Experienced Cybersecurity Consultants / Consultancy Required for Odoo ERP Technical Security Audit

Posted 3 weeks ago

Worldwide

Summary

Budget: USD 10,000 Fixed Price Engagement Type: Milestone-based delivery Project Type:Technical Security Audit, VAPT, Source Code Review, ERP Security Assessment Platform: Odoo ERP with PostgreSQL, Ubuntu Linux, Custom Python Modules, APIs and Integrations We are looking for experienced cybersecurity consultants or a specialist consultancy to deliver a full technical security audit of an Odoo ERP environment. The selected consultant or firm must have strong hands-on experience in ERP security assessments, vulnerability assessment, penetration testing, Odoo security, Python source code review, API security, PostgreSQL database security, infrastructure hardening, and compliance mapping. **Proposal Submission Requirement** Interested consultants or consultancies must submit a formal proposal in **Microsoft Word format** covering the following: * Understanding of the scope * Proposed technical approach * Project delivery methodology * Standard timeline * Milestone-wise delivery plan * Team structure and roles * Tools and technologies to be used * Sample deliverables or report format, if available * Similar project references * Assumptions, dependencies and exclusions * Commercial confirmation within the USD 8,000 fixed budget This is a fixed-budget engagement of USD 10,000, and the delivery must be structured through clear project milestones, documented methodology, and formal deliverables. **Scope of Work** The selected consultant / consultancy will be expected to cover the complete technical security audit scope, including but not limited to: 1. **ERP Security Architecture Review** * Review Odoo ERP architecture, deployment model, environment segmentation, trust boundaries, network exposure and integration points. * Assess security risks across application, database, network, API and infrastructure layers. 2. **Infrastructure and Server Security Review** * Review Ubuntu Linux servers hosting Odoo application components. * Assess patching, kernel currency, SSH hardening, firewall rules, exposed ports, SSL/TLS configuration, load balancer, WAF and network segmentation. * Perform credentialed and non-credentialed vulnerability assessment. 3. **Odoo Platform and Application Security Assessment** * Review Odoo version, exposed services, security misconfigurations, DB Manager exposure, production safety settings, session security, authentication, authorization and business logic controls. * Assess Odoo-specific risks such as unsafe server actions, QWeb/template injection, sudo misuse, record-rule bypass, ACL weaknesses, group hierarchy issues and access control gaps. 4. **Source Code Review** * Review custom-developed and modified Odoo Python modules. * Identify risks such as insecure use of eval/exec, raw SQL injection, command injection, unsafe deserialization, insecure file handling, hardcoded secrets, poor input/output encoding and insecure dependency usage. * Use SAST tools where required, but all findings must be manually validated. 5. **API Security Assessment** * Review XML-RPC, JSON-RPC, REST/custom API endpoints and integration APIs. * Test for OWASP API Top 10 risks including broken object-level authorization, broken function-level authorization, excessive data exposure, mass assignment, injection, authentication gaps and missing rate limiting. 6. **PostgreSQL Database Security Review** * Review database roles, privileges, pg_hba configuration, encryption, replication security, backup security, audit logging, database activity monitoring and sensitive data exposure. * Assess least-privilege implementation and database hardening. 7. **Identity and Access Management Review** * Review account lifecycle, RBAC, ACLs, ir.rule configuration, privileged accounts, UID 1/admin access, password policies, SoD conflicts and MFA readiness. 8. **Integration Security Assessment** * Review third-party integrations, data exchange flows, API keys, secrets management, TLS enforcement, trust boundaries and third-party access risks. 9. **Security Logging, Monitoring and Compliance Assessment** * Review audit trails, logging coverage, retention, alerting, SIEM readiness and incident detection capability. * Map findings against relevant frameworks such as OWASP, CIS, ISO 27001, NIST CSF and applicable internal security requirements. **Expected Methodology** The consultant / consultancy must follow a structured and evidence-driven approach, including: * Inception and scope confirmation * Rules of Engagement and NDA confirmation before testing * Environment mapping and access validation * Reconnaissance and discovery * Architecture and configuration review * Vulnerability assessment * Manual penetration testing * Odoo-specific security testing * Python source code review * API and integration security testing * PostgreSQL database security review * Risk rating using CVSS v3.1 * Business impact analysis * Remediation guidance * Re-testing and remediation validation * Final closure report and knowledge transfer All testing must be non-destructive, conducted within approved testing windows, and should not disrupt the production environment. **Required Deliverables** The selected provider must deliver the following: 1. Inception Report covering confirmed scope, methodology, project plan, test windows, access requirements and resource plan. 2. Technical Security Assessment Report with executive summary, methodology, detailed findings, evidence, CVSS v3.1 risk ratings, business impact and remediation steps. 3. Vulnerability Register with severity, affected asset, evidence, recommendation, owner, status and target remediation date. 4. Gap Analysis Report mapped to relevant security standards and control areas. 5. Executive Presentation for management-level review. 6. Remediation Validation Report after re-testing Critical, High and Medium findings. 7. Final Closure Letter confirming completion, residual risks and acceptance status. 8. Knowledge transfer session with the technical team. **Required Experience and Certifications** Applicants must demonstrate experience in similar ERP, Odoo, application security or infrastructure security assessments. Preferred certifications include one or more of the following: * CISSP * OSCP * CISA * CEH * ISO 27001 Lead Auditor * GWAPT * GPEN * GXPN * Odoo certification * PostgreSQL DBA certification Consultancies should provide details of the proposed delivery team, including role, experience, certifications and availability. **Suggested Milestone Structure** Applicants are requested to propose a milestone-based delivery model. As a guideline, the following structure may be used: * Milestone 1: Inception, scope confirmation, RoE, access validation and project plan * Milestone 2: Infrastructure, architecture, Odoo platform and configuration review * Milestone 3: Vulnerability assessment, penetration testing, source code review and API testing * Milestone 4: Database, IAM, integration security, logging and compliance review * Milestone 5: Draft report, client review, final report and executive presentation * Milestone 6: Remediation validation, re-testing and closure report **Important Notes** * This is a fixed-budget project of USD 8,000. * Only experienced consultants or firms with relevant ERP/Odoo/security audit experience should apply. * Generic VAPT-only profiles without Odoo, ERP, API, database and source code review experience may not be suitable. * The final report must be evidence-based, technically detailed and suitable for submission to senior management and technical stakeholders. * All findings must be manually validated before inclusion in the report. Please apply only if you can submit a professional Word proposal covering your approach, timeline, methodology, milestones, team profile and relevant experience.

  • $10,000.00

    Fixed-price
  • Expert
    Experience Level
  • Remote Job
  • Ongoing project
    Project Type
Skills and Expertise
Mandatory skills
ISO 27001
Information Security
Activity on this job
  • Proposals:15 to 20
  • Last viewed by client:3 weeks ago
  • Interviewing:
    4
  • Invites sent:
    0
  • Unanswered invites:
    0
About the client
Member since Feb 3, 2022
  • United Arab Emirates
    Abu Dhabi12:33 AM
  • $570 total spent
    11 hires, 4 active
  • 8 hours

Explore similar jobs on Upwork

Security and Compliance SpecialistFixed-price‐ Posted 2 weeks ago
Network Security
Information Security
Penetration Testing
Security Analysis
B2B Sales Partner for CybersecurityHourly‐ Posted 2 weeks ago
B2B Marketing
Sales
Outbound Sales
Telemarketing

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo