2020-03-10 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of March 2020.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
| Meeting with Huabing - OJSIs update | Huabing as PTL of MSB joined SECCOM meeting and following OJSI jira was reviewed: OJSI-204 - MSB exposes unprotected APIs/UIs (CVE-2019-12129) - if MSB is not only a broker but exposes some API that allows to execute some actions - this API should be protected with AA mechanism. | Comment for this Jira was updated. | We agreed to document the issue and ask for a waiver for Frankfurt release. Huabing declared to fix this issue in Guilin release. Huabing will provide a comment with the solution. |
| Meeting with Vijay - OJSI update | Vijay as PTL of DCAE joined SECCOM meeting and following OJSI jira's were reviewed: OJSI-116 - xdcae-ves-collector exposes plain text HTTP endpoint using port 30235 - prior to Frankfurt release VES collector was using http communication. For Frankfurt VES based on TLS is enabled. In order to preserve backward compatibility http communication is still possible. OJSI-30 - Unsecured Swagger UI Interface in xdcae-ves-collector - Swagger UI allows to make some calls that contain a lot of information about the service that it is provided unsecured to outside world - no authentication required to access it. for VES TLS authentication is enabled. OJSI-195 - config-binding-service exposes plain text HTTP endpoint using port 30415 - Jack already submitted the patch to disable the node port, Krzysztof gave already+1 on the review. | Comments for those Jiras were updated. |
for both jiras (116+30) It was agreed that Krzysztof will check with Morgan and Vijay the impact of changing into TLS at post M4 stage. |
| Code coverage update with Vijay | OTI event handler was at 0% but it was handled by DCAE team and it is OK now. | fix is implemented |
|
| Components upgrades with Vijay | Some components upgrades were done in the Frankfurt release. | Planned | For the remaining ones SECCOM will come back to DCAE with the versions proposals with split between critical and severe levels for direct dependencies. Impact for theupgrades to be analysed by DCAE team. |
| Meeting with Seshu - summary | For almost all http ports we are good to close OJSI tickets. Only issue related to AA and heavily impacted by AAF. If AAF team is not able to support this request within Frankfurt release we will ask for a waiver to continue that work in Guilin release in order to not to block M4. |
| CII badging clarification with Tony requested by Seshu - e-mail to be sent to Seshu with Tony in copy. |
| SECCOM chair and vice chair elections | Confirm that the correct voting member for your company is on the Security Sub-committee Members list | Still waiting for Kenny's feedback | Kenny was asked to provide his feedback during the last PTL call - he promissed to respond. Once scheduling is known, will be sent to SECCOM distribution list. Kenny might be on sick leave recently. |
| OJSIs update by Krzysztof | We are progressing in a very good direction. The most important are the issue with CVE assigned - most of them are resolved - just 3 of them in progress (1 SDNC - in worst case admin port will be disabled and 2 APPC - to be followed with Taka). |
| |
| How do we treat projects that are out of release scope? | Fixing OJSIs tickets is it enough? For MSB case as there is no new development - but there is a maintenance. |
| TSC recommendation is needed. We should identify minimum basline with checklist of security items/best practices that we expect to be met by projects to assess maturity of each component.:
|
| Guilin SECCOM priorities - review - to be done for red items next week | P1: -Updates of the languages (java from v8 -> 11 and Python 2.7 -> to 3.x) – Interns from LFN could be gained -Updates of directly dependent software components (Here we are thinking about benefiting from LFN Interns that could support projects in their packages upgrades, in addition the new version of Nexus-IQ is able to display components with direct and indirect dependencies, we should define priorities, release manager should help in coordination between projects) -Automated security testing – containers not running as root – SDNC example -Increase the number of CIS Docker Benchmark checks in the Integration healthchecks. P2: -Secrets management -No root access to the DB from main application container Currently we have some pods (i.e. OOF) that require root access to their mariadb-galera instance for main application to work. This is obviously a security issue. Each application should have its own DB account that allows to access only its own DB. -All config files inside the main container should be ReadOnly There are some weird design like in APPC where main container modifies properties provided by the user at runtime. I believe that application configuration should be read only. P3: -Increase of code coverage (to be honest in Frankfurt release it seems that not that much happened – I am not sure if each project proposed % feasible for them and followed the actions to achieve this -CII badging P4: -High Priority SECCOM initiative: service mesh recommendation -SECCOM initiative: OJSIs to be solved -SECCOM initiative: https communication User access management ONAP MVP Flow management Logs management We shall continue efforts for projects ongoin e.g. connectivity matrix, VNF Security requirments, CMPv2 etc. | List was already presented to PTLs, no specific feedback. Next to be presented to TSC. | . Efforts on service mesh to be continued to have a real alternative to AAF which is failing as of today. We hope AAF would be better with new PTL John but service mesh alernative should be explored with: certificates, mTLS, sidecar. |
| Different zoom bridge to avoid influence of Architecture Subcommittee starting their meeting. |
|
| LFN to be contacted. |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17TH OF MARCH'20 |
|
|
|