Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Please see the Minutes of Meetings and recording for the  SECCOM meeting that was held on 5th of November 2019.

Jira No
SummaryDescriptionStatusSolution

OJSIs summary for El Alto release:

Krzysztof summarized projects and their attitude towards OJSIs security tickets handling:

Still 38 OJSI tickets related to HTTP open while we expose only ~20 HTTP ports. We can close almost half as soon as we get the commit hash-id

Worst performing projects
  • CLI
    • 4 OJSI tickets open
    • 1 ticket with CVE
    • No activity at all
  • Logging
    • 9 OJSI tickets open
    • 1 ticekt with CVE
    • Very limited activity
  • MSB
    • 11 OJSI tickets open
    • 1 ticekt with CVE
    • No activity at all
Could be improved
  • APPC
  • DMAAP
  • INT
  • SDNC
  • SO
Please follow them
  • CLAMP
    • Average response time ~1 day
    • More advanced fixes provided in less than a month
  • Policy
    • Prompt response
    • Following the procedure
    • No open issues.
  • Portal
    • Recognition for the hard work
    • Not everything fixed yet but good progress made


SECCOM-258 - Getting issue details... STATUS

Improve security documentation in Frankfurt

Initiate a work item for Security Architecture documentation

  • secure communication targets for Frankfurt
  • Authn/Authz architecture
  • PKI
  • Communication matrix

Harald has created a wiki page based on F2F meeting



REQ-255 - Getting issue details... STATUS

ISTIO work in Frankfurt

-Intel completed a POC for ONAP4K8S profile and will continue that for R6

Need to assign Jira to Intel

Frankfurt Security Release Manager support

-SDNC fix for the 3 remote code execution vulnerabilities through integration with AAF

-Release management help projects manage OJSI resolution – determine resource needs, track progress, raise issues

Need Release Manager support for both activities


-Review of El Alto key deliverables

-Known vulnerabilities analysis - ongoing

-Synch with Portal team on their components upgrades – it seems that only few were upgraded – feedback from Portal team received under jira ticket.

-OJSI tickets tracking – Jim/Pawel/Krzysztof/Amy

  • OJSI Dashboard - Krzysztof
  • Krzysztof investigating the optimal way to incorporate the test

-CII Badging updates – first positive feedbacks

-Communication matrix – ongoing exchanges with VijayKrzysztof’s scripts would be very helpfull (both local host and external world)

-Recommended upgrades – see presentation

-Nexus IQ vs. Whitesoftware

  • Waiting for Dan’s feedback for effectice/ineffective
  • Waiting for Renan’s analysis for WS results – work ongoing
  • LFN is willing to add all ONAP projects under WS jenkins jobs

-ODL synch meeting was finally organized  on 10th of October – MoM were prepared and shared with participants:  1. Dan shared the link to ONAP ODL MVP, 2. Luis will now compile the package based on MVP scope to avoid potential issues with licensing.3. Once ODL customized package is shared with ONAP (Dan), Jessica will work on preparation of Jenkins jobs with Nexus-IQ scanning, 4.Once it is done Amy will create vulnerability tables and we will organize a next call with ODL team to review findings, discuss priorities and assess whether it is ODL or upstream vulns.

-What do we do with MSB or other kind of projects? – security implications…

  • Meeting with Huabing from MSB was done – action was agreed on his side to contact VFC and Multicloud projects to synch on

Action with TSC was taken! List of projects with lack of reaction on security best practices to be provided.



-

 Alpine recommended version

Jonathan suggested to have Alpine with JDK 11 embedded.

E-mail was sent to Morgan and Brian for consultancy.




Synch call with SDNC for OJSIs

It was agreed that organization of conf call should be more efficient - e-mail was sent to Dan to setup the call - waiting for his feedback.




  • No labels