"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criterion
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| We do have clear text default credentials in our docker-compose files if not provided (only used for testing). The user should override credentials and strategy around these. | |
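The weak-default pattern described in the answer above, beside the form that refuses to start when the credential is missing. This is an added illustration, not the CPS project's own compose file; the service, image and variable names are assumptions.

```yaml
# Added example, not the project's compose file. Service, image and
# variable names are assumed. Start it with explicit values, e.g.
#   DB_USERNAME=cps DB_PASSWORD="$(openssl rand -base64 24)" docker compose up
services:
  db:
    image: postgres:14
    environment:
      # Weak pattern from the review answer: ":-" substitutes a cleartext
      # fallback whenever the variable is not exported, so a deployment that
      # forgets to set it silently runs with a well-known password.
      #   POSTGRES_USER: ${DB_USERNAME:-cps}
      #   POSTGRES_PASSWORD: ${DB_PASSWORD:-cps}
      #
      # Hardened: ":?" makes Compose abort with the given message when the
      # variable is unset or empty, so a missing credential fails loudly
      # instead of falling back to a default.
      POSTGRES_USER: ${DB_USERNAME:?DB_USERNAME must be set}
      POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD must be set}
  app:
    image: example/cps-app:latest   # placeholder image name
    environment:
      DB_USERNAME: ${DB_USERNAME:?DB_USERNAME must be set}
      DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD must be set}
    depends_on:
      - db
```

Test-only defaults can then live in a separate override file (for example `docker-compose.test.yml`, passed with a second `-f`) rather than in the base file, so that the base deployment never carries a cleartext fallback.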
Security Documentation
Documentation Architecture
...
| Your Answer - Please Describe | SECCOM Feedback / Recommendations |
|---|---|
| None available | |
Assurance Case
Does your project actually meet its documented security requirements?
...
| Your Answer - Please Describe | SECCOM Feedback / Recommendations |
|---|---|
| None available | |
Vulnerability Mitigation
Vulnerabilities Critical Fixed
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Yes. Critical vulnerabilities/issues are compiled by SECCOM periodically and the CPS project team resolves them in time for the current/previous release. We also check SonarCloud reports on a weekly basis and, if needed, action is taken. | |
Non-Cryptographic Software Questions
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| We will receive a lot of notifications of models and data from NEs... | Are these trusted? Subscriptions also? |
Hardening
Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Need to discuss from Java/RESTful viewpoint. CPS does not have a UI and does not use JavaScript. | |
Cryptographic-specific Software Questions
...
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| N/A | CPS does not include any internal module to implement cryptograph... what do we use? |
Crypto Random - Generic
Does your software use random information? If so, does it use a cryptographically secure random number generator?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| CPS does generate random UUIDs for notifications. CPS uses built-in Java libraries (java.util.UUID) for UUIDs. | Is this secure? |
Crypto Weaknesses
Does your software depend on any cryptographic algorithms or modes that have known serious weaknesses?
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| N/A | |
Crypto Working
Does your software depend on any cryptographic algorithms that are known to be broken?
...
| Your Answer - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| Not that the team is aware of. | |
Crypto Keylength
Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| No, we don't. | |
Crypto Algorithm Agility
Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| This does not apply. | |
Crypto Certificate Verification
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| We have not switched to HTTPS. We are planning to switch using service mesh. | |
Crypto Credential Agility
Does your software save or process authentication credentials or private cryptographic keys? If so, is that information stored separately from other information?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| No, we don't. | |
Crypto TLS1.2
Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| We have not switched to HTTPS. We are planning to switch using service mesh. | |
Crypto Used Network
Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| CPS only communicates with components within ONAP. Not sure what is considered to be inbound and outbound communications. What is the boundary? | |
Crypto Verification Private
...
| Your Answers - Please Explain | SECCOM Feedback / Recommendations |
|---|---|
| We have not switched to HTTPS. We are planning to switch using service mesh. | |