Cloud Infrastructure (Servers)
BiTS is a proud recipient of sponsorships from AWS, Microsoft Azure and IBM. BiTS hosts all data on leading clouds including AWS, Microsoft Azure and IBM. Our cloud service providers and partners are frequently audited to pass the most rigorous multi-tier security standards to achieve accreditation and certifications including ISO 27001, SOC1 and SOC2. Our cloud service partners also afford excellent Distributed Denial of Service (DDoS) mitigation strategies which help to keep your service running round the clock.
Managed Cloud Customers have their service and data hosted only in the trusted data centers listed above unless otherwise explicitly disclosed. Every data center meets or exceeds the following criteria for physical security:
Restricted perimeter, physically accessed by authorized data center employees only
Physical access control with security badges or biometric security
Security cameras monitoring the data center locations 24/7
Security personnel on site 24/7
Service Automation and Delivery Stack*
BiTS uses a bleeding-edge stack of enterprise grade server technologies to deliver robust performance, scalability and security.
BiTS invests heavily in automation to minimize human intervention and the possibility of operator error.
We leverage technologies such as Ansible, Jenkins, Git and Marathon-LB to deliver optimal service health through continual updates and data backups.
BiTS uses container technology (Docker) extensively, adding further layers of security through virtualization, isolation and continual vulnerability scans.
Our managed hosting customers can put their minds at ease knowing that their services are running on hardened Linux distributions with up-to-date security patches. Our networks are continually monitored to reduce possible attack vectors.
*Applies to our managed cloud hosting service. Implementation features may vary for custom cloud infrastructure. BiTS' baseline managed hosting solution evolves continuously as we adapt to meet ever changing challenges in a dynamic technological landscape.
Backups (Disaster Recovery)
Your business continuity is our top concern. With this in mind BiTS automates backups and keeps geo-redundant copies in case of a disaster.
You can expect that at a minimum your data will be backed up and retained*:
Daily for 7 days (7 backups)
Weekly for 4 weeks (4 backups)
Monthly for 3 months (3 backups)
Total of 12 backups
For customers with data on a PostgreSQL database (e.g. BiTS) your data is also continually archived (near real-time backups) as a primary point of recovery should your service fail. In such an event automatic recovery should have your system back online within 5 - 10 minutes.
*In the event of system failure:
Recovery Point Objective is 24 hours (a maximum of 24 hours of data loss in the event of a restoration from a daily backup)
Recovery Time Objective is 30 minutes for managed cloud customers
Please request documentation for your application(s) from your service representative if it is not available on this page.
OdooCommunity (Managed Cloud)
More Eyes Means More Security
BiTS is open source, so the whole codebase is under continuous scrutiny by a global community of users and developers. Not all open source applications are secure; however, OdooCommunity is unique in that its user base is in the millions, and this has supported a global network of passionate developers and engineers (including our team at BiTS) who work constantly to improve security.
Version Control and Traceability
At BiTS careful quality assurance processes, including multiple code review steps, help to improve security and stability for end users when new software is deployed to extend BiTS's core functionality. Commits and changes are 100% traceable via our Git repositories and deployment logs.
BiTS always performs local unit tests, staging tests and where necessary additional intermediary steps to ensure that any code reaching your production environment is both secure and robust.
Software Architecture (Highlights)
OdooCommunity is designed in a way that prevents introducing most common security vulnerabilities:
SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries
XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data
The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities
Other Important Information
Customer data is stored in a dedicated database - no sharing of data between clients.
Data access control rules implement complete isolation between customer databases running on the same cluster, no access is possible from one database to another.
Your passwords are protected with industry-standard PBKDF2 + SHA512 hashing (salted + stretched for thousands of rounds). BiTS staff do not have access to your password, and cannot retrieve it for you. If you lose your credentials we will only be able to reset them with a valid instruction from you.
Login credentials are always transmitted securely over HTTPS.
BiTS support staff may, with your consent, sign into your account to access settings related to your support issue. For this they use their own credentials, not your password(s). All activity is logged at the application and server levels. Passwords are always rotated immediately and returned to the customer for a reset and safekeeping. You stay in control of your data.
You never need to share your password(s)!
Our support staff strive to respect your privacy as much as possible. We endeavour to access only the files and settings needed to diagnose and resolve your issue.
Audits and Reporting
BiTS performs ongoing audits on code and receives bug reports both from customers and third parties hired to review code and perform penetration tests on staging systems. The BiTS Security Team acts quickly and appropriately to take necessary corrective measures. For the security of our users we cannot and do not disclose these results however
We accept security reports via email here:
Please click on the link above to download our PGP public key. We recommend using this key to encrypt your emails to our security team.
Please include as much information as possible, including the detailed steps to reproduce the problem, the versions that are affected, the expected results and actual results. Text-based bug descriptions (such as application logs) accompanied with a proof-of-concept script/exploit help us to react faster and more efficiently. If you are a security researcher or developer please contact email@example.com to register your interest.
BiTS and Open Web Application Security Project (OWASP)
Top Open Web Application Security Project (OWASP) security concerns:
CONCERN #1: Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
RESPONSE #1: OdooCommunity relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually, they are generated by the ORM, and parameters are always properly escaped.
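To make the distinction in Response #1 concrete, here is an added example (not code from this page or from OdooCommunity) contrasting a query built by string formatting with the parameterized form an ORM generates on the developer's behalf. The table, its rows and the crafted input are constructed for the demonstration and use Python's standard-library sqlite3.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
SAMPLE_PARTNERS = [
    (1, "Alice Example", "alice@example.test"),
    (2, "Bob Example", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database with a small partner table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO res_partner VALUES (?, ?, ?)", SAMPLE_PARTNERS)
    return conn


def find_partner_vulnerable(conn, name):
    """Anti-pattern: the user-supplied value is spliced into the SQL text, so a
    quote character inside `name` changes the structure of the query itself."""
    sql = "SELECT id, name FROM res_partner WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_partner_parameterized(conn, name):
    """Hardened form: the value travels as a bound parameter. The database
    receives the SQL structure and the data separately, so no input can alter
    the query's meaning. This is what an ORM does for every generated query."""
    sql = "SELECT id, name FROM res_partner WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run the same lookup both ways on a legitimate and on a crafted value."""
    conn = make_db()
    # Constructed input containing a quote: the vulnerable query's WHERE clause
    # becomes `name = 'x' OR '1'='1'` and matches every row; the parameterized
    # query simply looks for a partner literally named that way and finds none.
    crafted = "x' OR '1'='1"
    return {
        "legit": find_partner_parameterized(conn, "Alice Example"),
        "vulnerable": find_partner_vulnerable(conn, crafted),
        "parameterized": find_partner_parameterized(conn, crafted),
    }
```

The lesson for reviewers is that the parameterized version is not "escaping done carefully"; the value never becomes part of the SQL text at all, which is why an ORM that builds every query this way removes the bug class rather than individual bugs.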
CONCERN #2: Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
RESPONSE #2: The OdooCommunity framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as "safe" for raw inclusion into rendered pages.
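Response #2 describes escape-by-default rendering with an explicit opt-out. The following is an added illustration, not the OdooCommunity templating engine: a minimal renderer in which every substituted value is HTML-escaped unless it is wrapped in a hypothetical `Markup` type. The template and inputs are constructed for the example.

```python
import html
import re


class Markup(str):
    """A string already known to be safe HTML. Only values of this type are
    inserted verbatim; everything else is escaped on output."""
    __slots__ = ()


def escape(value):
    """Escape any value for inclusion in HTML, unless it is already Markup.
    quote=True also escapes the two quote characters, so the result is safe
    inside attribute values as well as in element content."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


# Placeholders look like {{ name }}; the renderer has no raw-output syntax,
# so the only way to bypass escaping is to pass a Markup value explicitly.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, **values):
    """Render the template, escaping each substituted value by default."""
    def substitute(match):
        return escape(values[match.group(1)])
    return _PLACEHOLDER.sub(substitute, template)


# Constructed template and inputs for the demonstration.
TEMPLATE = "<p>Hello, {{ name }}!</p><div>{{ body }}</div>"
UNTRUSTED_NAME = "<script>alert(1)</script>"


def demo():
    """Return the rendering of an untrusted value and of an explicitly trusted one."""
    untrusted = render(TEMPLATE, name=UNTRUSTED_NAME, body="plain")
    trusted = render(TEMPLATE, name="Alice", body=Markup("<b>bold</b>"))
    return untrusted, trusted
```

The design point is that the safe marker is a distinct type rather than a flag on the call site: a value that has passed through `escape` once is already `Markup`, so double-escaping does not occur, and a reviewer can grep for `Markup(` to find every place where raw HTML enters a page.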
CONCERN #3: Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
RESPONSE #3: The OdooCommunity website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller from receiving a POST request without the corresponding security token. This is the recommended technique for CSRF prevention. The security token is only known and present when the user has genuinely accessed the relevant website form, and an attacker cannot forge a request without it.
CONCERN #4: Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
RESPONSE #4: BiTS does not expose functions to perform remote file inclusion. However it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated by a sandboxed and sanitized environment that only allows access to permitted functions.
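An added example of the sandboxing idea in Response #4 (not OdooCommunity's own expression evaluator): a Python expression evaluator that accepts only an allow-list of syntax-tree node types and a hypothetical `PERMITTED_FUNCTIONS` table, so attribute access, subscripts, comprehensions, imports and calls to anything else are rejected before evaluation starts. The expressions and variables in `demo` are constructed.

```python
import ast

# Node types an expression may contain: literals, names, arithmetic,
# comparison, boolean logic, conditional expressions and calls (calls are
# checked separately). Attribute, Subscript, Lambda, comprehensions and
# Pow (cheap denial of service via huge exponents) are deliberately absent.
ALLOWED_NODES = {
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
    ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
}

# The only callables reachable from inside an expression (assumed allow-list).
PERMITTED_FUNCTIONS = {"min": min, "max": max, "abs": abs, "round": round}


def check_expression(tree, env):
    """Reject the expression unless every node, name and call is permitted."""
    for node in ast.walk(tree):
        if type(node) not in ALLOWED_NODES:
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in env:
            raise ValueError(f"unknown name: {node.id}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in PERMITTED_FUNCTIONS:
                raise ValueError("call to a non-permitted function")


def safe_eval(expression, variables=None):
    """Evaluate a user-supplied expression with access only to `variables`
    and PERMITTED_FUNCTIONS. Builtins are removed from the evaluation scope,
    and because attribute access is never accepted, the usual routes from a
    literal to the interpreter internals are closed before eval() is reached."""
    env = dict(PERMITTED_FUNCTIONS)
    env.update(variables or {})
    tree = ast.parse(expression, mode="eval")
    check_expression(tree, env)
    return eval(compile(tree, "<expression>", "eval"), {"__builtins__": {}}, env)


def demo():
    """Evaluate a constructed pricing rule and confirm that three expressions
    which try to leave the sandbox are refused before evaluation."""
    rejected = []
    for bad in ("__import__('os')", "().__class__", "[x for x in ()]"):
        try:
            safe_eval(bad, {"price": 1})
        except ValueError as exc:
            rejected.append(str(exc))
    value = safe_eval("max(price * qty - discount, 0)",
                      {"price": 9.5, "qty": 4, "discount": 3})
    return value, rejected
```

Allow-listing node types is the reverse of the common (and fragile) approach of blacklisting dangerous names: a new language feature or a spelling the filter did not anticipate is rejected by default rather than silently admitted.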
CONCERN #5: Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
RESPONSE #5: BiTS access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulating those references, because every request still has to go through the data access validation layer.
CONCERN #6: Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
RESPONSE #6: OdooCommunity uses industry-standard secure hashing for user passwords (by default PBKDF2 + SHA-512, with key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.
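Response #6 and the password section earlier on this page both cite PBKDF2 with SHA-512, a salt and key stretching. The block below is an added example written for this page (not Odoo's own password code) that stores the algorithm name, round count and salt alongside the digest, so the work factor can be raised later and old records detected and rehashed at next login. `ROUNDS` is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets

ROUNDS = 600_000   # assumed work factor; tune to the slowest acceptable login
SALT_BYTES = 16
ALGORITHM = "pbkdf2-sha512"


def hash_password(password, rounds=ROUNDS, salt=None):
    """Return a self-describing record: $pbkdf2-sha512$<rounds>$<salt>$<digest>.
    A fresh random salt per password means identical passwords produce
    different records and precomputed tables are useless."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "${}${}${}${}".format(
        ALGORITHM,
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest with the stored salt and round count and compare in
    constant time. Nothing here can recover the original password, which is
    why a lost password can only be reset, never retrieved."""
    try:
        _, algorithm, rounds, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(rounds)
    except ValueError:        # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, min_rounds=ROUNDS):
    """True when a record uses another algorithm or fewer rounds than current
    policy; call after a successful verify to upgrade the record transparently."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != ALGORITHM:
        return True
    try:
        return int(parts[2]) < min_rounds
    except ValueError:
        return True
```

Keeping the parameters inside the record is what makes "stretched for thousands of rounds" a policy that can grow: raising `ROUNDS` affects new hashes immediately, and `needs_rehash` lets existing users be migrated the next time they present their password.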
CONCERN #7: Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
RESPONSE #7: BiTS managed cloud customers are all served content over HTTPS by default. We also implement strict encryption protocols in all proxy layers.
CONCERN #8: Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly
REPONSE #8: OdooCommunity access control is not implemented at the user interface level, and the security does not rely on hiding special URLs. Attackers cannot circumvent the access control layer by reusing or manipulating any URL, because every request still has to go through the data access validation layer. In rare cases where a URL provides unauthenticated access to sensitive data, such as special URLs customer use to confirm an order, these URLs are digitally signed with unique tokens and only sent via email to the intended recipient.