on bare metal, where hardware failure is possible, we implement local hot standby replication, with monitoring and a manual failover procedure that takes less than 5 minutes.


Disaster recovery: in case of complete disaster, with a data center entirely down for an extended period, preventing the failover to our local hot-standby (never happened so far, this is the worst-case plan), we have the following objectives:
RPO (Recovery Point Objective) = 24h. Clients can lose max 24h of work if the data cannot be recovered and we need to restore your latest daily backup.
RTO (Recovery Time Objective) = 24h to restore the service in a different data center if a disaster occurs and a datacenter is completely down.
How is this accomplished: we actively monitor our daily backups, and they are replicated in multiples locations on different continents. We have automated provisioning to deploy our services in a new hosting location. Restoring the data based on our backups of the previous day can then be done in a few hours (for the largest clusters).
We routinely use both the daily backups and provisioning scripts for daily operations, so both parts of the disaster recovery procedure are tested all the time.

System Security

All Cloud Servers are running hardened Linux distributions with up-to-date security patches.
Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example).
Limited support engineers have clearance to remotely manage the servers – and access is only possible using an encrypted personal SSH keypair, from a computer with full-disk encryption.

Credit Card Safety

We never store credit card information on our own systems.
Your credit card information is always transmitted securely directly between you and our PCI-Compliant payment acquirers.

Communications

All data communications to client instances are protected with state-of-the-art 256-bit SSL encryption (HTTPS).
All internal data communications between our servers are also protected with state-of-the-art encryption (SSH).
Our servers are kept under a strict security watch, and always patched against the latest SSL vulnerabilities, enjoying Grade A SSL ratings at all times. All our SSL certificates use robust 2048-bit modulus with full SHA-2 certificates chains.

Database Security

Customer data is stored in a dedicated database – no sharing of data between clients.
Data access control rules implement complete isolation between customer databases running on the same cluster, no access is possible from one database to another.

Password Security

Customer passwords are protected with industry-standard PBKDF2+SHA512 encryption (salted + stretched for thousands of rounds).
BrandHub staff do not have access to any user passwords, and cannot retrieve it on behalf of any client, the only option if lost it is to reset it.
Login credentials are always transmitted securely over HTTPS.
Customer administrators also have the option to configure the rate limiting and cooldown duration for repeated login attempts.

 

Password policies: Client administrators have a built-in setting for enforcing a minimum user password length. Other password policies like required character classes are not supported by default because they have been proven counter-productive – see e.g. [Shay et al. 2016]).

Staff Access

BrandHub helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know).
This special staff access improves efficiency and security: they can immediately reproduce the problem the client is seeing, and the client never has to share their password, and we can audit and control staff actions separately!
Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings needed to diagnose and resolve your issue.

Physical Security

Cloud servers are hosted in trusted data centers in various regions of the world (e.g. OVH, Google Cloud), and they must all exceed our physical security criterions:

  • Restricted perimeter, physically accessed by authorised data center employees only.
  • Physical access control with security badges or biometrical security.
  • Security cameras monitoring the data center locations 24/7.
  • Security personnel on site 24/7.

Network Defense

All data center providers used by Odoo have very large network capacities, and have designed their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability. Firewalls and intrusion prevention systems on Odoo servers help detect and block threats such as brute-force password attacks.

Odoo Security (The Software)

Software Security

Odoo is open source, so the whole codebase is continuously under examination by Odoo and other users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues.
The R&D processes have code review steps that include security aspects, for new and contributed pieces of code.

See also the OWASP Top Vulnerabilities section to see how Odoo is designed from the ground up to prevent such vulnerabilities from appearing.

Secure by design

Odoo is designed in a way that prevents introducing most common security vulnerabilities:

  • SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries.
  • XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data.
  • The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.

Independent Security Audits

The system is regularly audited by independent companies that are hired by our customers and prospects to perform audits and penetration tests. The Security Team receives the results and takes appropriate corrective measures whenever it is necessary.
We can’t however disclose any of those results, because they are confidential and belong to the commissioners.
The system also has a very active community of independent security researchers, who continuously monitor the source code and work with us to improve and harden the security of the system.

OWASP Top Vulnerabilities

Top security issue for web applications, as listed by the Open Web Application Security Project (OWASP):

Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
The system relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually, they are generated by the ORM, and parameters are always properly escaped.

Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
The system does not expose functions to perform remote file inclusion. However it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated by a sandboxed and sanitized environment that only allows access to permitted functions.

Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorisation.
System access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulating those references, because every request still has to go through the data access validation layer.

Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. The system runs on HTTPS by default.

Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
The system framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as “safe” for raw inclusion into rendered pages.

Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
The website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller to receive a POST request without the corresponding security token. This is the recommended technique for CSRF prevention. This security token is only known and present when the user genuinely accessed the relevant website form, and an attacker cannot forge a request without it.

Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
The system uses industry-standard secure hashing for user passwords (by default PKFDB2 + SHA-512, with key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.

Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
System access control is not implemented at the user interface level, and the security does not rely on hiding special URLs. Attackers cannot circumvent the access control layer by reusing or manipulating any URL, because every request still has to go through the data access validation layer. In rare cases where a URL provides unauthenticated access to sensitive data, such as special URLs customers use to confirm an order, these URLs are digitally signed with unique tokens and only sent via email to the intended recipient.

Hosting Services

Hosting Locations: customer databases are hosted in the Odoo Cloud Region closest to where they are based, and can request a change of region (subject to availability):

  • Americas: Canada , United States
  • Europe: France , Belgium
  • Asia & Pacific: Singapore, Taiwan
  • Middle East & Southern Asia: India

Backup Locations: backups are replicated on multiple continents in order to meet our Disaster Recovery objectives, and are located in the following countries, regardless of the original hosting region:

  • Canada
  • France
  • Belgium
  • Netherlands

Note: it is not possible to choose or restrict the backup locations, backups are replicated on at least 3 of these locations. Hosting data only within EU is not supported.