Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Slides prepared and reviewed by Amy:

Common logs management turned into PoC.

Jira No
SummaryDescriptionStatusSolutionHonolulu SECCOM requirements

ongoingTo be presented at the LFN event within Requirements Subcommitee review.Instambul SECCOM requirements
  • Packages upgrades
  • CII Badging - crypto verification private and implement secure design
  • PoC Security documentation and assurance cases:with DCAE and CPS
  • Integrate SonarCloud crypto findings as an integration test
  • Integrate SonarCloud coverage results as integration test: block on decreases in code coverage, provide exception process
  • PoC Service Mesh
ongoingSlide to be updated and shared with Alla.Service Mesh PoC status updateNew release of Kubernetes to be integrated. Some issue with Envoy.

Sonarcloud crypto takeaways

Weak crypto report from Sonarcloud. Jiras to be opened. How to get a report with API to be figured out. 5 cathegories of findings: certificate validation, host name of certificate, using secure mode and padding, using weak protocols, encoding passwords as plain text.  

Logs management – what to do next?

We come back to this topic during next meeting (in February 9th)LFN event

2 presentations provided:

  • packages upgrades (Amy, Vijay and  Pawel)
  • CII Badging (Tony)

Feedback from Kenny on maintaining historical data on CII Badging answers - done by Tony.

done

Slides on SECCOM requirements to be presented at the next Requirements Subcommittee meeting on Monday February 15th. 

POM file version to be provided to PTLs.

Exception process with deadline before RC0.


ONAP Log security management

Fabian shared his presentation:

View file
nameONAP Logs Security Managment1.pptx
height150

2 types of basic image hardening. It was done by Morgan (for both java and python).

PoCs with SPC (brand news project) and Policy (project which already took efforts to integrate with logging and uses stdout aready!) proposed to move forward.

ongoing

Next steps 

Deploy logging architecture

Analyze events linked to threats




Morgan to be consulted with standard images.

To be confirmed if Policy uses a standard image - not yet but planned to use in Honolulu release.


Anuket - new project

Update from Samuli:

Anuket and XGVela: define common PaaS services. Anuket: the basic PaaS services, XGVela the telco specific.
Presentation on Feb 3rd : “Beyond IaaS/CaaS for Cloud Infrastructure in RM”; Walter Kozlowski, Petar Torre, Pankaj Goyal, ..  Slides: https://wiki.lfnetworking.org/download/attachments/50528563/Platform_Services_Beyond_IaaS_CaaS.pdf?version=2&modificationDate=1612116560000&api=v2 .
Minutes, & assume also link to recording will be here: https://wiki.lfnetworking.org/x/MwEDAw 
Summary:
Anuket (merge of CNTT and OPNFV) aims to define common PaaS services for telco CNF platforms!
There was discussion of what services could those be (see a draft/example list on slide 6).
There was also discussion on how deep Anuket can/shall go, see slide 9. Eg: specify only the service type, or the concrete CNCF service like Prometheus, also the version, also the usage ie ‘common data model’ like written on slide 9.
Motivation: to avoid operators to have a lot of integration work of CNFs. Eg: CNFs are using various logging.




OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 16th OF FEBRUARY'21. 




...

View file
name2021-02-09_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2021-02-09 ONAP Security Meeting - AgendaAndMinutes.pptx
height150