Versions Compared


"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criterion

...

Related Jira issue: CPS-1140 (ONAP Jira)

Security Knowledge

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations
Yes, the majority of the CPS team & PTL are aware of security best practices and are experienced in mitigation and vulnerability resolution.

Implement Secure Design

Do the committers and PTL apply secure design principles when reviewing software for merging?

...

Your Answer (Please Explain) | SECCOM Feedback / Recommendations
Yes, the CPS team/PTL/committers review and look for security issues and recommend fixes before merging.

Know Common Errors

Do the committers and PTL understand commonly found errors (and how to counter or mitigate them)? Do they apply these principles when reviewing software for merging?

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations
Yes, the CPS team & PTL are aware of common security risks and how to mitigate them. There are also security checks in our CI pipeline.

...

Your Answer (Please Explain) | SECCOM Feedback / Recommendations

We do have clear-text default credentials in our docker-compose files if none are provided (only used for testing). The users of CPS are expected to override the credentials and the strategies around these.
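Added illustration (not part of the CPS team's answer and not CPS's own compose file) of the two patterns at play: a service whose password falls back to a clear-text testing default, beside the same service with the fallback removed so docker compose refuses to start until the operator supplies a value. The service name, image name and variable names are assumed.

```yaml
# Constructed example: service, image and variable names are placeholders.
services:
  cps-with-default:
    image: example/cps:latest
    environment:
      # Weak: if DB_PASSWORD is unset in the shell or .env file, the literal
      # "cps" is used, so a forgotten override ships the testing default.
      DB_USERNAME: ${DB_USERNAME:-cps}
      DB_PASSWORD: ${DB_PASSWORD:-cps}

  cps-hardened:
    image: example/cps:latest
    environment:
      # Hardened: ${VAR:?message} makes docker compose abort with the message
      # when DB_PASSWORD is unset or empty; no default value exists in the file.
      # A non-secret default for the user name is still acceptable.
      DB_USERNAME: ${DB_USERNAME:-cps}
      DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD must be set, no default is shipped}
```

A quick check before release is to run `docker compose config` with an empty environment: the hardened service fails with the message above, while the weak one silently renders the default into the expanded configuration.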


Security Documentation

Documentation Architecture

...

Your Answer (Please Describe) | SECCOM Feedback / Recommendations
Yes, CPS architecture documentation can be found at https://docs.onap.org/projects/onap-cps/en/latest/architecture.html

...

Your Answer (Please Describe) | SECCOM Feedback / Recommendations

None available.


Assurance Case

Does your project actually meet its documented security requirements?

...

We will receive a lot of from NEs... are these trusted? 

Subscriptions also?

Your Answer (Please Explain) | SECCOM Feedback / Recommendations

Our application expects (any) client to upload models and data to be stored.

These models and data are validated via the OpenDaylight YANG parser. They are only stored once the parser accepts them as valid; the parser returns an exception for invalid models and data.


Hardening

Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?

...

Need to discuss from a Java/RESTful viewpoint.

Your Answer (Please Explain) | SECCOM Feedback / Recommendations

CPS does not have a UI and does not use JavaScript.

...

The application uses Swagger for its RESTful API, and it is configured so that Authorization headers are required for accessing the API documentation.



Cryptographic-specific Software Questions

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations

CPS does generate random UUIDs for notifications. These UUIDs are generated via the built-in Java libraries (java.util.UUID).


Crypto Weaknesses

Does your software depend on any cryptographic algorithms or modes that have known serious weaknesses?

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations
No, CPS does not generate any keys.

Crypto Algorithm Agility

Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations

CPS has not switched to HTTPS, but the plan is to switch to enabling service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.


Crypto Credential Agility

Does your software save or process authentication credentials or private cryptographic keys? If so, is that information stored separately from other information?

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations
No, CPS does not store or save authentication credentials; the only information saved by CPS is data and models, either via clients' input or initial input from the application start-up.

Crypto TLS1.2

Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations

CPS has not switched to HTTPS, but the plan is to switch to enabling service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.


Crypto Used Network

Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?

...

Not sure what is considered to be inbound and outbound communications.

What is the boundary?
Your Answers (Please Explain) | SECCOM Feedback / Recommendations

CPS only communicates with components within ONAP.

CPS's only communication is through HTTP.

CPS uses Kafka; as a listener in Kafka we use PLAINTEXT communication, which is also Kafka's default for communication.
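Added illustration (not part of the CPS team's answer and not CPS's own configuration) of what moving the Kafka listener off PLAINTEXT looks like on the client side. It assumes a Spring Boot Kafka consumer configured through Spring Boot's `spring.kafka.*` properties; broker host, ports, file paths and environment variable names are placeholders.

```yaml
# Constructed example: the weak default beside the TLS-enabled client settings.
# First document: what "PLAINTEXT, Kafka's default" amounts to for the consumer.
spring:
  kafka:
    bootstrap-servers: kafka-broker.example:9092   # placeholder host and port
    security:
      # Weak: records and offsets cross the network unencrypted and the client
      # has no way to verify which broker it is talking to.
      protocol: PLAINTEXT
---
# Second document: the same consumer pointed at a broker TLS listener.
spring:
  kafka:
    bootstrap-servers: kafka-broker.example:9093   # the broker's SSL listener, not the PLAINTEXT one
    security:
      protocol: SSL                                # encryption plus broker certificate checking
    ssl:
      # Truststore holding the CA that issued the broker certificate.
      trust-store-location: file:/etc/cps/certs/truststore.jks
      # No default: an unresolvable ${...} placeholder makes Spring Boot fail at
      # start-up instead of silently running with an empty password.
      trust-store-password: ${KAFKA_TRUSTSTORE_PASSWORD}
      # Client certificate, only needed if the broker requires mutual TLS.
      key-store-location: file:/etc/cps/certs/keystore.jks
      key-store-password: ${KAFKA_KEYSTORE_PASSWORD}
```

The broker must expose a matching SSL listener for this to connect; once it does, the PLAINTEXT listener can be removed from the broker so that a misconfigured client cannot fall back to it.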



Crypto Verification Private

...

Your Answers (Please Explain) | SECCOM Feedback / Recommendations

CPS has not switched to HTTPS, but the plan is to switch to enabling service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.