"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criteria [security-review G]

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations
Yes. The majority of DCAE committers and the PTL are generally familiar with secure software development practice and experienced in vulnerability resolution. The CLM scan reports and OJSI tickets are periodically assessed by the same PTL/committers. (Based on managerial assessment of the committers' knowledge.)

<Muddasar> Are there any efforts/means within the DCAE team to ensure all contributors and committers are familiar with Sec-SDLC practices?

CLM

CLM scans and OJSI tickets are reviewed; what is the efficacy of such reviews? Is it reducing downstream discoveries of issues?

Implement Secure Design

Do the committers and PTL apply secure design principles when reviewing software for merging?

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations
Yes, DCAE PTL/committers do review for adherence to secure design principles before merging code. (There is a checklist that committers should be following that includes looking at secure design issues.)

<Muddasar> Is this done based on memory or based on a checklist/helper app?

...

If so, please provide a URL to the pages on wiki.onap.org or onap.readthedocs.io  or docs.onap.org that have the architecture or high level design. If not, please describe the high level design here using one or more paragraphs.

...

If so, please provide a URL to the page(s) on wiki.onap.org or onap.readthedocs.io. If not, please describe the security requirements here using one or more paragraphs.

...


These are the security requirements that the software is intended to meet.

There needs to be:

  • a description of the threat model,
  • clear identification of trust boundaries,
  • how the software expects to deal with the threat model and trust boundaries.


TBA: verbiage along the lines of "the design doc should include how the component intends to implement the high-level ONAP security requirements found here".

[documentation_security S]

...

Your Answer - Please Describe | SECCOM Feedback / Recommendations
Yes. Documented under this wiki: DCAE Security Design & Assurance

<Muddasar> The description is clear on the link provided. It is a good effort. Wondering if this information is added to the DCAE user documentation. Also, CONSUL app protection and data protection should be considered somewhere; it is not in scope for DCAE, is it in scope somewhere else?

...

If so, please provide a URL to the page(s) on wiki.onap.org or onap.readthedocs.io that describe how the project meets its security goals. If not, please describe here (using one or more paragraphs) how the project meets its security goals.

...

Your Answer - Please Describe | SECCOM Feedback / Recommendations
Yes. Documented under this wiki: DCAE Security Design & Assurance

<Muddasar> The wiki does not constitute documented security requirements. It merely tells what the DCAE team usually does. This area can be improved to describe the security requirements and align them with how these are met.

<Amy Zwarico> SECCOM developed security requirements years ago.

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

The majority of DCAE services are compliant. There is no C/C++ code in DCAE repositories, hence the compiler-flag-related questions do not apply.

DL-Admin has a web (user) interface which is not compliant with all the hardening requirements listed; it also stores external DB credentials (TBD whether the data is encrypted/hashed when persisted in the DB).

<Muddasar> How should we measure security vulnerabilities stemming from unhardened code? Vulnerabilities discovered after the integration stage, or the release stage, maybe?

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

Yes, most DCAE components (collectors) support secure external interfaces, with the exception of SNMPTrap, which is based on the UDP protocol.

FTP (DFC) and HTTP (VES) are supported options but are disabled by default.

<Muddasar> SNMP version?


Crypto Verification Private

...