2020-03-31 Security Subcommittee Meeting Notes

Please find below the Minutes of Meeting and the recording for the SECCOM meeting that was held on 31st of March 2020.

Jira No

Summary

Description

Status

Solution

Review of OJSIs with SO (Seshu)

SO made an effort to close several OJSIs and only one is remaining. For this remaining one, a waiver for SO for the OJSI involving AAF interaction was approved by SECCOM.

Whitelisted projects - Krzysztof will submit a patch to Morgan.

Replacement of AAF by service mesh - we want to replace only the part of AAF which is policy enforcement.

Jonathan's AAF Video

CII Badging - Tony provided some additional inputs to the REQ-223 comments. AAF made good examples, with 7-9 good assurance cases. Template preparation by SECCOM could be helpful for ONAP projects. Assurance case = how your project is internally secure and protects the security of the things it deals with. The security document says how the application is secure based on its architecture; the assurance case says what was done in the implementation to meet the security requirements. Example of an assurance case: thanos.io/security.

Recommend waiver for SO for OJSI with AAF interaction.

Guilin package upgrade proposal.

Available here. Under restricted access, the Wiki provides information about direct dependency vulnerabilities and the recommended upgrade version per repository. Additionally, the status column should reflect the actual status of the upgrade process. Priority 1 is the highest and reflects critical vulnerabilities for upgrade; priority 2 reflects severe-level vulnerabilities. Each project will have all the info in one place under its dedicated Wiki page. For each project, a Jira ticket will be opened with a link to the Wiki. In some cases we will not eliminate all vulnerabilities, but we will significantly reduce them.

CLAMP is the first project without any direct vulnerability - congratulations to Martial and project team!

Jira report update

Report is available here.

OJSI-145 is on the whitelist - to be checked why. 3 issues from SDC; one issue from the VES collector is blocked by some integration testing. For VNFSDK - why are they still exposing JDWP? OOM made really good progress with password removal around MariaDB-Galera.

Morgan reports scan results of the current ONAP instance. We expect the commit hash for removing the vulnerability, for transparency.

Message to be shared with PTLs.

New zoom bridge for SECCOM

Kenny shared good news. We have a dedicated zoom for SECCOM purposes.

Service Mesh risk analysis – meeting summary available here

Service mesh requirements from security perspective followed by risk analysis. Logging was discussed with special focus on Fluentd.

Fabian created a platform for service mesh. UDP not supported in service mesh?

UDP support in service mesh - to be further elaborated. Link provided by Krzysztof: https://istio.io/docs/ops/configuration/traffic-management/protocol-selection/

Images

Image for Go is lacking. Ubuntu 18.04 LTS. CoreOS is used by etcd, and etcd is used by MultiCloud. But the point was to update the CentOS version.

A tool that could be used for drawing graphs for a single image and merging them into a single one.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 7th OF APRIL'20