2020-08-11 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 11th of August 2020.

Jira No

Summary

Description

Status

Solution

 

M2/M3 status update

SECCOM non-functional requirements - all projects passed the M2/M3 gate.

 

 

 

NEXUS-IQ SCA demo for Fabian

Demo with NEXUS-IQ executed. 

Waiting for Harbor feedback once established.

 

 

Last PTL's meeting (10th of August) update

-REQ-376 - Flow matrix to be updated by remaining PTLs – Fabian

-REQ-350 CII Badging - Tony

  • Tony updated description part

  • List of the projects who have not responded yet 

 

ongoing

 

 

During next PTL meeting identify next projects.

Fabian will be off for the next 2 weeks - proxy to be identified.

 

TSC meeting outputs 

Most of the meeting was focussed on tracking M2/M3 status.

Amy has an action item on how many projects are still dependent on Java 8.

Removal of GPLv3 license - to be removed from all containers that contain ONAP code.

 

 

 

SECCOM elections

Waiting for Kenny to start election process 

ongoing

 

 

Honolulu SECCOM requirements

Reminder from the previous discussion:

After Service Mesh PoC - new requirements might arrive.

Harbor requirement. In Harbor:

  • you can sign the image and you can share the key with an application that has an account to pull or to push the image

  • possibility to scan the image continuously and send a warning

Harbor is deployed at run time, while WhiteSource and Nexus-IQ are used during development.

Logs management (SECCOM discussion on 17th of March)

SIEM integration: 

  • integrate with SIEM in the same way as the other applications, using the same protocol

  • logs from ONAP to SIEM, Falco tool to be considered (IDS for Kubernetes)

  • alarms when a security issue occurs

CII Badging - session planned on the PTLs call.

Action: work on a non-functional use case requirement for logs collection - important for project maturity.

 

Service Mesh update

Fabian is working on authorization of how to deploy and manage connectivity between the apps.

 

 

 

Java v8

Data collection for projects currently using Java 8 - Amy sent an e-mail to Morgan asking whether it is possible to obtain results.

Dependency on Java to be tracked.

Waiting for feedback.

 

 

Package upgrade update to PTL meeting 

As Pierre will not be available, Amir could present to PTLs.

 

 

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 18th OF AUGUST'20. 

Topics proposed:

  • Certificates management update – Krzysztof

  • Security Documentation – Harald

 

 

 

Recording

SECCOM presentation