
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 17th of August 2021.

Table columns: Jira No | Summary | Description | Status | Solution

Last TSC meeting
  • Fabian presented the Code quality and SonarCloud – achievements deck
  • Seshu volunteered SO for the PoC in Jakarta
  • Conversation on code coverage that applies only to new code
Status: ongoing
Solution: Work with Seshu and Jess on PoC preparation.

Last PTLs meeting

Finally executed, but the SECCOM message remains:

- Status update for the Global Requirement (https://jira.onap.org/browse/REQ-863):

- Thank you to all the projects taking part in the recommended package upgrades.

- All other projects not compliant with this requirement will have issues with SECCOM acceptance to be part of the Istanbul release.

Status: ongoing
Solution: Close tickets for projects not participating in the Istanbul release - done.

Software BOMs, Hardware BOMs - Muddasar

We follow the PoC idea: first we take a look at the CI/CD pipeline, collect the data and store it as we want it. We also need to identify who the consumer is in the ONAP framework; we will have to select one of the three formats discussed during the last session.

Can an SBOM be created directly from Nexus?

The Hardware BOM is slightly different from a process perspective.

Status: ongoing

Solution:

Workflow for the pilot to be prepared by Muddasar.

Exchanges with Jess to be progressed - detailed request to be sent by Muddasar.


SECCOM criteria for the integration tests to pass a release

Just a reminder of the current status:

  • Current level of 40%
  • Achieve 100% level with TERN treated as informative
  • Follow the exception process if relevant
Status: ongoing

Security Risk Assessment and Acceptance – revisit Brian’s statement

To be discussed next week.


CII Badging update - Tony

To be discussed next week.


Dependency confusion attacks vs. ONAP SW build process

To be discussed next week.

Status: ongoing

Solution: Wiki page to be checked by Samuli.


SECCOM-269 is the epic for tracking security integration tests. It is blocked by the following project Jiras.

Status: ongoing
Solution: Some more waivers might be submitted.

LFN Security Group – focus, outcomes, contributions

Kick-off meeting scheduled on 18th of August.

  • ONAP story and security requirements for normalization
  • HTTPS enablement on interfaces (service to service), but sidecar-to-service-container traffic is HTTP based (reference: ONAP Next Generation Security & Logging Architecture)
  • Encrypted protocols
  • Events logged by ONAP itself, so the security health of ONAP could be monitored by the operator
Status: ongoing


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th OF AUGUST'21. 

Software BOMs

Logging requirements

Security Risk Assessment and Acceptance – revisit Brian’s statement

Dependency confusion attacks vs. ONAP SW build process




Recording:

SECCOM presentation:
