Hello all, I was giving a presentation last week and was asked to explain how ERPNext code is validated from a security perspective, and if Frappe employed a cyber-security professional (e.g. CISSP certification). The list of Frappe staff on https://frappe.io/about does not appear to show anyone specifically tasked with security. Has anyone else dealt with this topic? If so, how did you handle it?
A common response to the security question in open source communities is “It’s open source, just look at the code yourself”, but clients a) don’t want the work of auditing ERPNext themselves or b) the liability. @rmehta does Frappe have an official comment on this? Are end-users expected to employ a service provider with security credentials if they need formal assurance of security? I understand it is impossible for Frappe to provide assurances related to the hosting environment, but it would also be extremely inefficient for each end-user (or their service provider) to do their own security audit (if even practically possible).