
Follow up by Amy – container logging requirements review:

Action table (columns: Jira No, Summary, Description, Status, Solution). Each row below is given as a labelled entry; no Jira numbers were recorded.

Summary: Last TSC update
Description: CNF Task Force meeting moved to 31st of March; US government support may help increase open source "apps 5G". Session link: https://zoom.us/j/219945081?pwd=ZEN3U3daem9oMGJuZ3BXZExCdldkUT09
Status: ongoing
Solution: SECCOM representatives will join this session with the US military on open source secure software development for 5G.

Summary: Last TSC meeting
Description:
  • RC0 merged with RC1 on March 25th
  • Hardcoded certificate in AAI just expired; HELM limitations
  • Istanbul release – kick-off date (M0) April 1st. Full planning redefinition to be determined
  • Our proposal to replace "maintained" by "unmaintained" was approved by the TSC
  • Chaker integrated the security programming best practices
  • We are to book a slot at one of the next TSCs (25th of March) to present our proposal for moving TSC best practices to global requirements by M1 for:
    • CII Badging
    • Upgrading packages
  • Internship – we have to act fast… but we need time to be an active mentor

Summary: Slide deck for new Global Requirements
Description:
  Attachment: 2021-04-01_IstanbulSECCOMGlobalReqtsProposal_v4.pptx
  For CII Badging, ongoing conversation about maintained/unmaintained projects at passing level.
  Infrastructure-related question (hardening of the site) for gold level - all our projects are set to "unmet"; LF would have to handle this.
  Private vulnerability reports.
  Cultural change - possibility to add new people to a project.
  Statement coverage at 90% and test branch coverage at 80%.
  A couple of project-level questions that should be met - for example, review by 2 people.
  We are actively involved with David Wheeler to simplify CII badging answers by automation.
Status: ongoing
Solution:
  To be presented at the incoming TSC meeting - a slot in the agenda is to be booked.
  LoE = Level of Effort for package upgrades, to be collected from projects which succeeded in their efforts.
  Tony to be added to private vulnerability reports.
  Tony's findings to be further discussed within SECCOM.


Summary: Training for SonarCloud
Description: Scoping meeting on Thursday at 5:30 CEST.
Status: ongoing

Summary: Last PTL meeting
Description: Discussion on changes coming from projects after the deadline of the RC0/RC1 milestone.




Summary: Last TSC meeting
Description: Presentation about ONAP & O-RAN, usage of the ONAP MVP.
Status: ongoing
Solution: Slot to be booked at the next TSC meeting for moving best practices to global requirements.

Summary: How to create secure applications
Description: https://wiki.onap.org/display/DW/Secure+Programming+Practices - already linked by Chaker, presented to the TSC and to the PTLs.
Status: ongoing
Solution: PTLs will provide their feedback by March 29th.

Summary: SonarCloud findings to fix in the Istanbul release
Description:
  • Focus on fixing crypto vulnerabilities
  • How to tag unmaintained projects
  • Introduction of automation for projects not fixing a vulnerability within 60 days
Status: ongoing
Solution: Tony to contact David Wheeler to check whether automation could be introduced.

Summary: NEXUS-IQ container scanning
Description: New feature under review with LFN, but no update from Jess.
Status: ongoing
Solution: Amy to contact Jess for an update.

Summary: Logs management
Status: ongoing
Solution: Requirements to be reviewed next week at the SECCOM meeting.

Summary: Certificate issues (expiring)
Description: Raised by a Turkish company (Urlak?) that has already worked with ONAP for 3 years in a 5G context.
Status: ongoing
Solution: OOM team to be contacted - they meet on Wednesdays.

Summary: Logging management follow-up
Description: To check whether the use of stdout for logging was voted as a Best Practice. Fabian created 3 tickets for SDC. FluentD is to be used to export logs.
Status: ongoing
Solution: Status to be checked with David McBride.

Summary: Voting process for LFN Board candidates
Description: Please use your voting rights to support our colleagues (e-mail from Casey): Amy, Krzysztof and Martial.
Status: ongoing

Summary: Comments for logs
Description: Fabian's comments to be reviewed in 2 weeks.
Status: ongoing

Summary: Automating in CII Badging
Description: Contributions are welcome - please contact Tony. Python skills, or an equivalent, would be needed.
Status: ongoing


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 6th OF APRIL '21.





Attachment: 2021-03-30_SECCOM_week.mp4

SECCOM presentation:
Attachment: 2021-03-30 ONAP Security Meeting - AgendaAndMinutes.pptx