Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 27th of July 2021.

Columns: Jira No | Summary | Description | Status | Solution

Feedback on Byung's AAF Service Mesh proposal - Al Laing

NSA is looking for risk-based authorization; we are not there yet in ONAP, we focus on RBAC first. In the case of closed-loop automation, the role of risk-based authorization is a policy development mechanism that does the pre-analysis of what the risk is for an individual; the other part is enforcement. In SBA (Service Based Architecture), in the service mesh, we have policy enforcement. Use cases: slice management and 5G super blueprint.

We have an agreement on a new service mesh based architecture.

Status: ongoing. Solution: We keep it as an idea backlog for the next few months.

Software BOMs, Hardware BOMs - Muddasar

HW BOMs: inventory of the status at a station. Requirements for the deployment are to be defined (PNF or VNF, is the HW supported at the station).

Status: ongoing. Solution: Muddasar to prepare a draft proposal within the next 1 or 2 weeks.

Next steps for Infrastructure Logging Requirements – Bob, Separate calls (Amy) to work through the logging requirements for ONAP components

Holistic view on the security logging lifecycle. The first meeting was held last week to discuss logging requirements. Security events have to be logged, but there are other types of events that have to be managed as well. Notes are collected here: ONAP Security Event Management - DRAFT.

We know where the logs can be generated. The key point is to define where the logs should be put together and in what format. What are the use cases in ONAP for data consumption?

Difference between orchestration logging and xNF logging.

Status: ongoing. Solution: To be further discussed at the Architecture Subcommittee.

Update from LFN

Ticket statuses to be checked, probably no update.

IT-22333 by Pawel

IT-22334 by Thierry

Info from Jess: 

Working on IT-22334 first. It might seem that modifications to the current Jenkins template might be all we need for this solution, but I want to leave this open in case it is not.

Status: ongoing. Solution: Jessica was asked for a status update.

Seccom criteria for the integration tests to pass a release – Eric

  • Add Python and Java version checks
  • Achieve 100% level
  • Follow exception process if relevant

Status: ongoing. Solution: To be presented at the TSC meeting

Last PTLs meeting: for the security testing we score at 40% as of today:

  • nonssl_endpoints (NOK)
  • unlimitted_pods (NOK)
  • root_pods (NOK)
  • jdpw_ports (OK)
  • kube_hunter (OK) -> to be moved to infrastructure

We need to define which % of security tests passing is acceptable to release.

False positives are defined in the script. The list must be enriched with Java and Python version checks.

We should have a 100% objective result. How to deal with unmaintained components is still open.

A project would provide an exception proposal that would then be validated.

The case of ESR-type components should be decided by the next release at the very latest.

Status: ongoing. Solution: The target % value per release is to be finally agreed at the next SECCOM.

CII Badging update - Tony

A few (3 or 4) projects should add ONAP wording to their description, as they do not show up in the CII Badging dashboard.

Status: ongoing. Solution: Slot to be booked at the next PTLs meeting:
  • Our target is to add Java and Python version testing and reach 100% to release.
  • Please update the statuses of your Jira tickets for SECCOM Global Requirements.

Status: ongoing. Waiting for a list of projects not participating in the Istanbul release.

ESR Waiver

Currently 3 use cases are using ESR:

  • ETSI alignment (AAI external system directory API)
  • Network slicing (ESR server), but can use the AAI external system directory API
  • CCVPN case (using ESR GUI server); they can use AAI sending a notification to DMaaP, which SDNC and VFC can pick up

So currently ESR is in maintenance mode but could become obsolete. If nobody is using ESR, let's remove it from the Istanbul release.

Status: ongoing. Solution: Byung to check with CCVPN whether they will use AAI.

Software BOMs, Hardware BOMs - Muddasar

Presentation: SBOM_DBOM.pptx (attached file)

Status: ongoing

Dependency confusion attacks vs. ONAP SW build process

Packages are downloaded from the Internet for ONAP. To be further elaborated with Bob and Samuli.

Status: ongoing. Solution: E-mail to be sent to the SECCOM distribution list / ONAP distribute.

Update from LFN 

(IT-22333 by Pawel, and IT-22334 by Thierry)

  • Waiting for Thierry's return

Status: ongoing

Code quality and SonarCloud

Achievements to be presented to TSC

Status: ongoing. Solution: Pawel to work with Fabian to present progress and achievements to TSC in this domain.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 3rd OF AUGUST '21. SBOM/HBOM continuation.

Recording:

2021-07-27_SECCOM_week.mp4 (attached file)

SECCOM presentation:

2021-07-27 ONAP Security Meeting - AgendaAndMinutes.pptx (attached file)