2019-11-26 Security Subcommittee Meeting Notes

Owned by Amy Zwarico
Last updated: Dec 01, 2019
2 min read

Please see the Minutes of Meetings and recording for the  SECCOM meeting that was held on 26th of November 2019.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

Election of SECCOM chair and vice chair

Propose moving elections for both SECCOM subcommittee chair and vice chair to February time frame when normally elections for chair are scheduled, so we could have joint elections.

Updated SECCOM membership on Membership

No one has expressed an interest in having separate vice chair elections before February

 

 

SECCOM proposed release assessment for TSC at 12/5 meeting

-KPIs

  • CII badging – Tony

  • Closed OJSI tickets – Krzysztof

  • Known vulnerability management – Amy

  • Code Coverage – Amy/Pawel

-Define the passing criteria for security

Define the KPIs for the Frankfurt release

Define the SECCOM passing criteria

Owners of each KPI asked to update the KPI and passing criteria in Frankfurt security assessment

 

Code Coverage:

  • Pierre proposed a Frankfurt POC with CLAMP to measure testing on core and new functionality

  • Define core and non-core

  • Amy will reach out to Kenny and David to set up a meeting with SONAR to learn more about the tool.

  • SONAR reports on  the percentage of new code that is covered by a test. Need the definition of New and if it is possible to define in the tool.

CII badging:

  • Tony reviewed enhancements of his CII metrics website

  • Assurance case (documentation of project security measures)

    • Only 10 of 38 projects have answered this question (5 Met, 5 Unmet) d

    • Proposed that SECCOM produce a template for this case to be used by all projects

    • Get TSC approval for template

  • Communications Matrix pilot - Natacha working with DCAE project (Vijay)

 

Pilot the Communications Matrix with DCAE for Frankfurt

 

Natacha working with DCAE project (Vijay)

 

 

Update on CLI OJSI tickets

ONAP SECCOM and MSB synch call (15/11/19)

ONAP SECCOM and CLI synch call (25/11/19)

  • CLI to prioritize OJSI tickets over known vulnerabilities in 3rd party packages

 

 

 

ONAP F2F in Prague – topics proposals (https://wiki.lfnetworking.org/display/LN/Call+for+ONAP+DDF+Topics+-+Prague+2020 ):

  • SECCOM F2F

  • Working session – testable VNF security requirements

  • Joint discussion with CNTT on security like security requirements,

  • Status update OOM password removal

  • Status update ingress controller introduction

  • ISTIO common discussion

  • Communication matrix update – diagram and interactions from it

 

Team members asked to review and provide additional topics.