Odoo security management - what’s involved with hosting and maintaining Odoo for safety and stability


We decided to post this article as a follow-up to Odoo’s recent security advisory email (from December 2021). This article aims to provide a simplified outline of what to look for when hosting your own Odoo ERP instance to ensure it runs securely and reliably. It gives some basics about our setup and practices for our ERP cloud and Odoo ecommerce clients, serving as an example.

Odoo lives in an environment filled with interdependencies. There are many “moving” parts and many points of potential vulnerability. To host Odoo, you need to set up a multitude of building blocks in your infrastructure. The Odoo Community and Odoo Enterprise code are only part of that puzzle.

Please note that any software versions mentioned in this article are valid at the time of writing, but may not be in the future as updates become available.

Security advisories from Odoo

Odoo periodically releases security advisories, though not necessarily at the same time as the fixes are made in Odoo’s code. You can find active advisories at any time by going to one of these two links:

For example, Odoo’s security advisory email sent to users in December 2021 included fixes that were implemented in the early months of 2021, not recent fixes or even those made in the past few days or weeks. At the bottom of each advisory, you will find a list of links to the actual patches in GitHub, where you can view the release date of each patch.

With Steersman’s Odoo ERP Cloud, the majority of the security threats from the latest advisory list were not applicable. The payment and website-related vulnerabilities were not present (our apps had those risks excluded from the start), and we incorporated all relevant patches as soon as Odoo initially released them. We monitor updates and incorporate them into our system on a weekly basis.

Hosting Odoo – servers, software components, and making it all run securely

To allow Odoo to do its thing, you need to store Odoo data and run a variety of processes. In terms of physical hardware, you can “store” and “process” on a single server, or you can have your database and processing hardware separate. You can also have multiple servers for storage or processing (or both) to provide failovers and storage redundancy in case of hardware issues. To access Odoo and have it interact with you and others, you also need to add network and infrastructure components, some of which may require their hardware or software.

Each piece/component of the puzzle (software app, library, etc.) requires a procedure in place for obtaining the latest updates, including testing to ensure that each update is stable and doesn’t conflict with other system components.

  • For some “components,” you need to monitor for updates, check them for compatibility, and just pull them in.
  • For other “components,” your team must develop fixes and test them before releasing them into your production environment.

This part is important: you must maintain/update EVERYTHING, not just the code from Odoo. Each software component may have its vulnerabilities, any of which could make your Odoo setup vulnerable or unreliable.

Let’s group things to simplify. The following is what we suggest as building blocks for a robust, mission-critical setup, because if something fails, you lose serious money:

Compute/processing servers

These servers run your operations/code. Many layers of applications must be installed, and Odoo is one of the topmost layers. The software components are:

  • Linux Kernel
  • Operating System (OS) – Linux
  • JavaScript dependencies
    • JavaScript is a language that runs on Odoo users’ web browsers, and while system admins can encourage their users to keep their browsers updated, for the most part, this is outside of an Odoo admin’s control.
    • JS dependencies needed for Odoo include a multitude of third-party libraries that enable various processes to work correctly. Such dependencies are maintained mainly by their creators/managers independently: they release their own security improvements, enhancements, and changes. You most likely would not be doing your own security maintenance on JS dependencies.
    • Steersman checks and pulls JS dependency updates approximately weekly for its managed ERP cloud.
  • Python interpreter
    • The interpreter is the software component that reads your human-readable Python code and executes it on the server.
    • The Python community is actively working on performance, security, and stability improvements. It’s best to use the latest compatible version, as you may find yourself at a disadvantage otherwise.
    • Steersman’s Odoo ERP Cloud always uses the latest stable version that’s compatible with all the various parts, and we check/pull updates for Python almost every week. At the time of writing this article, we are using Python 3.8, and although Python 3.9 and 3.10 are currently available, Odoo and third-party modules are not yet fully compatible.
  • Python dependencies
    • Similar to JS dependencies in that they enable various functionality, Python dependencies differ in that they are installed on a server, and therefore, Odoo admins have full control over maintenance.
    • It is possible to wrap these dependencies in a virtual environment, as we have done at Steersman, which isolates them from other server components and makes it easier to achieve full compatibility between the OS, Python, Python dependencies, and Odoo.
    • You can find the full list of all the Python dependencies for Odoo here: https://github.com/odoo/odoo/blob/15.0/requirements.txt. They are all separately maintained, and each may have critical security patches released periodically.
    • In addition to Odoo’s 50 or so dependencies mentioned in the list above at the time of writing, 3rd-party and in-house customization modules add approximately 40 more dependencies to keep track of.
    • Steersman checks and pulls updates almost every week for its managed ERP cloud.
    • It’s important to note that sometimes it makes sense to keep a slightly older version of a dependency to avoid breaking functionality elsewhere, but this should be an exception that’s corrected as soon as possible.
  • Odoo Community
    • Odoo Community is the largest section of Odoo code.
    • Odoo maintains the codebase and regularly releases fixes and patches. You most likely would not be doing your own security maintenance of Odoo’s code.
    • Steersman checks and pulls Odoo Community dependency updates approximately weekly for its managed ERP cloud.
  • Odoo Enterprise
    • Odoo Enterprise consists of a large layer of code/modules added on top of Odoo Community.
    • Odoo maintains this codebase. You most likely would not be doing your own security maintenance on Odoo’s code.
    • Steersman checks and pulls Odoo Enterprise dependency updates approximately weekly for its managed ERP cloud.
  • Third-party Odoo modules
    • Third-party apps can be procured through Odoo’s app store or directly from their makers.
    • The creators of the apps may maintain their app code, releasing patches for security or compatibility with updates released by other “components” of the Odoo environment.
    • Depending on the provider of the third-party app, there is a risk that an app may lack adequate security. You should check every third-party app you incorporate for security vulnerabilities, probably via a manual code review.
  • Odoo customizations
    • Whatever customizations you or your developers create for your own Odoo are your responsibility. You should have the bandwidth to make necessary updates in cases of incompatibility or as other issues arise.

Database server

It will store your Odoo data. Software components needed to run this include:

  • Linux Kernel
  • Operating System (OS) – Linux
  • PostgreSQL
  • PostgreSQL plugins

Specific actions required to maintain your databases will depend on your particular configuration.

  • Self-managed / on-premises:
    • All four components listed above
  • Same server with Odoo:
    • Similar to self-managed, but OS and kernel updates become part of the general server maintenance rather than a separate database task
  • Managed services (optimal option):
    • A few examples are:
      • AWS RDS for PostgreSQL
      • AWS Aurora RDS for PostgreSQL
      • Azure PostgreSQL
      • Google Cloud SQL for PostgreSQL
    • Can be configured to apply minor updates automatically without any downtime.
    • Major updates must be scheduled by system admins, but are generally much easier to perform than in unmanaged environments.
    • These managed services also keep their underlying infrastructure (including OS and kernel updates) updated.

As you can see, utilizing managed services is the most effective option for database management.

Network and other infrastructure components

  • Email gateway
  • File storage
  • Caches
    • Not necessary, but can significantly improve performance and usability
    • Examples:
      • In-memory key-value stores such as Redis or memcached
      • CDN such as CloudFront, CloudFlare, Akamai, Fastly, etc.
  • Firewalls
    • Stateful Web Application Firewalls
    • Basic ACLs
  • Load balancers
  • Remote admin access, VPN, IP restrictions, etc.

Infrastructure software components done, Odoo management and best practices next

Once you have all the software components established and running, there are still other things to consider and set up.

A good general practice to follow is Zero Trust Architecture (read more about it on the NIST.gov site here). This is the general approach Steersman uses for our code development and management. Best practices make security “natural” – you either always do things properly, and then reliability is naturally ensured, or you are continuously putting out fires.

Monitoring for potential issues

  • You must maintain the code to keep things stable and secure
  • To know what updates are available and important, you must either:
    • Monitor all the involved applications, dependencies, and services – a constant stream of work
    • Automate your infrastructure to continuously check for updates – a large initial undertaking, but saves time on an ongoing basis
  • Identify code updates and improvements, make sure they don’t conflict with other parts of the system, and pull them into your servers.
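The pin check this section and the Python dependencies section above call for, written as an added example (not Odoo's or Steersman's code): it reads a file in the format of Odoo's requirements.txt (name==version with an optional single-clause python_version or sys_platform marker, which is an assumption about the lines you feed it), keeps only the pins that apply to your interpreter and platform, and lists the ones that lag a constructed table of latest known releases, which in practice you would replace with a feed from your advisory monitoring.

```python
import operator
import re

# Constructed sample (added example) in the format of Odoo's requirements.txt: name==version plus an optional marker.
SAMPLE_REQUIREMENTS = """\
Babel==2.6.0 ; python_version < '3.8'
Babel==2.9.1 ; python_version >= '3.8'
Jinja2==2.11.3
psycopg2==2.8.6 ; sys_platform != 'win32'
Werkzeug==0.16.1
"""
# Constructed 'latest known' table; in practice fed from your advisory monitoring.
LATEST_KNOWN = {"babel": "2.9.1", "jinja2": "2.11.3", "psycopg2": "2.9.3",
                "werkzeug": "2.0.2"}
_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)\s*(?:;\s*(.*))?$")
_MARKER = re.compile(r"^(python_version|sys_platform)\s*(==|!=|<=|>=|<|>)\s*'([^']*)'$")
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def vkey(version):
    """'2.11.3' -> (2, 11, 3) so versions compare numerically rather than as strings."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def marker_applies(marker, python_version, sys_platform):
    """Evaluate one marker clause (assumption: no 'and'/'or' combinations)."""
    if not marker:
        return True
    m = _MARKER.match(marker.strip())
    if not m:
        raise ValueError("unsupported marker: " + marker)
    var, op, value = m.groups()
    if var == "python_version":
        return _OPS[op](vkey(python_version), vkey(value))
    return _OPS[op](sys_platform, value)

def active_pins(text, python_version="3.8", sys_platform="linux"):
    """Map lowercase package name -> pinned version for the pins that apply here."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsed requirement line: " + line)
        name, version, marker = m.groups()
        if marker_applies(marker, python_version, sys_platform):
            pins[name.lower()] = version
    return pins

def outdated(pins, latest):
    """Sorted (name, pinned, latest) for pins that lag the latest known release."""
    return sorted((n, v, latest[n]) for n, v in pins.items()
                  if n in latest and vkey(v) < vkey(latest[n]))
```

Run it weekly against your real pin file and a current version feed; anything it reports that you deliberately hold back (the "slightly older version" exception above) should be listed with a reason and a removal date.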

Monitoring for existing issues

  • You must have proper logging to be able to fight against attacks and investigate issues (like bugs causing errors for users), but getting it right might be tricky.
    • Not enough logging, and you don’t have the necessary data to block hackers or debug.
    • Log too much and risk making the log itself a potential security issue. It’s important to thoroughly log login failures, credit card failures, expired or inconsistent user sessions, but avoid logging sensitive data.
  • Logs should be composed in such a way that they provide you with all the necessary data you need to troubleshoot an issue, but would make for a boring read to a potential attacker.
    • For example, log the exact time and error code associated with a failed transaction, but leave out any identifying information such as customer name, card number, etc.
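As an added example (not the article's code), the following Python shows one way to apply the rule above: a structured event line that keeps the time, event type and error code but drops identifying fields, plus a logging filter that masks card numbers and e-mail addresses in free-text messages. Field names, the event names and the sample values are constructed for the illustration.

```python
import logging
import re
from datetime import datetime, timezone

# Added example (not the article's code). Fields a security event may carry;
# anything else passed in (customer name, card number, address) is dropped.
ALLOWED_FIELDS = {"source_ip", "session_id", "user_id", "request_id"}
_PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digit card-like runs
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits):
    """Luhn check, so order numbers and the like are not redacted by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text):
    """Mask email addresses and Luhn-valid card numbers inside free text."""
    def mask_pan(m):
        return "[PAN REDACTED]" if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0)
    return _EMAIL.sub("[EMAIL REDACTED]", _PAN.sub(mask_pan, text))

class RedactingFilter(logging.Filter):
    """Attach to a handler so free-text messages are scrubbed before being written."""
    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), ()
        return True

def scrubbed_message(msg, *args):
    """What a handler with RedactingFilter would write for this log call."""
    record = logging.LogRecord("odoo.security", logging.WARNING, "app.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()

def security_event(event, code, when=None, **fields):
    """One line per event: UTC time, event type, error code, allowed fields only."""
    kept = {k: str(v) for k, v in fields.items() if k in ALLOWED_FIELDS}
    dropped = sorted(set(fields) - set(kept))
    parts = [when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "event=" + event, "code=" + str(code)]
    parts += [f"{k}={v}" for k, v in sorted(kept.items())]
    if dropped:  # record that fields were withheld, never their values
        parts.append("withheld=" + ",".join(dropped))
    return " ".join(parts)
```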

Protection – protecting data, maintaining usability

Setting up a firewall requires a balance between protection, cost, and usability. Complicated firewall rules may require faster hardware or higher cloud solution costs, but they might be necessary to achieve a good balance between protection and usability.

  • Malicious attacks should be identified and quickly blocked or neutralized
    • Manual attack mitigation is time-consuming and typically only starts once the problem becomes critical (an outage occurs)
    • A properly configured firewall can block the majority of malicious activity
  • Search engine crawlers and other bots (for websites)
    • Good bots, like Google crawlers, make your site discoverable or bring other benefits, but they can also crawl so vigorously that they may overload it. The site must remain operational at all times, even when Google is actively scanning it.
    • Bad bots may crawl looking for vulnerabilities, scrape your data, or engage in a variety of other unwanted behaviors, and it’s vital to try to block as many of them as possible.
  • Temporary system overload happens and requires an automated solution to minimize downtime. There are always peak times, times when you get hit by a bot a bit too aggressively, or when you are under an attack. Regardless of the cause, you need to keep things running:
    • Autoscaling – upgrade to a larger server capacity based on load.
    • Failovers – switch to another processing or storage server if one crashes.
    • Load balancing systems to share the load across multiple processing servers to maintain an even load per server.
  • Access key management is an ever-growing source of possible security issues. Technology that generated safe keys 10 years ago can easily be hacked today.
    • Moore’s law dictates that computing power roughly doubles each year, which applies as much to your operation as it does to the technology available to hackers intent on breaking in.
    • Using RSA for key management continues to be popular despite being notoriously problematic with many security issues. It’s conceptually simpler than other protocols; however, this also makes it extremely prone to misuse.
    • As we get closer to the reality of quantum computing, ensuring access security becomes even more concerning, so it’s essential to stay up to date on all technological advancements to keep your operation secure.
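The bot and overload points above in working form, as an added example that is not the article's or Steersman's code: a detector run over constructed nginx-style access log lines that flags sources exceeding a request rate in a sliding window or requesting too many missing pages, throttling known crawlers (the site must stay up while they index it) and blocking unknown sources. The log format, the crawler list and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (added example) in nginx "combined" log format (assumption):
# a normal browser session, a Googlebot burst, and an unknown client probing.
SAMPLE_LOG = """\
198.51.100.10 - - [09/Dec/2021:10:00:00 +0000] "GET /shop HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.10 - - [09/Dec/2021:10:00:20 +0000] "GET /shop/cart HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2021:10:00:01 +0000] "GET /shop/page/1 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [09/Dec/2021:10:00:02 +0000] "GET /shop/page/2 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [09/Dec/2021:10:00:03 +0000] "GET /shop/page/3 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [09/Dec/2021:10:00:04 +0000] "GET /shop/page/4 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.99 - - [09/Dec/2021:10:00:05 +0000] "GET /web/login HTTP/1.1" 200 300 "-" "python-requests/2.26"
192.0.2.99 - - [09/Dec/2021:10:00:05 +0000] "GET /admin HTTP/1.1" 404 150 "-" "python-requests/2.26"
192.0.2.99 - - [09/Dec/2021:10:00:06 +0000] "GET /backup.zip HTTP/1.1" 404 150 "-" "python-requests/2.26"
"""
_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
KNOWN_CRAWLERS = ("Googlebot", "bingbot")  # assumption: a list you maintain

def parse(log_text):
    """Yield (timestamp, ip, path, status, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            ip, ts, path, status, ua = m.groups()
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, path, int(status), ua

def hot_sources(log_text, window_s=10, max_requests=3, max_404=1):
    """Flag IPs that exceed max_404 missing pages or max_requests within window_s.
    Returns {ip: (action, reason)}: known crawlers are throttled (the site must stay
    up while they index it), unknown sources are blocked. A UA string is spoofable,
    so in production confirm crawler IPs by the vendor's published method too."""
    recent, errors, flagged = defaultdict(deque), defaultdict(int), {}
    for ts, ip, path, status, ua in parse(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if status == 404:
            errors[ip] += 1
        if ip in flagged:
            continue
        action = "throttle" if any(c in ua for c in KNOWN_CRAWLERS) else "block"
        if errors[ip] > max_404:
            flagged[ip] = (action, f"{errors[ip]} requests for missing pages")
        elif len(q) > max_requests:
            flagged[ip] = (action, f"{len(q)} requests in {window_s}s")
    return flagged
```

The thresholds here are deliberately low so the sample trips them; tune them against your own traffic and feed the result to the firewall or rate limiter you already run rather than acting on it by hand.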

Procedures and compliance

Whatever safety mechanisms exist in your systems, if users write credit card numbers on paper or save their passwords on sticky notes under their keyboards, there are risks that bad actors will gain access. For certain data types and industries, you may benefit from achieving compliance with specific regulations or standards.

  • PCI compliance for payment processing
  • ISO for procedures and access
  • NIST guidelines on access control and other areas
  • HIPAA
  • Etc.

Let’s wrap this up

Hosting and managing security for complex business systems, such as ERP systems and ecommerce websites, is a significant task. However, if you set up your infrastructure well from the start, diligently manage the quality of your code, and perform regular updates (updating everything at least every two weeks), each maintenance run can be quick and mostly straightforward. Alternatively, you can work with Steersman, and we’ll take care of everything, keeping you ahead in the security game.