Users - OFBiz application security


Users - OFBiz application security

Merrill, Robert
Hey all,

We have an OFBiz-based proposal out to a client, and a competitor has
challenged it, saying that "OFBiz is not secure" compared to their
offering.

Our proposal is going to the client's board in the next few days, and
our contact at the client wants to know what to tell them.

Has anyone done a security audit or review of OFBiz, or, better yet, had
one done by a third party?

What else can truthfully be said about OFBiz application security?

Thanks!

Robert

Robert Merrill
[hidden email]
www.berbee.com
 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

Re: Users - OFBiz application security

Si Chen-2
What are their "facts" in claiming that "OFBiz is not secure"?

Si

Merrill, Robert wrote:

>Hey all,
>
>We have an OFBiz-based proposal out to a client, and a competitor has
>challenged it, saying that "OFBiz is not secure" compared to their
>offering.
>
>Our proposal is going to the client's board in the next few days, and
>our contact at the client wants to know what to tell them.
>
>Has anyone done a security audit or review of OFBiz, or, better yet, had
>one done by a third party?
>
>What else can truthfully be said about OFBiz application security?
>
>Thanks!
>
>Robert
>
>Robert Merrill
>[hidden email]
>www.berbee.com
>

Re: Users - OFBiz application security

Andrew Sykes
In reply to this post by Merrill, Robert
Robert,

This sounds like a bit of a desperate claim by a competitor with nothing
much else to say!

From a sales point of view I'd be inclined to call their bluff, ask them
to prove it!
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com


Re: Users - OFBiz application security

Ian Gilbert
In reply to this post by Si Chen-2
My understanding is that OFBiz uses standard SSL certificate-based
security.  Therefore it is as secure as any other system using this
(banks, other e-commerce sites, government departments)...  Certainly this
is how we have it configured.  I guess if you have a low-grade certificate
(say 56-bit) then you are more vulnerable than if you have a higher-grade
(say 128-bit) one.  There are probably costs involved with this.

As was pointed out on the list a while ago, there are some default settings
that, if they are not changed (accounts, for example), will allow easy
access to the system, but these are covered in the production guide.  Some
allegations were made again a few weeks ago regarding security, but these
were not followed up with examples or explanations.

Again, I understand that OFBiz implements role-based security where you can
give different users access to different parts of the system depending on
the characteristics of their permissions.  I think that these are all wrapped
up within SSL (so you have to get through that to actually change them).

I am a long way from being a security expert and I would be very
interested to know if this is not the case.  There is a fair bit on
security in the wiki and some of the associated documents.

Very best wishes

Ian Gilbert



On Mon, March 6, 2006 15:24, Si Chen wrote:

> What are their "facts" in claiming that "OFBiz is not secure"?
>
>
> Si
>
>
> Merrill, Robert wrote:
>
>
>> Hey all,
>>
>>
>> We have an OFBiz-based proposal out to a client, and a competitor has
>> challenged it, saying that "OFBiz is not secure" compared to their
>> offering.
>>
>> Our proposal is going to the client's board in the next few days, and
>> our contact at the client wants to know what to tell them.
>>
>> Has anyone done a security audit or review of OFBiz, or, better yet,
>> had one done by a third party?
>>
>> What else can truthfully be said about OFBiz application security?
>>
>>
>> Thanks!
>>
>>
>> Robert
>>
>>
>> Robert Merrill
>> [hidden email] www.berbee.com
>>

Re: Users - OFBiz application security

BJ Freeman
In reply to this post by Merrill, Robert
I am saying this more so you can form your responses to the competitor.
There are many levels of security.
Since OFBiz is a work in progress, doing a security audit, like the one laid
out in Visa's PCI compliance relative to securing CC information, would be
very costly. If you do a Google search you will find those that do this.
Here is one: http://www.scanalert.com/Content.sa?sec=4&sub=2

So you can have the audit on the instance of OFBiz you are providing
your client, and will have to provide an audit every time you make
changes to the code.

Next, if they bring up that they used a demo to evaluate the security,
then you can query whether they used the Configuration manual provided by
OFBiz before the evaluation.


Merrill, Robert sent the following on 3/6/06 7:24 AM:

> Hey all,
>
> We have an OFBiz-based proposal out to a client, and a competitor has
> challenged it, saying that "OFBiz is not secure" compared to their
> offering.
>
> Our proposal is going to the client's board in the next few days, and
> our contact at the client wants to know what to tell them.
>
> Has anyone done a security audit or review of OFBiz, or, better yet, had
> one done by a third party?
>
> What else can truthfully be said about OFBiz application security?
>
> Thanks!
>
> Robert
>
> Robert Merrill
> [hidden email]
> www.berbee.com

Re: Users - OFBiz application security

Ruth Hoffman
In reply to this post by Merrill, Robert
Hi Robert:
Having seen this same tactic employed in many a sales situation,
especially when the opponent has nothing to lose, the first thing I
always did was go on the offensive by asking for some proof. All
Internet-facing applications deal with pretty much the same security
challenges. These challenges are many and varied, and for you and your
contact to start taking a defensive posture without having something
more specific than "OFBiz is not secure" is a no-win situation.

I worked for a number of software companies as a sales engineer and this
was a favored sales ploy, used primarily when we didn't have anything
else to throw at the competition. If nothing else, it muddied the waters.

Just my 2 cents. BTW, I'd say without reservation that, compared to
other packages I've seen, the ability to configure the level of secure
access and perimeter controls is as good as or better than most. And that
is what is most important - support for flexible configuration of:
authentication/authorization; user and session management; data
protection; transaction integrity; disaster recovery and the like - and
not any one specific feature or passing an audit.

Again, my 2 cents.
Ruth

Merrill, Robert wrote:

>Hey all,
>
>We have an OFBiz-based proposal out to a client, and a competitor has
>challenged it, saying that "OFBiz is not secure" compared to their
>offering.
>
>Our proposal is going to the client's board in the next few days, and
>our contact at the client wants to know what to tell them.
>
>Has anyone done a security audit or review of OFBiz, or, better yet, had
>one done by a third party?
>
>What else can truthfully be said about OFBiz application security?
>
>Thanks!
>
>Robert
>
>Robert Merrill
>[hidden email]
>www.berbee.com
>