...
| Jira No | Summary | Description | Status | Solution | Google is investing in open source security | Google is investing $1 million in the Linux Foundation's Secure Open Source (SOS) pilot program to make open source projects more secure (Amy). Payment for fixing the bugs. According to Google, SOS is "the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF (Open Source Security Foundation)," a cross-industry forum that collaborates on the improvement of open source software security. Samuli shared also: https://openssf.org/ | started | Kubernetes hardening | https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/ ,v2 version is coming! New tool Kube-scape based on like Kube-bench based on CIScat guidance. Kube- | ongoing | Angular experience on dependencies | Nexus-IQ has some capabilities, Jarred's tool is doing something what NEXUS-IQ does not, so he is building dependency tree of the application written by Amy's tem as oppose to do anything to do with third party packages. We are not capturing as of today repos that nobody is using them. Nexus views is a new feature. Jared's approach allows for inter project dependencies based on AST (work based on source code) vs. Nexus-IQ based on POM files (no reference to the code itself). | ongoing | To leverage on NEXUS-IQ APIs - some resources could contribute - Bob will make a query. | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SonarCloud findings | ongoing | SonarCloud cleaning is needed - list projects and open a ticket to LFN to remove the projects that are not participating. | SCA automation efforts update | access granted to Nexus-IQ reports and restricted Wiki | ongoing | Bob and Shean might be consulted. | Feature template follow-up | Muddasar had a meeting with Alla. Muddasar is preparing a slide deck to be presented at the TSC. | ongoing | Slides with the proposal to be presented at the TSC - first draft by end of this week or next week | [REQ-441] | New Global Requirement | [REQ-441] LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – PROPOSAL FOR JAKARTA. | ongoing | Next PTLs meeting on 18th of October - agendaAAF replacement with ISTIO & Envoy & Open- Source Authentication & Authorization | Byung presented reasons why not to using ONAP AAF. Uniform open-source standard-based architecture (ISTIO and Envoy based) was discussed. OOM team for Instanbul release tried to achieve mTLS Service 2 Service communication. Only commmunication to service via proxy allowed. Please refer to attached slides in the bottom of this page. | ongoing | We need the flow matrix - Byung might share. More information about policy to be provided by Byung. | |
| New Jira ticket template | Tracebility is crucial here. Muddasar shared deck on new Jira ticket template. Goal is to use an existing ticketing system. | ongoing | comparizon analysis to be prepared by Muddasar. | ||||||||||||||||
| SBOM update | SPDX has become ISO standard. New version to come in next few months. | ongoing | Slides to be shared with Kenny by Muddasar. | ||||||||||||||||
| ONAP code quality improvement | Work in Progress, Fabian received an e-mail last week - name of Kevin Sandy from LFN will be contacted. Eric Debau is also involved, | ongoing | Kevin Sandy from LFN to be contacted. | Software BOMs | NTIA recommended minimal requirements will not be met from POM file, soe upsrtream integration will be needed - Muddasar and Sean are woeking on it. | ongoing | Update next week expected. | ||||||||||||
| Jakarta best practices review | -[REQ-xxx] SECURITY LOGS FIELDS - multiple reqs or one per field? -[REQ-xxx] Feature intake template -[REQ-xxx] Using basic image from OOM -[REQ-xxx] Software BOMs – more informative, no impact on pipeline, is it a single BOM for whole ONAP or atomic level, any usit should have its own BOM file. | ongoing | To be confirmed if LFN would run SBOMs, as LFN signes the ONAP code. Kenny to be addressed.PTLs meeting update |
| ongoing | Working session on Friday to continue the discussion. | |||||||||||||
| Synch with Integration | Fabian met Integration team last week for the tools around security. | To be checked if all tools used for security are still usefull. Study to be performed for the Kubescape | |||||||||||||||||
| Friday's calls | We keep on using Friday's calls for topics to be discussed. | ongoing | |||||||||||||||||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 26th OF OCTOBER'21. |
...
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|
- AAF replacement with Service-Mesh and Open-Source Security, AAF-CADI_Replacement_W_ISTIO-Envoy-MutualTLS.pptx
...