Versions Compared

Version Old Version 29 New Version 30
Changes made by

Stephen terrill

Stephen terrill

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ONAPseccom-API_security.pptxheight

27-11-2018--ONAP-Beijing-Security-Assessment.pdf250


ONAP Beijing CIS Benchmark for K8S test: CIS_Kubernetes_1.1.xlsx


Risk Assessment table (still under development and not yet mature): ONAP Risk Assessment table v 0 8.xlsx


name


2018-11-30 Security by design.pptx

 

TimeTopicTopDriver/PresenterDescription
28 November


9:00 - 9:15Status of the Casablanca Priorities  (SECCOM-82)Amy

Review the Casablanca security achievements    18_11_28_ONAPCasablancaSecurityPrioritiesStatus.pptx

9:15 - 10:00Outline Dublin Security Priorities (SECCOM-73)Stephen

Create the Dublin security priorities draft to review with seccom and present to the TSC 2018-11-14 Dublin Security - RequirementsV2.pptx

10:00 - 10:30Vulnerability Management Process Review (SECCOM-63)Pawel/Robert

Updates to the vulnerability management process


10:30 -10:45 Break

10:45 11:15Silver CII Badging (SECCOM-79)Amy

Determine the Silver requirements the projects need to focus on for Dublin and the requirements that are met by the overall ONAP processes  18_11_28_ONAPDublinCIISilverRequirements.pptx

11:15 - 12:00

Relationship between vulnerability reviews and release gates

(relates to security by design (SECCOM-75))

Amy

Lessons learned from the Beijing and Casablanca reviews

Enumerate the vulnerability mitigates tasks for each milestone and release candidate. This will help the projects schedule package upgrades, replacements, and the development of compensating controls early in the release cycle. 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx

12:00 - 1:00 Lunch

1:00 - 1:45Vulnerability handling clarifications (SECCOM-88 Amy

Create a simple workflow that will be used to explain the vulnerability remediation and documentation process to the PTLs 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx (see page 5)

1:45 - 2:30 API Security (SECCOM-80)Natacha

Review the ETSI API security recommendations and requirements

View file
name250
2:30 - 2:45 break


2:45 - 3:00Risk Assessment Review (SECCOM-81)Pawel/Samuli

Review the findings from the risk assessments

Discuss the questionnaire proposed by Robert to help identify risk in projects

ONAP Beijing Security Assessment (DB & Kubernetes)

View file
nameheight
3:00 - 4:00 Risk Assessment Overall Plan.  Also in (SECCOM-81)Pawel/Samuli

Define the scope of the risk assessment and the plan to complete the assessment

Focus on some selected areas of risk

4:00-4:15 Break

4:15 -5:00 wrap up

29 November


9:00 - 10:00 1hr ONAP Communication Security RequirementsPawelReview communication security between ONAP components and ensure that the transactions exchange between the different components are secure (Authentication, Authorization, Confidentiality)
10:00 - 10:30Security by design (SECCOM-75)Stephen

What guidelines are required to projects and the milestones to place security first and foremost.

  • Project security documentation
  • Project communication policy to OOM
  • Overall ONAP security documentation
  • Test cases
  • No XSS vulnerabilities in GUIs
  • input validation on all GUIs and APIs
  • Test driven development
View file
height250
10:30-10:45 Break

10:45-11:15 Security Guidelines (SECCOM-93)ZygmuntDevelop a plan to document the security of ONAP
11:15-12:30 Discussion and Review  Action ItemsAmyReview the meeting; assign action items
12:30-1:30Lunch

1:30-4:00 Backup if needed
Additional discussions among participants still available

...