Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 19th of April 2022.
2 tickets created at LFN IT:
- IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP
- IT-23829 Hardening LFN hosted ONAP project web sites
Bruno mentioned:
- Security review
- dynamic tool analysis
- Runtime assertion
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | LFN Developer & Testing Forum | Event June 13th-16th, Porto, Portugal. Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/ | started | |
| | SECCOM topics proposal | | started | Topic proposals to be submitted. Brian to share what kind of security due diligence is performed by Bell Canada. ONAP is used for 5G slicing orchestration. Bug in SBOM software - ticket was opened to LFN IT by Vijay. |
| | ONAP unmaintained and deprecated functions | Amy presented process for all possible use cases with execution and planning phases. Slide deck with modifications included. | started | Modifications to be provided by Amy based on the discussion held - done |
| SDC-3954 - open, SDNC-1692 - open, OOM-2957 - open; OOM-2958 - open, INT-2104 - open | Logging update | Majority of the fields implemented in CPS. 2 topics to be addressed: synch with OOM. | ongoing | Synch with Byung on architecture. |
Muddasar presented a proposal for a 5Y assessment model:
Assessment should be for an ONAP project as a whole. Report should be actionable - the rule for moving from one level to the other is defined. It should also include process or tool improvement recommendations.
We could use the SAMM tool and some of our and their questions to have a quick and easy assessment. Risk/threat model to be used.
Assessment models are usually based on interviews.
Ticket was opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - log file was removed from the Wiki.
Confirmation e-mail to be sent to Kohei by Amy.
- LF Security conformance - Byung
Amy saw presentation of LF CEO.
- Unmaintained projects proposals - Byung
We focus on Portal first and then on AAF.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | | Fabian provided a presentation: in "clean as you code" the developer shall be motivated; quality gate conditions shall be generalized; usage of SonarLint allows for faster (on-the-fly) detection compared to SonarCloud; for security hotspots we need to have a reviewer in this area that would do the action (e.g. acknowledge), and Jiras were set up in a special way; the commercial tool provides a way to fix the issue. | ongoing | Michał to do an additional run to get a status update. As none of the tickets were progressed, the issue is to be escalated at the TSC. |
| | Kohn SECCOM Global Requirements | [REQ-437 -> REQ-800] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8); [REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11); [REQ-439 -> REQ-863] -> REQ-1066 -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES; [REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL | started | Logging requirement - target full PoC for Kohn and then Global Requirement for London release. |
| | 5Y assessment | Dedicated teams in projects for security. We have security tests at the Integration level but usually no delegated security expert. | ongoing | Hardening validation process might not exist at all for some ONAP projects. |
SECCOM MEETING CALL WILL BE HELD ON 26th OF April'22.
Recording: (attached file)
SECCOM presentation: (attached file)