https://github.com/nephio-project/governance/tree/main/sig-security
October 31st:
SIG Security:
- Currently, Nephio meets 36% of the OpenSSF badging criteria; the target is 80% by EOY
- Byung is monitoring Nephio SIG Security and reported the current status to ONAP SECCOM; SECCOM asked why the target is 80% rather than 100%, and which 20% is missing
- Tony Hansen (ATT) from ONAP SECCOM suggested using his generic badging tool, http://tlhansen.us/badging/ , which shows consolidated badging data views, including Nephio's:
  - Click Single Project for the Open Source Security Foundation (OpenSSF) Badging Status Dashboard
  - Enter ‘Nephio’ as the project to search for and choose the Type+Section sort order
- Byung shared the tool site with the Nephio SIG Security team, with Tony’s approval. They seem to prefer this tool to the OpenSSF badging tool
- Tony is willing to provide more details to the SIG security team if necessary
- Lucy Hyde (LF, SIG Security team) is arranging a joint meeting with the LFN Security WG to ensure that Nephio employs security mechanisms in line with LFN standards – TBD
- ONAP SECCOM will participate in the joint meeting to bring ONAP, Nephio and OSC in line with LFN standards
- The SIG Security team has a GitHub site: https://github.com/nephio-project/governance/tree/main/sig-security
- Chair and vice-chair nominations close this week, and the election will follow soon (most likely Rahul Jadhav from AccuKnox will be chair)
- For now, they shared possible high-level security focus areas as follows, but there are no detailed plans yet; waiting for the chair and vice chair
- Byung asked about CI/CD security, secure supply chain, SBOM, service mesh and others, but got no detailed answers yet; Nephio needs a secure CI/CD pipeline and supply chain since it allows customized controllers
- Byung (and ONAP SECCOM) plans to work with them on detailed plans. They seem to be studying the ONAP security architecture and best practices that Byung and ONAP SECCOM created. ONAP and Nephio can collaborate on this work. In my opinion, ONAP SECCOM can provide a lot of insight
- Shilpa from DT attended the meeting. I described how DT and Ericsson worked together on ONAP security by implementing Istio service mesh, ingress, and IdAM using Keycloak. Nephio may want to copy the ONAP security architecture, TBD
- Shilpa knows about the ONAP security work, which was done by Andreas Geissler (DT) and team
- Nephio is generating an SBOM according to Wim (Nokia), but it is not yet clear which SBOM specification they are using (he needs to check); most likely it is based on SPDX (created by the LF). More to come...
- ONAP SECCOM (Byung and others) plans to participate in or monitor Nephio SIG Security more