2022-05-24 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 24th of May 2022.

Columns: Jira No | Summary | Description | Status | Solution


Summary: Log PoC results presentation by Andrew (andrew.a.lamb@est.tec).
Description: Fluent Bit sends the logs to Elasticsearch, and Kibana retrieves them from there.
Status: done
Solution: About the requirement: [REQ-1072] SECURITY LOGS FIELDS – full PoC with CPS in Kohn, then Global Requirement (GR) candidate for London.
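As an added example (not the PoC's own configuration and not part of the original minutes), the following Fluent Bit classic configuration implements the pipeline described above: a tail input reads container logs, the kubernetes filter attaches pod metadata, and the es output ships the records to Elasticsearch, where Kibana reads them. The host name, index name, log path, CA file and credential variables are placeholder assumptions; the security-relevant settings are the tls/tls.verify pair and the HTTP credentials, which keep the shipping channel authenticated and encrypted instead of plaintext.

```ini
# Added example, not the PoC's or ONAP's own config. Host, index, path,
# CA file and credential variable names are placeholders (assumptions).
[SERVICE]
    Flush         5
    Log_Level     info
    Parsers_File  parsers.conf

[INPUT]
    Name          tail
    Tag           kube.*
    Path          /var/log/containers/*.log
    Parser        docker
    Mem_Buf_Limit 5MB

[FILTER]
    # Enrich each record with namespace/pod/container labels so the
    # security log fields can be correlated per component in Kibana.
    Name          kubernetes
    Match         kube.*
    Merge_Log     On

[OUTPUT]
    Name          es
    Match         *
    Host          elasticsearch.logging.svc
    Port          9200
    Index         security-logs
    Suppress_Type_Name On
    # Encrypt and verify the Elasticsearch endpoint; tls.verify Off would
    # accept any certificate and silently weaken the channel.
    tls           On
    tls.verify    On
    tls.ca_file   /etc/fluent-bit/es-ca.crt
    # Credentials come from the environment (e.g. a mounted Secret),
    # never hard-coded in the config file.
    HTTP_User     ${ES_USER}
    HTTP_Passwd   ${ES_PASSWORD}
```

The Elasticsearch user referenced here should only have write access to the target index, and the Kibana role used by analysts should be read-only on it, so a compromised log shipper cannot tamper with already-indexed security events.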

 

Summary: LFN Developer & Testing Forum
Description: Event June 13th-16th, Porto, Portugal. Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/
Status: started

Description: SECCOM topics proposal:
  • SECCOM retrospectives:
    • Log4j fix implementation in the Istanbul Maintenance Release
    • Jakarta security status update
  • Kohn security goals:
    • Global Requirements and Best Practices
    • Security PoCs:
      • logging requirement
      • code quality
      • service mesh
  • SBOM enablement, maintenance and packaging
  • Waiver policy update
  • Unmaintained projects: joint meeting with Amy, Thomas, Andreas, Chaker and Byung
  • On the road to the gold badge (Tony and Toine); potential issue with remote participation for Tony
  • Operator perspective on ONAP security (Amy, Andreas? Brian? Fabian?)
  • Security principles in the implementation (Tony, Maggie); work in progress, at risk, may be delivered at one of the next conferences
Status: started
Solution: Remaining topic proposals to be submitted.
Brian to share what kind of security due diligence is performed by Bell Canada; ONAP is used there for 5G slicing orchestration.
Fabian to check whether he could contribute on how software is qualified for deployment and what due diligence was performed.
Follow-up with Kenny to be done.


Summary: SBOM
Description: Jess to reach out to the LFN IT developer.
Status: ongoing


Summary: Notary v2 vs. Cosign
Description: Categories to be covered: software, documentation and SBOM. Waiting for feedback from Alex.
Solution: SECCOM requirement to be formed, starting with software.

 

Summary: Last TSC meeting
Description: Positive feedback from the TSC on unmaintained projects.


Summary: Technical debt
Description: Last 2 slides reviewed again by Muddasar: what do PTLs consider as technical debt?
Status: started
Solution: Review the technical-debt-related Jira items in the projects' backlogs; Muddasar to review the backlogs per project. One slide to be prepared and then shared with the PTLs and the Architecture Subcommittee.

 

THE NEXT SECCOM MEETING CALL WILL BE HELD ON 7th OF JUNE 2022.


Recording: 

 

SECCOM presentation: