Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Child pages (Children Display)

1. Introduction

The ONAP Security Best Practices is a list of Best Practices recommended by the ONAP sub-committee.  These best practices have the following states:

...

•Basic introduction can be found here: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md
•Silver/Gold criteria can be found here: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md


As additional information, the The CLAMP project has been wrote about their early experiences applying the CII badging program procedures.  Their experience is , captured here: https://wikilf-onap.onapatlassian.orgnet/wiki/display/DW/ONAP+security+Recomendation+Development?src=contextnavpagetreemode 

ProjectProgressProjectProgress
CLAMP

Image Added

DCAE

Image Added

Policy

Image Added

CCSDK

Image Added

AAF

Image Added

SDNC

Image Added







3. Credential Protection and Management

...

  • Meet with Coverity (schedule call, include Tony Hansen , someone from Linux Foundation) 
    • Will Scan integrate with Gerrit? (Coverity Scan tool indicates that it does integrate with Gerrit.)
    • Can it integrate with Jenkins (use resources from Linux Foundation to assist)?
    • How long does it take to run a scan and get results?
    • Lead time with Coverity to use Scan?
    • Mass registration of all ONAP subcomponents (approximately 30 projects, 210 subprojects)?
  • Identify an open source project actively using Coverity Scan to get their feedback on the integration of Scan with their code development lifecycle
  • Determine whether or not the restrictions on scan frequency will cause a problem for any of the ONAP projects
  • Identify an ONAP project willing to test Scan (possibly CLAMP since they are also going through CII badging)
  • Integrate Scan with ONAP code development (if Scan is determined to be a viable product)

5. Security of the xNF Package and the Artifacts

Status: Priority 1 approved by TSC

Priority 1: xNF Package Verification (Committed for Dublin as part of 5G use case)

Integrity of the xNF package needs to be verified prior to, or at the time of onboarding. The purpose is to ensure that the xNF package originates from the vendor, and that the content has not been tampered with. The verification is done against the signature provided by the vendor. Reference [ETSI NFV SOL004] contains the detailed specifications on VNF package. As of March 2019 this is being implemented for Dublin release in SDC and VNF SDK (VNF SDK includes partial implementation from Casablanca).

Priority 2: Integrity Verification at Instantiation (Release TBD)

Reference [ETSI NFV SEC021] is the main specification of this feature. As of March 2019 the status is 'final draft for approval', target date of publication is July 2019.
As of March 2019, ETSI NFV plans changes in [ETSI NFV SOL004] impacting this item: creation of signature per individual artifact in the VNF package (by the package vendor) is planned to be mandatory.

Priority 3: Service Provider Ability to Sign the Artifacts (Release TBD)

Reference [ETSI NFV SEC021] is the main specification of this feature. As of March 2019 the status is 'final draft for approval', target date of publication is July 2019.

References

[ETSI NFV SOL004]
ETSI GS NFV-SOL 004 V2.3.1 (2017-07)
http://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.03.01_60/gs_nfv-sol004v020301p.pdf

[ETSI NFV SEC021]
The latest draft can be found in: https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=53601