2019-10-29 Security Subcommittee Meeting Notes

Please see the Minutes of Meetings and recording for the SECCOM meeting that was held on 29th of October 2019.

Jira No | Summary | Description | Status | Solution

Synch with David McBride about Portal SDK 2.6.0 integration plan post El-Alto

-Third party package vulnerabilities in Portal SDK need to be updated in the Frankfurt release

-Part of TSC effort to ensure that SDKs are available to the other projects early in the release

-Currently there is a Portal SDK patch that updates ~10 packages; patch is still in review and requires more testing

Release Manager (David McBride) will manage the Portal SDK release so that it is available to the dependent projects by M2

-David McBride action items

  • Determine current version of Portal SDK - done - see attached presentation

  • Determine timeline of new package release: projects need the package by M2

  • Create list of projects that use Portal SDK

  • Create jira tickets for all dependent projects to migrate to new version of Portal SDK


Review of El Alto key figures tracking ONAP progress in the security domain and propose a SECCOM recommendation for El Alto to present to the TSC.

-Release key achievements from SECCOM perspective (to be answered to Amar’s e-mail):

State of ONAP security is improving. We are not there yet to say that ONAP is a secure piece of software but we are definitely going in the right direction.

Some key facts from this release:

-Number of exposed HTTP ports has been significantly reduced (21 currently, but I hope that we can reduce this number even more by Thursday)

-12 CVEs have been fixed, 7 are still being worked on (out of a total of 26)

-44 OJSI tickets have been resolved and 19 are still in progress (some may be fixed by Thursday but most will probably be deferred to Frankfurt); 66 are still untouched.

-Updating CII Badging answers (to be consulted with Tony):

  • Updates of projects representatives and adding Jim Baker as co-host

  • Updates of xxx projects answers in passing level

  • Updates of yyy projects answers in silver level

  • Updates of yyy projects answers in gold level

-Analyzing known vulnerabilities – first component upgrades were introduced by the Portal project: Spring Framework from v4.2.3 to 4.3.24. Next upgrades not yet pushed into ONAP gerrit due to resource constraints for testing the recent changes.

Completed draft of SECCOM release recommendation

Recommend to TSC that ONAP El Alto should not be released until the SDNC team fixes the remote code execution vulnerability or re-enables the workaround implemented in Dublin

If the vulnerability is mitigated with the workaround instead of a permanent fix, then the CVEs must be documented in the known security issues section of the El Alto release notes in order to improve ONAP transparency.

SECCOM-258: ONAP Security Architecture document (Status: Open)

Improve security documentation in Frankfurt

Initiate a work item for Security Architecture documentation

  • secure communication targets for Frankfurt

  • Authn/Authz architecture

  • PKI

  • Communication matrix

Harald has created a wiki page based on the F2F meeting

REQ-255: ISTIO POC – limited ONAP deployment scope (Status: In Progress)

ISTIO work in Frankfurt

-Intel completed a POC for ONAP4K8S profile and will continue that for R6

Need to assign Jira to Intel


Frankfurt Security Release Manager support

-SDNC fix for the 3 remote code execution vulnerabilities through integration with AAF

-Release management to help projects manage OJSI resolution – determine resource needs, track progress, raise issues

Need Release Manager support for both activities


Review of El Alto key deliverables

-Known vulnerabilities analysis - ongoing

-Synch with Portal team on their component upgrades – it seems that only a few were upgraded – feedback from Portal team received under the jira ticket.

-OJSI tickets tracking – Jim/Pawel/Krzysztof/Amy

  • OJSI Dashboard - Krzysztof

  • Krzysztof investigating the optimal way to incorporate the test

-CII Badging updates – first positive feedbacks

-Communication matrix – ongoing exchanges with Vijay. Krzysztof's scripts would be very helpful (both local host and external world)

-Recommended upgrades – see presentation

-Nexus IQ vs. Whitesoftware

  • Waiting for Dan's feedback for effective/ineffective

  • Waiting for Renan’s analysis for WS results – work ongoing

  • LFN is willing to add all ONAP projects under WS jenkins jobs

-ODL synch meeting was finally organized on 10th of October – MoM were prepared and shared with participants:

  • Dan shared the link to ONAP ODL MVP

  • Luis will now compile the package based on MVP scope to avoid potential issues with licensing

  • Once the ODL customized package is shared with ONAP (Dan), Jessica will work on preparation of Jenkins jobs with Nexus-IQ scanning

  • Once it is done, Amy will create vulnerability tables and we will organize a next call with the ODL team to review findings, discuss priorities and assess whether they are ODL or upstream vulns

-What do we do with MSB or other kind of projects? – security implications…

  • Meeting with Huabing from MSB was done – action was agreed on his side to contact VFC and Multicloud projects to synch on

Action with TSC was taken! List of projects with lack of reaction on security best practices to be provided.


Alpine recommended version

Jonathan suggested having an Alpine image with JDK 11 embedded.

E-mail was sent to Morgan and Brian for consultancy.


Synch call with SDNC for OJSIs

It was agreed that the organization of the conf call should be more efficient – an e-mail was sent to Dan to set up the call – waiting for his feedback.