Versions Compared

Version Old Version 3 New Version Current
Changes made by

Paweł Pawlak

Paweł Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To be decided at the next SECCOM.

Scope of the PoC to be proposed.

Muddasar to be added to e-mail exchange with Bob and Jess.

Jira No
SummaryDescriptionStatusSolution

Last TSC meeting
  • Fabian presented Code quality and SonarCloud – achievements deck
  • Seshu volounteered SO for PoC in Jakarta
  • Conversation on code coverage that applies only to new code
ongoingWork with Seshu and Jess on PoC prepration.

Last PTLs meeting

not Finally executed, but SECCOM message remains:-

-
  • Thank you all the project taking part of recommended packages upgrades.
-
  • All other projects not compliant with this requirement will have issues with SECCOM acceptance to be part of the Istanbul release.
ongoingto close tickets for projects not participating in Istanbul release - done.

Software BOMs, Hardware BOMs - Muddasar

Options to be discussed next week i.e. the format to use (3 formats discussed last time), authorship (with company affiliation for accountability).  

First software side to be moved forward and then to be followed by hardware BOM.

PoC proposal by Fabian - select some software module and define what is the atomic level, create BOM. Individual code contribution should be tracked back to individual name.

ongoing

Security Event Generation Requirements review (Byung/Chaker/Fabian/Amy):

ONAP Security Event Management - DRAFT

Major focus on generation and collection.

VES events are generated by service containers. We are focussed on platform containers logs generation.

Apache2 Web server has well defined message logging formats based on set of attributes.

Retention period is very operator specific.

Let's write logs to stdout and stderr.

ongoingLog file metadata part of the component to be elaborated.

We follow PoC idea - first we take a look at the CI/CD pipeline, collect the data and store it as we want it., who is the consumer in ONAP framework, we will have to select one of three formats discussed during the last session.  

Can SBOM be created directly from NEXUS?

Hardware BOM is slightly different from process perspective.

ongoing

Workflow for the pilot to be prepared by Muddasar.

Exchanges with Jess to be progressed - detailed request to be sent by Muddasar.


Seccom criteria for the integration tests to pass a release

Just a reminder of the current status:

  • Current level of 40%
  • Achieve 100% level with TERN treated as informative
  • Follow exception process if relevant
ongoing

Security Risk Assessment and Acceptance – revisit Brian’s statement

To be discussed next week.


CII Badging update - Tony

To be discussed next week

Progress in the applications.

One Jira ticket for weak cryptography issue, 3 in open state for AAF, VID and VNFSDK - but projects not participating in the release - their jiras should be closed.

Intern did a lot of analysis on the questions that have common answers and helping to work through various issues with those and provoded a final report. It should improve the scores for various projects.

ongoing

Tony to write 3 Jira tickets for projects to get them added.

Tony to close tickets for projects not participating in Istanbul release (i.e. VID).

Results to be sent to David McBride.


Dependency confusion attacks vs. ONAP SW build process

To be discussed next week.No updates on the Wiki...

Bob will work this week and trying to check filtering rules with Jess for this type of threat. 

ongoing

Wiki page to be check by Samuli.

Code quality and SonarCloud – achievements deck prepared by Fabian to be presented to TSC on August 12th.

Slot is booked and slides uploaded. Fabian is ready to present the deck to TSC.ongoing

SECCOM-269 is the epic for tracking security integration tests. It is blocked by the following project jiras.

ongoingSome more waivers might be submitted

Bob to contact Jess.


Logging requirement - update from Friday's meeting

Anything that is not a container is exluded. Container run time level will be part of best practices aspect.

Review of the table what to include in the application logging and what to include in the container deamon logging.

Log format was discussed.

Decision taken on trying to put current 13-14 requirements in the template format, to make it easy for users and projects to adapt to it.

Container scope was discussed - K8s part of the container and container only Docker.

ongoing

Long format to be on next Friday's meeting.





OOM feedback to be collected on K8s and Docker coexistance.. Byung to send an e-mail to Krzysztof and Sylvain.


Logs consumption

Context delivery for the logs by tagging. Currently we are focusing on logs generation and collection but later will will have to cover processing. APIs availability to bring the data back in to make an action.

Lot o data collected in DCAE, decision can be taken outside of ONAP system.

ongoing



Maggie could provide some inputs.


LFN Security Group – focus, outcomes, contributions

Kick-off meeting scheduled on 18th of August.

  • ONAP story and security requirements for normalization
  • HTTPs enablement on interfaces (service to service) but sidecar to service container is http based. (reference: ONAP Next Generation Security & Logging Architecture)
  • Encrypted protocols
  • Events logged by ONAP itself, so security health of ONAP could be monitored by operator
ongoingDefault setting for software configuration to be reviewed i.e. TCP window x, autonegotiate network parameters by default.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th 24th OF AUGUST'21. 

Software BOMs

Logging requirements

Security Risk Assessment and Acceptance – revisit Brian’s statement

Dependency confusion attacks vs. ONAP SW build process



...