Please find below the minutes and recording of the SECCOM meeting that was held on 14th of September 2021.

Jira No | Summary | Description | Status | Solution

Jira No: REQ-801, REQ-800, REQ-863, REQ-443

M4 update

  • Java upgrades - good progress.
  • Python upgrades - good progress as well.
  • Package upgrades - very good progress - 16 tickets closed already - vulnerabilities removed: 679/776 (based on tickets). Still some projects that did some upgrades but have no update on the restricted Wiki.
  • New Sonatype function to filter direct vs. transitive dependencies.
  • Weak cryptography and injection items - excellent progress. There are still a few open (projects no longer maintained - e.g. Portal).
  • For Jakarta, a few other items that SonarCloud highlights - Jira tickets to be written for those (blocking and critical).

Status: ongoing

Solution:

  • To be checked if we have waivers for all remaining tickets.
  • PTLs meeting shall address the gaps on the restricted Wiki.
  • Projects with open status on their Jira tickets to be elaborated.
  • Will Portal be excluded from future ONAP releases? - Byung to investigate.

Software BOMs

Documentation review - Nexus account manager contacted. It is part of the Nexus product lifecycle licence (CycloneDX format). APIs for info extraction to be checked.

Access to Nexus-IQ server - what group shall be used for that - REST API calls are possible now - will be used for SW BOMs.

Status: ongoing

Logging requirements

Almost 50% of the metadata fields defined - good progress.

Some of the GitHub repos have md (markdown) files with a good description of logging - SO is a good example.

and Python - waivers issued after PTLs' meeting. Merges issued by SECCOM.

Strong improvement from the Honolulu release.

To create a best practice for standard integration images, so we could get rid of old Python and Java.

Security scans 100% → 57% - to be further investigated.

https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-09/14_13-40/

The gaps on the restricted Wiki shall be covered by the respective PTLs.

Status: ongoing

Solution:

Plan for Jakarta for progress to be requested from waivers.

Amy will create slides for that in the next 2 weeks.

To check with Morgan the current security scans and potential actions to improve.

Software BOMs

Nexus-IQ server was upgraded to the latest version - it now has some capability to extract Software BOMs, but some information is still missing.

Status: ongoing

Solution: Muddasar to research how the missing information can be collected (plugin to be used?).

Logging requirements

Final set of metadata fields: which ones would be provided by the logging service and which by developers. PTLs invited for Friday's meetings.

Welcome Sean, who is helping in prototyping for SW BOMs.

Status: ongoing

Dependency confusion attacks vs. ONAP SW build process

Bob had exchanges with Jess on filtering rules and dependency management software.

We put this item into the backlog - we have no resources to lead it.

Status: on hold

Solution: To be further elaborated with Samuli.

Feature request template

Alla

Security Risk Assessment and Acceptance

Guide for threat modeling for developers:

https://martinfowler.com/articles/agile-threat-modelling.html

Excel table that was initially prepared 3 years ago to be shared and reviewed at the next SECCOM; frameworks to be reviewed as well (NIST and ISO).

Status: ongoing

Solution: Muddasar to be introduced to Alla by Pawel.

We would like to get some help from the guys who are doing the actual development.

Excel file shared with Brian; Amy also shared framework info on two references for threat modeling:

1. ISO 27005: https://www.iso.org/standard/75281.html

2. NIST Special Publication 800-154, Guide to Data-Centric System Threat Modeling: https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf

Status: ongoing

Do we have a data map to show elements moving through the system?

Last PTLs meeting

Good progress on fulfilling global requirements from SECCOM.

Fabian presented the status of code quality:

  • we need to create a page in Confluence to describe the way to improve quality (page directly under SECCOM)
  • we need to open another ticket for services hosting
  • Jira tickets for Python and Java were updated

Status: ongoing

Solution:

Pawel to create the page: ONAP code quality improvement

Fabian to create a Jira ticket for LFN IT:

https://jira.linuxfoundation.org/plugins/servlet/theme/portals


Feature intake template

Muddasar was introduced to Alla, who is leading the ONAP Requirements Subcommittee, to be contacted to provide details.

Status: ongoing

We need to have a standard template for the feature to be accepted (visibility, security and usability sections should be there).

Status: ongoing

Solution:

To create a Jira ticket template.

To be checked if the feature-specific information is further tracked.


Last TSC meeting

  • TSC voted to approve M3, 90% of issues closed due to good progress
  • 16th of September for M4 gating
  • Jakarta release and timeline discussed
  • Michal Jagiello – new PTL for integration

Status: ongoing

Code quality update

Status to be checked; there were some exchanges with Thierry and Jess.

Status: ongoing

Solution: Slide to be presented at the next PTLs meeting.

Last PTLs meeting

Meeting was cancelled (Labor Day in US).

Status: ongoing

Solution: Slot to be booked for the next PTLs meeting.

  • elections, nominations close on September 21st
  • Nominations for Honolulu awards extended to September 17th
  • Spark in New Zealand going with ONAP in production

Status: ongoing

Jakarta SECCOM requirements

Apart from the current global requirements, we might want to follow other requirements:

  • Security logging as best practice for Jakarta; it is not exactly REQ-441

Status: started

New requirement to be created for security logging, but PoC with CPS or best practice for Jakarta.

This item to be discussed with Byung at Friday's meeting.

How is info.yaml generated?

Status: ongoing

This item to be discussed with PTLs at Friday's meeting.

CADI and AAF replacement

DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee.

Status: ongoing

Solution: Byung to present an update at the next SECCOM.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 21st OF SEPTEMBER'21.

  • M3 update - waivers review
  • Software BOMs
  • Logging requirements update
  • Security Risk Assessment and Acceptance – review frameworks and old Excel file
  • Dependency confusion attacks vs. ONAP SW build process - sync with Samuli
  • Code quality update
  • CADI and AAF replacement

Recording: 2021-09-14_SECCOM_week.mp4

SECCOM presentation: 2021-09-14 ONAP Security Meeting - AgendaAndMinutes.pptx