Proposed Updates to Release Templates (Frankfurt) - Security Questions
M1 Release Planning Milestone
Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
Security | Has the Release Security/Vulnerability table been filled out in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| Have known vulnerabilities (critical and severe) to address/remove in the release been identified with Jira tickets? | | Jira tickets exist for the vulnerabilities, or the project indicates that there will be no vulnerable library replacement | Create Jira tickets |
| Has the project committed to the release CII badging level? | | Project plans that include | See https://www.coreinfrastructure.org/programs/badge-program/ and https://lf-onap.atlassian.net/wiki/display/DW/CII+Badging+Program |
| Has the project created their project CII questionnaire and completed the ONAP-level CII requirements? | | URL of the questionnaire; all ONAP-level CII requirements are answered | See https://lf-onap.atlassian.net/wiki/display/DW/CII+Badging+Program |
| If the project uses Java, has the project integrated with the oparent.pom? | | oparent.pom included in the project | |
M2 Release Planning Milestone
Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
Security | Has the Release Security/Vulnerability table been updated in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| Have all project containers been designed to run as a non-root user? | | | https://wiki.onap.org/display/DW/Best+Practices |
M3 Release Planning Milestone
Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
Security | Has the Release Security/Vulnerability table been updated in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| Has the project committed to enabling transport level encryption on all interfaces, with the option to turn it off? | | Requirements and test cases for transport layer encryption have been created for all interfaces not currently supporting encryption. | |
| Has the project documented all open port information? | | Provide all port information to the Integration team | PTL collects from the project team all ports used to support the protocols required by the project. |
| Has the project provided the communication policy to OOM and Integration? | | | |
| Do you have a plan to address by M4 the Critical and High vulnerabilities in the third party libraries used within your project? | | | Update all Jira tickets with the plans. |
| Has the project answered all CII badging questions required for the release (passing, silver and gold)? | | Project Jira tickets for release questions are closed. | Answer questions on the project CII Badging page(s). |
| Will the project enable authentication on each interface? | | Project has integrated each interface with AAF. | Follow the AAF guidelines for integration and credentials management. |
| Will the project enable all required hardening techniques? | | Project Jira tickets for hardening techniques required for release are closed. | Follow instructions for implementing each hardening control. |
M4 Release Planning Milestone
Practice Area | Checkpoint | Yes/No | Evidence - Comment | How to? |
Security | Has the Release Security/Vulnerability table been filled out in the protected Security Vulnerabilities wiki space? | | Table in the protected Security Vulnerabilities wiki space corresponds to the latest NexusIQ scan; all NexusIQ findings are marked as false positive or exploitable, with the supporting analysis. | PTL reviews the NexusIQ scans for their project repos and fills out the vulnerability review table |
| Are all defects of priority Highest and High in status "Closed" in Jira? (This includes the Jira tickets for Critical and Severe NexusIQ findings.) | | All Jira tickets for vulnerability elimination are complete. | Complete Jira tickets |
| Did the project achieve the enablement of transport level encryption on all interfaces and the option of disabling transport level encryption? | | All interfaces are exposed over TLS and the secure protocol can optionally be turned off | |
| Do all containers run as a non-root user, and is documentation available for those containers that must run as root in order to enable ONAP features? | | | |
| Provide the "% Achieved" on the CII Best Practices program. (Moved from Development section) | | Provide link to your project CII Best Practices page. | As documented in the CII Badging Program, teams have to fill out CII Best Practices |
REMOVE FROM DEVELOPMENT | Are there any Critical and Severe level security vulnerabilities older than 60 days in the third party libraries used within your project that are unaddressed? Nexus-IQ classifies the levels as the following: which is compliant with the CVSS v2.0 rating. | | | |