...
Jira No | Summary | Description | Status | Solution | NSA proposal follow-up | Meeting on May 3rd:
| ongoing | Next meetings will be organized ad hoc. SECCOM weekly meetings will be regularly used. Amy will facilitate exchanges with Maggie and NSA team. | |||
---|---|---|---|---|---|---|---|---|---|---|---|
Additional 2 resources from Orange to improve ONAP security | Progress with SO – Fabian, first Focus on performance application issue. | ongoing | ONAP security with the OPS 5G project | ongoing | To be presented on May 6th | ONAP CII discussion | Requirement: There Additional resources from E/// | Last week E/// decided to put 2 additional resources to OOM to finish service based duty - service mesh security. Inputs will be expected from SECCOM, Aschitecture and OOM +Maggie, Michael and NSA. More details to come. | ongoing | ||
Meeting US GOV OPS 5G Weekly Sync – Amy made SECCOM presentation | -Interest in service mesh architecture, open standards security models -Does SonarCloud find hardcoded passwords? | ongoing | |||||||||
Several issues discovered dues to SO development. Ongoing exchanges between Orange developer and SO PTL in the context of performance issue. | ongoing | ||||||||||
ONAP CII discussion – last PTL meeting | There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days. | ongoing | Slot to be booked at the next PTLs meeting to present this issue. | SonarCloud answers for our questions | Please refer to slides 4-7. | ongoing | We will discuss answers next week Questions to be considered by ONAP community as special focus in Instanbul release:
| ||||
SonarCloud questions review | Permission problems - Jess to rely on community. API documentation link - impossible to build up API call Tony needed, but Tony used sniffing and succeeded in building API that he needed. | ongoing | E-mail to Jessica was written. | ||||||||
Logging anagement follow-up | Fabian prepared slides with logging architecture. Some requiremets for logging are in scope of security and some are more general (and outside of security domain). Bob did the summary of logging specs andshared with SECOM via distribution list. | ongoing | We can start with the simple requirment. Slide draft shall be presented at the SECCOM and then presented to Architecture Subcommittee - Amy will share the logging requirmeents slide deck. | Continuation of discussion on Fabian’s comment on logging management | Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationIDMDC-InvocationID | ongoing | Fabian to present most recent logging management archiecture to Archiecture Subcommittee. Bob to elaborate the link provided. | needs to have internal F2F meeting by the end of the month. Log management via stdout, normal log for exploitation (format and information inside) and finally security logs (important for SECCOM). Logs need to be kept simple. Bobs feedback on logging requirements and container matrix. Feedback to be provided in couple of weeks by Bob. | ongoing | Service Based Mesh security archietcture to be shared via SECCOM distribution listby end of Monday. | |
NEXUS-IQ – SCA analysis outputs | Analysis almost done: | ongoing | |||||||||
Logging as part of DCAE | Logging could be just another source of information for DCAE? DCAE is analytic data. DCAE is not a common ONAP component. OOM consider slogging as a common component. | ongoing | |||||||||
Direct vs. indirect dependencies with container scans | Open a ticket at Sonatype (IT-22048) for direct vs. indirect dependencies with container scans. | ongoing | |||||||||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 18th OF MAY'21. |
...
View file | ||||
---|---|---|---|---|
|
SECCOM presentation:
View file | ||||
---|---|---|---|---|
|