...
| Jira No | Summary | Description | Status | Solution | Additional resources from E/// | Last week E/// decided to put 2 additional resources to OOM to finish service based duty - service mesh security. Inputs will be expected from SECCOM, Aschitecture and OOM +Maggie, Michael and NSA. More details to come. | ongoing | Meeting US GOV OPS 5G Weekly Sync – Amy made SECCOM presentation | -Interest in service mesh architecture, open standards security models -Does SonarCloud find hardcoded passwords? | ongoing | Several issues discovered dues to SO development. Ongoing exchanges between Orange developer and SO PTL in the context of performance issue. | ongoing |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
2021 LFN Developer & Testing Forum June 2021-06-07 - 2021-06-10 | Register to LFN Developer & Testing Forum June Proposals: 2021 LFN Developer & Testing Forum June SECCOM proposal: ONAP: SECCOM activities for Istanbul release | ongoing | ||||||||||
| SonarCloud questions review | Permission problems - Jess to rely on community - e-mail was sent to Jess, waiting for her feedback. | ongoing | Jess to contact with Alex. | |||||||||
| ONAP CII discussion – last PTL meeting | There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days. Questions to be considered by ONAP community as special focus in Instanbul release presented at the last PTLs meeting:
| SonarCloud questions review | Permission problems - Jess to rely on community. API documentation link - impossible to build up API call Tony needed, but Tony used sniffing and succeeded in building API that he needed. | ongoing | E-mail to Jessica was written. | Logging anagement follow-up | Fabian needs to have internal F2F meeting by the end of the month. Log management via stdout, normal log for exploitation (format and information inside) and finally security logs (important for SECCOM). Logs need to be kept simple.Bobs feedback on logging requirements and container matrix. Feedback to be provided in couple of weeks by Bob. | ongoingService Based Mesh security archietcture to be shared via SECCOM distribution listby end of Monday. | ||||
| NEXUS-IQ – SCA analysis outputs | Analysis almost completed and tickets are created. For Swagger related update we have no newer recommended version. | ongoing | Logging as part of DCAE | Logging could be just another source of information for DCAE? DCAE is analytic data. DCAE is not a common ONAP component. OOM consider slogging as a common component.done | Jira tickets (tasks) were created per project for Instanbul release. Ongoing work on some projects. PTLs were remainded yesterday to start working on packages upgrades. | ongoing | ||||||
| Direct vs. indirect dependencies with container scans | Open Amy opened a ticket at Sonatype (IT-22048) for direct vs. indirect dependencies with container scans. | ongoing | ||||||||||
| Logging management follow-up | A slide deck draft "ONAP Next Generation Architecture & Logging Architecture, Design and Roadmap" was presented (link below) by Byung-Woo Jun from Architecture Subcommittee. Work with OOM team (Sylvain and Krzysztof). ElasticSearch - licensing problems? Limitations in Keycloak - 200 tenants. | ongoing | ||||||||||
| Logging requirements analyssi update by Bob | Bob's Intro NSA - Jess intro Looing at the logging requirements. https://attack.mitre.org/ → enterprise metrix, container metrix. and telecom matrix: https://web.tresorit.com/l/lN841#uqbRHdXCFzVVX8obs1OEUw&viewer=1yoh8gKZ0tA9WqU9asFUHKl2Jp024UTo | ongoing | ||||||||||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 25th OF MAY'21. |
Recording:
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|
- a slide deck draft "ONAP Next Generation Architecture & Logging Architecture, Design and Roadmap", ONAP-Next-Generation-Security-Logging-2021-5-18-v1.pptx
- This slide deck will be presented at the LFN DDF June Event.
- Byung and others plan to refine it. Please provide your comment and share insight.