SECCOM F2F - 2018

28 November

9:00 - 9:15

Status of the Casablanca Priorities  (SECCOM-82)

Amy

Review the Casablanca security achievements    18_11_28_ONAPCasablancaSecurityPrioritiesStatus.pptx

9:15 - 10:00

Outline Dublin Security Priorities (SECCOM-73)

Stephen

Create the Dublin security priorities draft to review with seccom and present to the TSC 2018-11-14 Dublin Security - RequirementsV2.pptx

10:00 - 10:30

Vulnerability Management Process Review (SECCOM-63)

Pawel/Robert

Updates to the vulnerability management process

10:30 -10:45

 Break

10:45 11:15

Silver CII Badging (SECCOM-79)

Amy

Determine the Silver requirements the projects need to focus on for Dublin and the requirements that are met by the overall ONAP processes  18_11_28_ONAPDublinCIISilverRequirements.pptx

11:15 - 12:00

Relationship between vulnerability reviews and release gates

(relates to security by design (SECCOM-75))

Amy

Lessons learned from the Beijing and Casablanca reviews

Enumerate the vulnerability mitigates tasks for each milestone and release candidate. This will help the projects schedule package upgrades, replacements, and the development of compensating controls early in the release cycle. 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx

12:00 - 1:00

 Lunch

1:00 - 1:45

Vulnerability handling clarifications (SECCOM-88) 

 Amy

Create a simple workflow that will be used to explain the vulnerability remediation and documentation process to the PTLs 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx (see page 5)

1:45 - 2:30

 API Security (SECCOM-80)

Natacha

Review the ETSI API security recommendations and requirementsONAPseccom-API_security.pptx

2:30 - 2:45

 break

2:45 - 3:00

Risk Assessment Review (SECCOM-81)

Pawel/Samuli

Review the findings from the risk assessments

Discuss the questionnaire proposed by Robert to help identify risk in projects

ONAP Beijing Security Assessment (DB & Kubernetes) 27-11-2018--ONAP-Beijing-Security-Assessment.pptx

ONAP Beijing CIS Benchmark for K8S test: CIS_Kubernetes_1.1.xlsx

Risk Assessment table (still under development and not yet mature): ONAP Risk Assessment table v 0 8.xlsx

3:00 - 4:00

 Risk Assessment Overall Plan.  Also in (SECCOM-81)

Pawel/Samuli

Define the scope of the risk assessment and the plan to complete the assessment

Focus on some selected areas of risk

4:00-4:15

 Break

4:15 -5:00

 wrap up

29 November

9:00 - 10:00 1hr

 ONAP Communication Security Requirements

Pawel

Review communication security between ONAP components and ensure that the transactions exchange between the different components are secure (Authentication, Authorization, Confidentiality)

10:00 - 10:30

Security by design (SECCOM-75)

Stephen

What guidelines are required to projects and the milestones to place security first and foremost.

• Project security documentation

• Project communication policy to OOM

• Overall ONAP security documentation

• Test cases

• No XSS vulnerabilities in GUIs

• input validation on all GUIs and APIs

• Test driven development

2018-11-30 Security by design.pptx 

10:30-10:45

 Break

10:45-11:15

 Security Guidelines (SECCOM-93)

Zygmunt

Develop a plan to document the security of ONAP

11:15-12:30

 Discussion and Review  Action Items

Amy

Review the meeting; assign action items

12:30-1:30

Lunch

1:30-4:00

 Backup if needed

Additional discussions among participants still available