2023-02-07 Security Subcommittee Meeting Notes

Please find below the minutes and recording for the SECCOM meeting that was held on the 7th of February 2023.

Jira No | Summary | Description | Status | Solution


TSC meeting (2nd February)

TSC agrees in principle to form a special squad or task force to manage changes to projects that lack a PTL. Participants and details are to be determined.

Chaker is leading the meeting at the ArchCom later today.

PTL meeting (6th February)

Review of Release Management tasks – continued

Unmaintained projects update

Jira tickets were issued for the repos (34!) with no changes in the last 12 months.

Feedback received from 2 projects, one of them AAI and one Sparky related.

Projects under OOM removal and from the official architecture Wiki page (list from Byung):

• AAF
• Logging
• Music
• VID
• APPC
• TOSCA Parser
• DCA Design Studio
• CDS (@SDC)
• Portal

• CLAMP (still shown as a subcomponent)
• NBI / External API
• DMAAP / Strimzi
• “Base components” (e.g. Strimzi Operator, Keycloak, OAuth Proxy, CertMgr, …)

List from Amy:

• Multicloud
• VVP
• OOM
• AAI
• SDC
• SDNC
• CLI
• VNFSDK
• Integration
• SO
• VFC

Logging security discussion

Problem of multitenancy and . SDC is doing tenant isolation by adding a tenant attribute in logging.

Focus on node-level logging.

The namespace is treated as the object that would get privileges.

We treat multitenancy in the sense of ONAP running as a Service.

CPS Security review questionnaire by Tony

CPS provided their feedback.

CPS - ONAP Security Review Questionnaire

ongoing

We should now review the answers and provide comments by February 21st; the CPS team could be invited to SECCOM on February 28th.



Adoption of security practices

TAC meeting will be addressing it on Wednesday.

• SBOM autogeneration with full depth
• signing artifacts - Maven Central does not support Sigstore - to be elaborated
• ORAN Alliance has some signing recommendations already

LF IT is the entity that should implement SBOM tool insertion for all LF projects.



NTIA recommendation on integrity protections for SBOMs to be reviewed by Amy.



NIST has also just joined the ORAN Alliance.

https://www.nist.gov/news-events/news/2023/01/nist-joins-alliance-promote-open-wireless-technologies-and-supply-chains
https://www.theregister.com/AMP/2023/01/26/nist_5g_open_ran/

SECCOM MEETING CALL WILL BE HELD ON 21st February 2023.

CPS Security questionnaire review by SECCOM.

Recordings:

2023-02-07_SECCOM_week.mp4



SECCOM presentation:

2023-02-07 ONAP Security Meeting - AgendaAndMinutes.pptx