
Please see the Minutes of Meeting and recording for the SECCOM meeting that was held on 5th of November 2019.

Jira No | Summary | Description | Status | Solution

OJSI summary for El Alto release:

Krzysztof summarized projects and their attitude towards handling OJSI security tickets:

Still 38 OJSI tickets related to HTTP are open, while we expose only ~20 HTTP ports. We can close almost half of them as soon as we get the commit hash-id of the fix.

Worst performing projects
  • CLI
    • 4 OJSI tickets open
    • 1 ticket with CVE
    • No activity at all
  • Logging
    • 9 OJSI tickets open
    • 1 ticket with CVE
    • Very limited activity
  • MSB
    • 11 OJSI tickets open
    • 1 ticket with CVE
    • No activity at all
Could be improved
  • APPC
  • DMAAP
  • INT
  • SDNC
  • SO
Examples to follow
  • CLAMP
    • Average response time ~1 day
    • More advanced fixes provided in less than a month
  • Policy
    • Prompt response
    • Following the procedure
    • No open issues.
  • Portal
    • Recognition for the hard work
    • Not everything fixed yet but good progress made



ONAP security maturity assessment

Discussion held at the last PTL call yesterday.

PTLs claim that they are missing qualified security experts.

Idea of SECCOM badging provided per project and per release – discussion point.

SECCOM is perceived as a group of people pushing PTLs and the community to do some security related work, while it should be the other way around: PTLs should be asking SECCOM how they could improve their security.

SECCOM is not about project management and motivating people to do security.

We should introduce security badging or levels for ONAP projects: sit down together and define the requirements for each and every level, present those requirements to the projects, and at the end of each release perform the assessment and publish, on the release page of the project, the list of projects with their current security status.

KPIs defined with release security maturity should be used.

CII Badging combines multiple areas, including security.


It was agreed to continue discussion in 2 weeks time frame. SECCOM members are requested to provide their feedback.

Increased tests code coverage for future ONAP releases

Pierre's proposal:

- Define, for each project, the core parts that need intensive testing (an API-sensitive project might prioritize API testing so that all APIs are covered and hardened, and therefore robust).

- Concentrate coverage on those areas, even if coverage is lower on other parts, so that critical parts are better covered and tested.

This might improve OJSI resolution (and/or reduce findings), and it better focuses the testing effort based on available resources.

This would be even better if we could tell Sonar which parts of the code are the critical ones.

It was agreed to continue discussion in 2 weeks time frame. SECCOM members are requested to provide their feedback.

Synch meeting with Architecture Subcommittee

The meeting is scheduled today (5th of November at 4 PM UTC+1). Scope for the discussion:

- Ingress controller (Krzysztof)

- Security architecture document (Hampus)

- ISTIO/AAF discussion (Hampus/Srini)


As Natacha is not available, we will cover the communication matrix topic at the next synch meeting.

Synch call with SDNC for OJSIs

It was agreed that the organization of the conf call should be more efficient. An e-mail was sent to Dan to set up the call; we are waiting for his feedback.
