"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criteria [security-review G]

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

Yes. The majority of DCAE committers and the PTL are generally familiar with secure software development practice and experienced in vulnerability resolution. The CLM scan reports and OJSI tickets are periodically assessed by the same PTL/committers.

<Muddasar> Are there any efforts/means within the DCAE team to ensure all contributors and committers are familiar with Sec-SDLC practices? CLM scans and OJSI tickets are reviewed; what is the efficacy of such reviews? Is it reducing downstream discoveries of issues?

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

The PTL and most committers do understand and make an effort to mitigate these errors during reviews. A session on security/quality checkpoints will be organized for London to get all new committers up to speed.

<Muddasar> Could we use this opportunity to record and save the session? This may be helpful for new team members.

Amy Zwarico The findings and recommendations from SonarCloud will help educate the developers.

No Leaked Credentials

Do the committers and PTL verify that there are no non-test credentials and no non-test private keys in code to be merged?

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

Yes, all DCAE patches are verified to ensure non-test credentials/private keys are not included in the code/repositories.

<Muddasar> Can this be associated with a scan report to reduce human errors? A scan for credentials should be part of testing.

Amy Zwarico Use SonarCloud to find any embedded credentials.

Security Documentation

Documentation Architecture

...

Your Answer - Please Describe | SECCOM Feedback / Recommendations

Yes. Documented under this wiki: DCAE Security Design & Assurance

<Muddasar> The description is clear on the link provided. It is a good effort. Wondering if this information is added to the DCAE user documentation. Also, CONSUL app protection and data protection should be considered somewhere; it is not in scope for DCAE, is it in scope somewhere else?

...

Your Answer - Please Describe | SECCOM Feedback / Recommendations

Yes. Documented under this wiki: DCAE Security Design & Assurance

<Muddasar> A wiki does not constitute documented security requirements. It merely tells what the DCAE team usually does. This area can be improved to describe security requirements, aligned with how these are met.

Amy Zwarico SECCOM developed security requirements years ago.

Vulnerability Mitigation

Vulnerabilities Critical Fixed

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

Mostly YES. The majority of the projects have no/minimal vulnerabilities and blocker issues reported from SonarCloud for DCAE components - https://sonarcloud.io/organizations/onap/projects?search=dcaegen2&sort=-coverage

<Muddasar> This can be termed as a quality matrix. Days open/TTR etc. should be tracked: self-induced vs external, or code, review, test escape.

Amy Zwarico Agreed. That data is available in SonarCloud, but at the moment we cannot get the API working. (sad)

Vulnerabilities Fixed 60 Days

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

Yes. Critical vulnerabilities/issues are compiled by SECCOM periodically and the DCAE project team resolves them in time for the current/previous release.

<Muddasar> This can be termed as a quality matrix. Days open/TTR etc. should be tracked: self-induced vs external, or code, review, test escape.

Amy Zwarico There is a small vulnerability team that manages this. It is very rare to get a vuln reported against the ONAP platform. 99% are reported against LF tools such. Agreed that ONAP should track.

Non-Cryptographic Software Questions

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

DCAE has different types of components/microservices:

Collectors: All DCAE collectors interface with external network elements (trusted/untrusted depending on protocol/interface); however, data validation is done in most cases.

  • VESCollector/HV-VES - Data validation is done on event receipt and the event is rejected if it does not conform to the expected spec. Both collectors are expected to receive data from any xNF.

  • DFC/RESTConf/SNMPTrap - Data validation is done during post-processing of the events in the northbound flow. DFC and RESTConf accept events only from configured xNFs; the SNMPTrap collector is a listener service that accepts any traps sent to it.

EventProcessors/Analytics - These components do not accept data from external sources (i.e. outside ONAP) and work through data coming via DMAAP (internal to ONAP).

<Muddasar> Shouldn't collectors validate the data source/sender? Known vs unknown sender and degree of trust?

Amy Zwarico There should be tests for all external interfaces that include fuzzing, etc.

Hardening

Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

The majority of DCAE services are compliant. There is no C/C++ code in DCAE repositories, hence the compiler-flag-related questions do not apply.

DL-Admin has a web (user) interface which is not compliant with all hardening requirements listed; it also stores external DB credentials (TBD whether the data is encrypted/hashed when persisted in the DB).

<Muddasar> How should we measure security vulnerabilities stemming from unhardened code? Vulnerabilities discovered after the integration stage, or the release stage maybe?

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

No such known dependency exists currently.

Need to ensure the DL-Admin updates planned are compliant with this requirement in a future release.

Amy Zwarico SonarCloud finds broken algorithms in TLS and other crypto in the code.

Crypto Keylength

Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

Not currently; however, we need to ensure the DL-Admin updates planned are compliant with this requirement in a future release.

Amy Zwarico Standard configurations of TLS generally support multiple ciphers.

Crypto Certificate Verification

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

Yes, all DCAE components support a minimum of TLSv1.2 (when enabled for HTTPS).

Amy Zwarico There is an integration test that checks for TLS and I think for the version.

Crypto Used Network

Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

All DCAE components use standard libraries for HTTPS calls (Java components use Java 11 libraries and Python components use the requests library). These libraries are externally managed and we believe the requirements for certificate verification before sending HTTP headers are being met.

<Muddasar> Use of standard libraries does not mean certificate verification is being applied. Can someone confirm Java 11 behavior?
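An added check for the Python side of the question above (not DCAE project code): it builds a client TLS context that enforces what the answers claim (certificate and host-name verification on, TLS 1.2 as the floor), shows the misconfiguration that silently turns verification off, and audits any context for those settings. The function names make_client_context, make_weak_context and audit_client_context are assumptions.

```python
import ssl

# Added example, not DCAE project code. Assumed helper names:
# make_client_context, make_weak_context, audit_client_context.


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and refuses TLS < 1.2."""
    # create_default_context() loads the system trust store and turns on
    # check_hostname and CERT_REQUIRED; pin the protocol floor explicitly so a
    # change in library defaults cannot lower it.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The misconfiguration an audit should catch: verification switched off.

    This is the ssl-level equivalent of calling requests.get(url, verify=False).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS below 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("weak", make_weak_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

For the requests library, verification is on by default and is only lost when a caller passes verify=False. Java 11's java.net.http.HttpClient likewise validates the certificate chain and host name through the default SSLContext unless a custom, permissive one is installed.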
