Is there an ERPNext Security Officer?

Dale_Scott · February 18, 2018, 2:02am

Hello all, I was giving a presentation last week and was asked asked to explain how ERPNext code is validated from a security perspective, and if Frappe employed a cyber-security professional (e.g. CISSP certification). The list of Frappe staff on About Us does not appear to show anyone specifically tasked with security. Has anyone else dealt with this topic? If so, how did you handle it?

A common response to the security question in open source communities is “It’s open source, just look at the code yourself”, but clients a) don’t want the work of auditing ERPNext themselves or b) the liability. @rmehta does Frappe have an official comment on this? Are end-users expected to employ a service provider with security credentials if they need formal assurance of security? I understand it is impossible for Frappe to provide assurances related to the hosting environment, but it would also be extremely inefficient for each end-user (or their service provider) to do their own security audit (if even practically possible).

Cheers,
Dale

revant_one · February 18, 2018, 9:51am

If anyone encounters any security issue it is reported

check open and closed issues with security label

You can see https://snyk.io checks the PRs sent to frappe and erpnext.

Along with security officer we need to have community volunteers for security List of module volunteers - #37 by revant_one

Good thing about being a free software community, multiple parties can conduct multiple independent audits and share insights or fixes.

For foundation members I’ve put this up on agenda for next call :

https://discuss.frappe.io/t/erpnext-foundation-meeting-on-1st-march-2018/33997

lernlink · May 23, 2018, 1:44pm

What was the result of the foundation meeting?

here is an example how the great moodle.org project is dealing with serurity issues:
https://docs.moodle.org/dev/Moodle_security_procedures