Application: Automate security reporting

[jaysonmc]

Requested by security

• Automate generation of report that demonstrates security controls/compliance

---

Relevant recurity controls

Before allowing production operations, perform a vulnerability scan of the solution environment and apply any required updates and patches. Where possible, integrate vulnerability remediation into the continuous development process. & Before allowing production operations, perform penetration testing and/or run-time vulnerability assessment against publicly accessible interfaces and apply any necessary corrective measures such as patches.

[jaysonmc]

https://odoo.covid-dev.dts-stn.com/

[jaysonmc]

https://odoo.covid-staging.dts-stn.com/

[jaysonmc]

https://odoo.covid-prod.dts-stn.com/

[jaysonmc]

https://gccode.ssc-spc.gc.ca/iitb-dgiit/itse/security-knowledge-portal/-/wikis/Developer-Community/Security-Tools#devsecops-security-tools

AVM list of AVM tools may be helpful

[jaysonmc]

https://github.com/gcdevops/OdooSecurityTooling

[e-wu]

Security Code Scan

• [ ] https://securitylab.github.com/tools/codeql
• [ ] https://snyk.io/

Web Application Testing

• [x] OWASP Zap

Docker Image Scan

• [x] Anchore

Central Reporting tool

• [x] Owasp Security Dojo

[e-wu]

Security Dojo is used as our reporting tool. There are two reports currently leveraged:

1. Anchore scan
   To perform the scan, go to README
2. OWASP ZAP (local scan - not the most ideal) a. Startup Odoo from repository OdooDocker by docker-compose up b. Startup OWASP ZAP from OdooSecurity and follow instruction in **README docker instructions. c. After setting up the proxy, browse the Odoo Application.

What remains

1. Need the initial database imported before security scan runs
2. Add to CI/CD to send the data automatically to SecurityDojo.