Versions Compared

Old Version 20

changes.mady.by.user Lee Anjella Macabuhay

Saved on

compared with

New Version 21

changes.mady.by.user Lee Anjella Macabuhay

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criterion

...

Note: Architecture diagram is Istanbul release.Please update "This page reflects the state for Istanbul-R9 release" to reflect the current release.
Your Answer-Please DescribeSECCOM Feedback / Recommendations

Yes, CPS architecture documentation can be found @ https://docs.onap.org/projects/onap-cps/en/latest/architecture.html

 

*Page is being updated for the

next release to reflect that the architecture diagram reflects the latest release. (https://gerrit.onap.org/r/c/cps/+/133557)


Documentation Security

Does your project have a description of what a user of your project can and cannot expect in terms of security from the software produced by the project, (In other words, what are its 'security requirements'?)

...

Please add a
Your Answer-Please DescribeSECCOM Feedback / Recommendations

None availableConfiguration Persistence Service Project#CPSSECURITYREQUIREMENTS

CPS don’t have security requirements apart from the authentication on our rest API wherein username and passwords are configurable

CPS has no logging of sensitive information such as usernames and passwords in plain text. The log files are only accesible withing the  authorized users of the application deployment.

CPS is in the process (as part of ONAP service mesh implementation) of migrating to service mesh, currently CPS application is fully-compatible with all the requirements, to provide encryption in transit to avoid unauthorized accesses and data breaches.

CPS does not run docker containers or services as 'root'.


Please add a statement about this to the end of your security requirements section/document. At a minimum, it should indicate how you protect your username and password configurations. (See other questions on hashing of secrets and use of crypto.)

comment on

-logging requirements

-encryption in transit (service mesh compatibility)-not running containers as 'root'

Vulnerability Mitigation

Vulnerabilities Critical Fixed

...

Is the ODL Yang parser included in CPS or is it a separate "microservice"?

How does CPS differentiate between trusted and untrusted sources?
Your Answer-Please ExplainSECCOM Feedback / Recommendations

Our application expects (any) client to upload models and data to be stored.

These models and data are validated via the 3rd party tool - OpenDayLight Yang parser which is part of CPS and not a separate microservice. These are only stored once the parser accepts that it is valid and returns an exception for invalid models and data.

Additionally, inputs to all REST endpoints are validated, e.g. CM handle IDs, CPS paths, timestamps





Hardening

Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?

...

Your Answer-Please ExplainSECCOM Feedback / Recommendations

CPS does not have a UI and does not use javascript

The application uses Swagger for RESTful API, wherein it is set that Authorization headers are required for accessing API documentation.

Usernames and passwords are configured in .yml file of CPS for clients to configure.

When CPS is run with docker, the services use username usernames and passwords that are stored as environment variables.

Testing: credentials are hardcoded

Deployment: While for testing purposes, all credentials are hard-coded, for deployments, CPS uses K8s secrets that is which are generated and stored as CPS the application is deployed.

How are usernames and passwords stored?

Are passwords stored hashed where CPS acts as an authenticator?


...

Your Answer-Please ExplainSECCOM Feedback / Recommendations

N/A

Usernames and passwords are configured in .yml file of CPS for clients to configure.

When CPS is run with docker, the services use username and passwords that are stored as environment variables.

Testing: credentials are hardcoded

Deployment: For deployments, CPS uses K8s secrets that is which are generated and stored as CPS the application is deployedCPS relies on the java.UUID mechanism **

[TH] how about storage of passwords?

Crypto Working

Does your software depend on any cryptographic algorithms that are known to be broken?

...

No
Your Answer-Please ExplainSECCOM Feedback / Recommendations

Usernames and passwords are configured in .yml file of CPS for clients to configure.

When CPS is run with docker, the services use username and passwords that are stored as environment variables.

Testing: credentials are hardcoded

Deployment: For deployments, CPS uses K8s secrets that is which are generated and stored as CPS the application is deployedCPS relies on the java.UUID mechanism **

[TH] how about storage of usernames & passwords?

Crypto Keylength

Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?

...

how about storage of passwords?
Your Answers-Please ExplainSECCOM Feedback / Recommendations

Deployment: For deployments, CPS uses K8s secrets that is are generated and stored as CPS is deployed **.

CPS relies on the java.UUID mechanism for generating unique identifiers

.


Crypto Certificate Verification

...

Your Answers-Please ExplainSECCOM Feedback / Recommendations

CPS is compliant and compatible with the ongoing service mesh implementation (see https://gerrit.onap.org/r/c/oom/+/124287) for ONAP. 

CPS service port names has been changed to include http in name.


Crypto Credential Agility

...

Your Answers-Please ExplainSECCOM Feedback / Recommendations

Usernames and passwords are configured in .yml file of CPS for clients to configure.

When CPS is run with docker, the services use username and passwords that are stored as environment variables.

Deployment: For deployments, CPS uses K8s secrets that is which are generated and stored as CPS the application is deployed **

[TH] how about storage of usernames and passwords for REST access?

.


Crypto TLS1.2

Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?

...

Your Answers-Please ExplainSECCOM Feedback / Recommendations

CPS is compliant and compatible with the ongoing service mesh implementation (see https://gerrit.onap.org/r/c/oom/+/124287) for ONAP. 

CPS service port names has been changed to include http in name.


Crypto Used Network

Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?

...

Your Answers-Please ExplainSECCOM Feedback / Recommendations

CPS only communicates with components within ONAP.

CPS's primary communication is through HTTP.

CPS uses KAFKA, and as a listener, in KAFKA we use PLAINTEXT communication, which is also KAFKA's default for communication, at a later stage the Kafka provider ( eg. Apache, Confluent, or Strimizi Kafka [which is planned to be used] ) can enable the security by default i.e the default way of communication.

**CPS components are deployed within a pod, all communications in PLAINTEXT are within the pod. Any communication outside the pods is managed via the service mesh.



Crypto Verification Private

...

Your Answers-Please ExplainSECCOM Feedback / Recommendations

CPS is compliant and compatible with the ongoing service mesh implementation (see https://gerrit.onap.org/r/c/oom/+/124287) for ONAP. 

CPS service port names has been changed to include http in name.