Quick Answer
Security audits systematically find vulnerabilities before attackers exploit them. The problem: Vulnerability in payment module = attacker exploits = 5,000 cards stolen = $2M-$5M cost (breach, fines, lawsuits). Discovery timeline: 8 months. The solution: Regular security audits = find vulnerability before exploitation = fix in 3 days = $5k cost. Three-layer framework: (1) Automated scanning (2 hours): SAST (Bandit, SonarQube = scan code for SQL injection, hardcoded credentials, XSS), DAST (OWASP ZAP, Burp Suite = test running system), Dependency scanning (Safety, pip-audit = check packages for CVEs). (2) Manual code review (8 hours): Review payment processing, authentication, data access, API integrations. Check hardcoded passwords, raw SQL, missing validation, access control gaps. (3) Penetration testing (16 hours annual): Simulate real attacker, test authentication bypass, privilege escalation, unauthorized data access, exploit vulnerabilities. Real CVE example: CVE-2024-36259 (Odoo 17) = improper access control in mail module = 100k+ instances affected = findable in 15-min audit = $200k-$1M breach cost per instance. Remediation: Critical fixes within 7 days, high within 30 days, medium within 90 days. Continuous: Automate scans in CI/CD pipeline (GitHub Actions, GitLab CI). Impact: Without audits = vulnerabilities found by attackers first = $500k-$5M damages. With quarterly audits = zero breaches, rapid remediation, zero breach costs.
The Security Audit Crisis
Your D2C runs Odoo with custom modules and third-party extensions. A critical vulnerability exists in a payment module but nobody knows. A hacker exploits it and steals customer payment data.
Scenario A: No Security Audits
- 1. Vulnerability exists in payment module
- 2. Attacker discovers vulnerability via automated scanning
- 3. Attacker exploits it remotely
- 4. 5,000 customer payment cards stolen
- 5. Attacker sells data for $500,000
- Timeline to discovery: 8 months (when customer reports fraud)
- Cost: $2M-$5M (breach, fines, lawsuits)
Scenario B: Regular Security Audits
- 1. Scheduled security audit (quarterly)
- - Automated scan finds vulnerability in payment module
- - Manual code review confirms high severity
- 2. Vulnerability fixed immediately
- - Module updated, tested, deployed
- - Time to remediation: 3 days
- 3. Customer data protected
- Timeline to discovery: 0 (before exploitation)
- Cost: 40 hours of audit work ($5,000)
The difference: $5M breach vs. $5K in audit costs. Security audits are the best $500-$2,000 investment D2C brands make.
We've implemented 150+ Odoo systems. The ones with quarterly security audits? Zero data breaches, vulnerabilities found before exploitation, rapid remediation, zero breach costs. The ones without? Vulnerabilities discovered by attackers first, data stolen, $500K-$5M in damages. That's completely preventable.
Why Vulnerabilities Stay Hidden
| Reason | Why It Happens | Impact |
|---|---|---|
| No testing | Developers don't test for security, only functionality | SQL injection, XSS undetected |
| Third-party modules | Install from Odoo Apps Store without security review | Backdoors, malware possible |
| Outdated dependencies | Don't update Python packages regularly | Known CVEs exploitable |
| Complex codebase | 100+ modules, 50k+ lines of code | Vulnerabilities buried deep |
| Time pressure | Rush to deploy features, skip security review | Insecure code in production |
Real CVE Example (2024)
Three-Layer Audit Framework
Layer 1: Automated Scanning (2 hours)
SAST (Static Application Security Testing)
Scan your custom code for vulnerabilities
Tools: Bandit, SonarQube, Pylint
Finds: SQL injection, hardcoded credentials, XSS
DAST (Dynamic Application Security Testing)
Test running Odoo system for vulnerabilities
Tools: OWASP ZAP, Burp Suite
Finds: Authentication bypass, server misconfiguration
Dependency Scanning
Check all Python packages for known vulnerabilities
Tools: Safety, pip-audit, Snyk
Finds: Outdated libraries with exploitable CVEs
Layer 2: Manual Code Review (8 hours)
Review critical functionality:
Payment processing code
Authentication/authorization logic
Data access patterns
API integrations
Check for:
Hardcoded passwords/API keys
Raw SQL queries (should use ORM)
Insufficient input validation
Missing access control checks
Layer 3: Penetration Testing (16 hours - annual)
Simulate real attacker:
Test authentication mechanisms
Attempt privilege escalation
Try to access unauthorized data
Exploit potential vulnerabilities found in Layers 1-2
Tool 1: Bandit (Python Security Scanner)
# Install
pip install bandit
# Scan your Odoo modules
bandit -r /odoo/addons/custom_module/
# Example output:
# >> Issue: [B608:hardcoded_sql_string]
# Possible SQL injection vector
# Location: models/invoice.py, line 45
# Severity: HIGH
# Confidence: MEDIUM
# Generate report
bandit -r /odoo/addons/ -f json > bandit-report.jsonCommon Findings from Bandit
SQL Injection Risk
# ❌ VULNERABLE: Hardcoded SQL
query = "SELECT * FROM res_partner WHERE id = " + str(partner_id)
# ✅ SECURE: Use ORM
partner = self.env['res.partner'].browse(partner_id)Hardcoded Credentials
# ❌ VULNERABLE: Hardcoded credentials
password = "admin123"
api_key = "sk_live_123456789"
# ✅ SECURE: Use environment variables
import os
password = os.environ.get('DB_PASSWORD')
api_key = os.environ.get('STRIPE_API_KEY')Pickle Deserialization
# ❌ VULNERABLE: Pickle deserialization (code execution risk)
import pickle
data = pickle.loads(untrusted_data)
# ✅ SECURE: Use JSON
import json
data = json.loads(untrusted_data)Tool 2: Safety (Dependency Scanner)
# Install
pip install safety
# Check for vulnerable packages
safety check > safety-report.txt
# Example output:
# [CRITICAL] django 3.0.0 has vulnerability CVE-2021-44720
# Upgrade to: django>=3.2.9
#
# [HIGH] requests 2.28.0 has vulnerability CVE-2023-32681
# Upgrade to: requests>=2.29.0
# Check specific requirements file
safety check -r requirements.txtTool 3: SonarQube (Enterprise Quality & Security)
# Install SonarQube (Docker)
docker run -d --name sonarqube \
-p 9000:9000 \
sonarqube:latest
# Configure project
cat > sonar-project.properties << EOF
sonar.projectKey=odoo_custom
sonar.projectName=Odoo Custom Modules
sonar.sources=/odoo/addons/custom_modules
sonar.language=python
sonar.python.bandit.reportPath=bandit-report.json
EOF
# Run analysis
sonar-scanner \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.login=admin:password
# Access dashboard: http://localhost:9000Example SonarQube Dashboard
Complete Quarterly Audit Example
Scenario: D2C with custom modules, third-party integrations, payment processing.
Month 1: Setup & Baseline Audit
# Step 1: Collect all code
find /odoo/addons -name "*.py" -type f > codelist.txt
echo "Found $(wc -l < codelist.txt) Python files to scan"
# Step 2: Run automated scans
bandit -r /odoo/addons -f json > bandit-report.json
safety check -r /odoo/requirements.txt > safety-report.txt
# Step 3: Review results
grep -i "HIGH\|CRITICAL" bandit-report.json
grep -i "CRITICAL" safety-report.txt
# Step 4: Create findings list
cat > audit-findings-q1.md << EOF
# Q1 2025 Security Audit
## Critical Issues (Fix within 7 days)
1. SQL injection in payment_processor.py (Line 45)
- Severity: CRITICAL
- Impact: Database compromise
- Fix: Use ORM instead of raw SQL
2. Hardcoded API key in integration_module.py (Line 123)
- Severity: CRITICAL
- Impact: API compromise
- Fix: Use environment variable
## High Issues (Fix within 30 days)
3. Missing input validation in invoice.py
4. Outdated cryptography library (CVE-2025-xxxx)
5. Weak password policy configuration
## Medium Issues (Fix within 90 days)
6. Missing error logging in sales module
7. Insufficient rate limiting on API endpoint
EOFMonth 2: Remediation & Testing
# Fix all CRITICAL issues first
# Example fix: SQL injection
# BEFORE (vulnerable):
invoice_id = request.params['id']
invoices = self.env.cr.execute(
"SELECT * FROM account_invoice WHERE id = " + invoice_id
)
# AFTER (secure):
invoice_id = request.params.get('id', 0)
invoices = self.env['account.invoice'].search([('id', '=', invoice_id)])
# Test the fix
python -m pytest tests/test_invoice_security.py -v
# Re-scan to verify fix
bandit -r /odoo/addons/custom_module/ | grep "payment_processor.py"
# Output: (No HIGH/CRITICAL issues found)
# Deploy to staging
git commit -m "Fix: SQL injection in payment_processor.py"
git push origin main
# Run full regression tests
pytest tests/ -v --covMonth 3: Validation & Reporting
# Re-run all scans to verify fixes
bandit -r /odoo/addons -f json > bandit-report-fixed.json
safety check -r /odoo/requirements.txt > safety-report-fixed.txt
# Generate executive summary
cat > audit-summary-q1.md << EOF
# Q1 2025 Security Audit Summary
## Timeline
- Start Date: 2025-01-01
- Completion: 2025-03-31
- Total Effort: 26 hours
## Findings by Severity
- Critical: 2 (RESOLVED)
- High: 3 (RESOLVED)
- Medium: 7 (RESOLVED)
- Low: 12 (RESOLVED)
## Key Improvements
✓ Eliminated all SQL injection risks
✓ Secured hardcoded credentials
✓ Updated 15 vulnerable dependencies
✓ Implemented input validation on all APIs
✓ Strengthened password policy
## Vulnerability Metrics
Before Audit: 24 vulnerabilities
After Audit: 0 vulnerabilities
Remediation Rate: 100%
## Recommendations
1. Implement automated scanning in CI/CD pipeline
2. Conduct security training for development team
3. Schedule penetration test for Q2 2025
4. Implement WAF (Web Application Firewall)
EOFPenetration Testing (Annual)
Scope Definition
| Category | Items |
|---|---|
| IN SCOPE | External Odoo interface, REST APIs, Payment integration, Custom authentication, Database access control, File upload functionality |
| OUT OF SCOPE | Third-party payment processor (Stripe), HR system (separate vendor), Email infrastructure (external provider) |
| RULES | Mon-Fri 8AM-6PM, Notify security@company.com before starting, Stop if system unavailable or data loss risk, Do not exfiltrate customer data |
Penetration Tester Activities
1. Authentication Bypass: Default credentials, password reset flaws, session hijacking
2. Privilege Escalation: Can normal user become admin? Can sales rep access HR data?
3. API Testing: Missing authentication on endpoints, improper input validation, rate limiting bypass
4. Common Vulnerabilities: SQL injection, XSS, CSRF attacks, file upload exploits
5. Documentation: Screenshots of exploits, step-by-step reproduction, business impact analysis
Continuous Audit Integration
# .github/workflows/security-audit.yml
name: Security Audit
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# SAST Scanning
- name: Bandit Security Scan
run: |
pip install bandit
bandit -r . -f json > bandit-report.json
# Dependency Check
- name: Safety Dependency Check
run: |
pip install safety
safety check --json > safety-report.json
# Quality Scanning
- name: SonarQube Analysis
uses: SonarSource/sonarqube-scan-action@master
env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# Fail if critical issues found
- name: Check for Critical Issues
run: |
critical_count=$(grep -c '"severity": "CRITICAL"' bandit-report.json || true)
if [ $critical_count -gt 0 ]; then
echo "Found $critical_count critical issues!"
exit 1
fiAction Items: Implement Security Audits
Immediate (Week 1)
❏ Install automated scanning tools (Bandit, Safety, SonarQube)
❏ Run baseline scan of all custom code
❏ Check all dependencies for known vulnerabilities
❏ Document all critical/high findings
Short-term (Month 1)
❏ Fix all CRITICAL vulnerabilities (within 7 days)
❏ Fix all HIGH vulnerabilities (within 30 days)
❏ Update all outdated dependencies
❏ Test fixes in staging environment
Ongoing (Quarterly)
❏ Schedule quarterly security audits
❏ Run automated scans before each release
❏ Review and remediate findings within SLA
❏ Document audit results and remediation
Annual
❏ Conduct professional penetration test
❏ Review overall security posture
❏ Update security policies based on findings
❏ Plan infrastructure improvements
Frequently Asked Questions
What tools should I use for Odoo security audits?
Use a combination of SAST, DAST, and dependency scanning tools. SAST (Static Application Security Testing): Bandit (Python security scanner, finds SQL injection, hardcoded credentials, XSS), SonarQube (enterprise code quality + security), Pylint (Python linter with security checks). DAST (Dynamic Application Security Testing): OWASP ZAP (open-source web app scanner), Burp Suite (professional penetration testing platform). Dependency scanning: Safety (Python package vulnerability scanner, checks CVEs), pip-audit (official Python audit tool), Snyk (commercial with free tier). Installation: pip install bandit safety; docker run sonarqube. Usage: bandit -r /odoo/addons -f json > report.json; safety check -r requirements.txt. Best practice: Run all three types in quarterly audits, automate Bandit + Safety in CI/CD pipeline.
How often should I conduct security audits on Odoo?
Quarterly automated audits + annual penetration testing. Quarterly (every 3 months): Run automated scans (Bandit, Safety, SonarQube = 2 hours), manual code review of critical modules (payment, authentication = 8 hours), remediate findings (critical within 7 days, high within 30 days, medium within 90 days). Total effort: 10-15 hours per quarter. Annual (once per year): Professional penetration testing (simulate real attacker, test authentication bypass, privilege escalation, exploit vulnerabilities = 16 hours), infrastructure security review, update security policies. Continuous (every commit): Automated SAST/DAST in CI/CD pipeline, block deployment if critical issues found. Trigger audits on: After installing third-party modules, before major releases, after security incidents. Statistics: Companies with quarterly audits = zero breaches. Companies without = $500k-$5M in damages.
What are the most common vulnerabilities found in Odoo custom modules?
Top 5: SQL injection, hardcoded credentials, XSS, missing access control, outdated dependencies. 1. SQL injection: Raw SQL queries instead of ORM (query = "SELECT * FROM res_partner WHERE id = " + str(id) = VULNERABLE; use self.env['res.partner'].browse(id) = SECURE). 2. Hardcoded credentials: API keys, passwords in code (password = "admin123" = VULNERABLE; use os.environ.get('DB_PASSWORD') = SECURE). 3. Cross-site scripting (XSS): Unescaped user input in templates, missing input validation. 4. Missing access control: No @api.model or record rules, users can access unauthorized data. 5. Outdated dependencies: Old Python packages with known CVEs (requests 2.28.0 has CVE-2023-32681, upgrade to 2.29.0+). Detection: Bandit finds #1-3 automatically, manual code review for #4, Safety finds #5. Real example: CVE-2024-36259 (Odoo 17) = improper access control in mail module = 100k+ instances affected.
How do I automate security scanning in my Odoo CI/CD pipeline?
Integrate Bandit and Safety into GitHub Actions or GitLab CI. GitHub Actions example: Create .github/workflows/security-audit.yml with jobs: (1) Bandit scan (pip install bandit; bandit -r . -f json > report.json), (2) Safety check (pip install safety; safety check --json > safety-report.json), (3) SonarQube analysis (use SonarSource/sonarqube-scan-action), (4) Fail build if critical issues (grep -c "CRITICAL" report.json > 0 = exit 1). Trigger: on: [push, pull_request] = runs on every commit. Result: Blocks deployment if critical vulnerabilities found, forces developers to fix before merge. GitLab CI: Similar setup in .gitlab-ci.yml with security_scan stage. Best practice: Run full SAST/DAST on every PR, quick Bandit scan on every commit, schedule nightly full audit with SonarQube. Integration time: 1-2 hours initial setup, zero ongoing maintenance.
Quarterly Security Audit Service
Stop accepting unknown vulnerabilities. We'll run automated SAST/DAST scanning, conduct manual code review of critical modules, check all dependencies for vulnerabilities, generate detailed audit report, prioritize findings by severity, and help with remediation planning. Most D2C brands skip security audits. A single undetected vulnerability costs $500K-$5M.