Versions Compared


Next meeting on May 6th, deck prepared and presented by Amy:

Table columns: Jira No | Summary | Description | Status | Solution

Summary: NSA proposal follow-up

Description: Meeting on May 3rd:

  • meeting was very informative: grow the ONAP platform in analytics and in reacting to events
  • one of the first steps from this session: logging requirements, AA in Kubernetes
  • NSA requirements are needed for the areas to be enhanced

Status: ongoing

Solution: Next meetings will be organized ad hoc. SECCOM weekly meetings will be regularly used. Amy will facilitate exchanges with Maggie and the NSA team.


Summary: Additional 2 resources from Orange to improve ONAP security

Description: Progress with SO – Fabian, first focus on the application performance issue. Several issues discovered due to SO development. Ongoing exchanges between the Orange developer and the SO PTL in the context of the performance issue.

Status: ongoing

Summary: ONAP security with the OPS 5G project

Description: Meeting US GOV OPS 5G Weekly Sync – Amy made the SECCOM presentation

  • Interest in service mesh architecture, open standards security models
  • Does SonarCloud find hardcoded passwords?

Status: ongoing

Solution: To be presented on May 6th: 2021-05-06_ONAPSECCOMOverview_v1.pptx

Summary: Additional resources from E///

Description: Last week E/// decided to put 2 additional resources on OOM to finish the service based duty – service mesh security. Inputs will be expected from SECCOM, Architecture and OOM + Maggie, Michael and NSA. More details to come.

Status: ongoing

Summary: ONAP CII discussion – last PTL meeting

Description: Requirement: There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

Status: ongoing

Solution: Slot to be booked at the next PTLs meeting to present this issue.

Summary: SonarCloud answers for our questions

Description: Please refer to slides 4-7.

Status: ongoing

Solution: We will discuss the answers next week. Questions to be considered by the ONAP community as a special focus in the Istanbul release:

  • application weak cryptography,
  • server side request forgery,
  • XML external entity,
  • cross site scripting

Summary: SonarCloud questions review

Description: Permission problems – Jess to rely on the community. API documentation link – impossible to build up the API call Tony needed, but Tony used sniffing and succeeded in building the API call he needed.

Status: ongoing

Solution: E-mail to Jessica was written.

Summary: Logging management follow-up

Description: Fabian prepared slides with the logging architecture. Some requirements for logging are in scope of security and some are more general (and outside of the security domain). Bob did the summary of the logging specs and shared it with SECCOM via the distribution list.

Status: ongoing

Solution: We can start with the simple requirement. The slide draft shall be presented at the SECCOM and then presented to the Architecture Subcommittee – Amy will share the logging requirements slide deck: 2021-02-22_LoggingRequirementEvents_v9.pptx

Summary: Continuation of discussion on Fabian's comment on logging management

Description: Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationID

Status: ongoing

Solution: Fabian to present the most recent logging management architecture to the Architecture Subcommittee. Bob to elaborate on the link provided. An internal F2F meeting is needed by the end of the month. Log management via stdout, normal log for exploitation (format and information inside) and finally security logs (important for SECCOM). Logs need to be kept simple. Bob's feedback on logging requirements and the container matrix: feedback to be provided in a couple of weeks by Bob.

ongoing

Service Based Mesh security architecture to be shared via the SECCOM distribution list by end of Monday.


Summary: NEXUS-IQ – SCA analysis outputs

Description: Analysis almost done:
  • List of recommended package versions
  • Some packages are still scanned although planned to be unmaintained (example: policy-engine)
  • PTLs were contacted for failing Jenkins jobs and tickets are created. For the Swagger related update we have no newer recommended version.

Status: completed / ongoing

Summary: Logging as part of DCAE

Description: Could logging be just another source of information for DCAE? DCAE is analytic data. DCAE is not a common ONAP component. OOM considers logging as a common component.

Status: ongoing



Summary: Direct vs. indirect dependencies with container scans

Description: Open a ticket at Sonatype (IT-22048) for direct vs. indirect dependencies with container scans.

Status: ongoing


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 18th OF MAY'21.





Attached file: 2021-05-11_SECCOM_week.mp4

SECCOM presentation: 2021-05-11 ONAP Security Meeting - AgendaAndMinutes.pptx