2019-12-10 Security Subcommittee Meeting Notes

Please see the Minutes of Meetings and recording for the  SECCOM meeting that was held on 10th of December 2019.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

Oparent.pom update

To ensure that Oparent.pom file has the latest references to available versions of components.

Amy updated Oparent.pom file with the latest and greatest versions available in the last week.

Warning: Jackson-mapper-asl - functionality moved to Jackson-databind with the latest version 2.10.0.

For Guilin release Jackson-mapper-asl will be fully removed.

 

VNF security requirements

Leftovers from El Alto to be collected. Special focus on ensuring that the language is clear and definition allows for an automatic tests - fitting OVP process.

2 tickets were created from last week's call.

Dealine before early spring.

We focus on testable requirements.

 

OOM password generation update

Passwords in ONAP should be randomly generated but it generates issues related to update of components. That is an alternative idea is considered - person deploying ONAP must provide master password- based on HMAC. If we provide the same password for deployments, the passwords generated inside ONAP will gonna be the same. For upgrade with Master passrod, ONAP passwords will not change. 

Change of password done with a reliable way.

Consequences of using m,aster password - if it is compromised . See Master Password attached file.

 

CII Badging update – Tony

To discuss with David McBride his role in supporting CII Badging

David to be invited for the next SECCOM meeting

E-mail was sent to David.

David confirm his availability on 17th of December.

 

 ONAP access management - Natacha

User has an access to all services which is not ok

 

 All ONAP components should implement fine grained authorization. Service Mesh POC could be a solution to further investigate, amount of work with AAF could be high as an alternative.

Common session during DDF in Prague should be organized to address what do we want from service mesh to be solved and what are our short term plans..

 

remediating known vulnerabilities in third party packages - Amy

Upgrading direct dependencies to the latest greatest versions

 

We need to have Jira tickets opened for direct dependencies. at M2 and to be completed by M4. If not exception asked to TSC.

 

 Topics identified for next week's SECCOM agenda

  • CMPv2 status update – Pawel/Hampus

  • CII Badging update – Tony/David

  • ONAP and SOL004 VNF signature update – Samuli