2022-05-03 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 26th of April 2022.

Summary	Description	Status	Solution
Vulnerable package reportion automation	Presentation provided by Brianna and Bert. Great job (150 hours → 2 hours)! Safes a lot of manual work for us. Enhancements for the future: flag for failing CLM scanning jenkins job (older than 1 week) CVE list with threat levels ratio remove _xD000_ for CVE's names log4j-core recommended version to be updated into 2.17.1 usage of Wiki reference with recommended versions as single source of true as dynamic configure other jobs option - non master that would be usefull for Maintenance Release analysis additional tab with unstructured data	ongoing	import excel into confluence: https://community.atlassian.com/t5/Confluence-articles/How-to-import-an-excel-file-into-Confluence-using-Elements/ba-p/1672151
LFN Developer & Testing Forum	Event June 13th-16th Porto, Portugal Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/	started
	SECCOM topics proposal: SECCOM retrospectives: Log4j fix implementation in Istanbul Maintenance Release Jakarta security status update Kohn security goals : Global Requirements and Best Practices Security PoCs: logging req code quality service mesh SBOM enablement and maintenance, and packaging Waiver policy update Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung. On the road to gold badge - Tony and Toine Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian? Security principles in the implementation – Tony, Maggie	started	Remaining topic proposals to be submitted. Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration. Fabian to check if could contribute on how qualify software to be deployed, what duediligence was performed.
OSA documentation update per release	Thomas asked for a branch to be created for Jakarta	started	Pawel to
Last PTLs meeting – 25th of April	ONAP unmaintained and deprecated functions – Amy – presentation of updated version at PTL yesterday RACI matrix by Muddasar – waitig for a feedback from PTLs and Chaker Update on failing security tests below: Synch with OOM: Security dashboard: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-04/18_06-28/ and Versions reporting: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-04/18_00-27/ latest run by Michal for the weekend Failing security tests: fix nonssl_endpoints in Jakarta release: 1.SDC-3954 - open 2.SDNC-1692 - done 3.OOM-2957 – open – reassigned to Fiachra fix root_pods in Jakarta release: 1.OOM-2958 – open - reassigned to Fiachra 2.INT-2104 – in progress
Unmaintained Projects	Amy to present unmaintained project deck to Architecture subcommittee on 3 May and TSC on 12 May.
logging PoC report	Ajay (Ericsson) is working on the connection between FluntBit and ElasticSearch. He is leaving Ericsson end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan.	ongoing
SBOM: patch to add the path for VES	https://gerrit.onap.org/r/c/ci-management/+/128405 -Jess is trying to validate the procedure	ongoing	Muddasar to share e-mail that Vijay shared with Jess.
CPS gold badge	Dedicated meeting to be scheduled – 2 tickets created at LFN IT: IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP IT-23829 Hardening LFN hosted ONAP project web sites – good progress Gerrit has now been updated to receive and A grade on securityheaders.com (thanks to this change we will be getting this on all of the Gerrit we operate as the systems pick up their updates). We are still working on getting the headers fixed for the nexus systems (getting a C) as well as the wiki and jira systems (getting an A but could be stronger).		Next focus on Nexus to get A grade.
LFN white paper 5G E2E security	https://lfnetworking.org/wp-content/uploads/sites/7/2022/04/LFN-Security-Whitepaper-v4.pdf?utm_campaign=LFN%20Newsletter&utm_medium=email&_hsmi=210819121&_hsenc=p2ANqtz-8l0-nc3Y9V0NGaQ63h3EBkuxAT5KxkeHGJJ_bM7pbtql_aQEOQvjeTpEsJrDmEQCzJ2c2Ar7yeIU45g9PD0JX30oKCkQ&utm_content=210819121&utm_source=hs_email
MFA for ONAP	Discussed whether MFA should be natively supported by ONAP. Users of ONAP will likely want to integrate with their own identity and access management (IAM) platforms ONAP could provide out of the box integration with an open source IAM platform such as KeyCloak
5Y review	tp be presented on May 9th to PTLs.		slot to be booked for Tony at the PTLs meeting by Pawel.
OpenSSF intro by David Wheeler	Link to recording and slide deck: https://wiki.lfnetworking.org/display/LN/LFN+Security+Forum review for the near future – are our pipeline or processes optimal?	to be done
NIST 5G Cybersecurity draft document	https://csrc.nist.gov/publications/detail/sp/1800-33/draft	started	to be addressed at the next SECCOM
Kohn SECCOM Global Requirements	-[REQ-437 -> REQ-800 ] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8) -[REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11) -[REQ-439 -> REQ-863] -> REQ-1066 -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES -[REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL	started	Logging requirment - target full PoC for Kohn and then Global Requirement for London release.
SECCOM MEETING CALL WILL BE HELD ON 10th OF MAY'22.

Recording:

audio1768328159.m4a

video1768328159.mp4

SECCOM presentation:

2022-05-03 ONAP Security Meeting - AgendaAndMinutes.pptx

Attendees: