2020-11-03 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 3rd of November 2020.

Agenda items (table columns: Jira No, Summary, Description, Status, Solution; the Jira No column was empty for every item)

Secrets management
  Description: Which secrets are specified during the deployment - to be addressed with operators.
  Status: ongoing
  Solution:
    • A script must be written to collect the requested information on the secrets used.
    • Looking at the CII Badging answers in this area.
    • The ONAP security requirements were also covering this area (master keys).
    • Krzysztof to be contacted, as the Samsung team worked on this topic in the past.
    • Amy to check Sonatype outputs in this area.

Flow matrix
  Description: Discussion point: Natacha initiated a Wiki page, "Flow matrix guidelines" (UNDER CONSTRUCTION).
  Status: ongoing

Guilin version highlights
  Description:
    1. Package upgrades progress
    2. Java (v8 → 11) and Python (v2.7 → v3.6) migrations
    3. Progress in packages not running as root (decrease in the number running as root)
    4. Migration to HTTPS as the default best practice
  Status: ongoing
  Solution: Ideas to be further shared by the SECCOM team.

SECCOM requirement for ONAP maintenance release
  Description: "Any critical, severe or high vulnerability found in the code written by the project team MUST be fixed within 60 days or prior to the inclusion of the project in a new release, whichever occurs first"
  Status: done
  Solution: No specific comments received from SECCOM.

Harbor integration follow-up
  Description: Errors with the demo server experienced by Jess.
  Status: ongoing
  Solution: To be further checked on Harbor, with exchanges between Fabian and Samuli.

Whitesource configuration to
  Description: Do we recommend running Whitesource next to Nexus-IQ? We have to choose one. We might want to evaluate both in the Honolulu time frame to recommend the final one. One of the criteria could be the possibility to export CVEs into an Excel file.
  Status: ongoing
  Solution: We recommend a trial period running both tools, to compare them and recommend the ultimate one.

Java and Python latest scans
  Description: There is a build-time test that checks the images to see whether they include Python 2 (interpreter; 115 vs. 61 with Python 3) or Java 8 (runtime; 63 vs. 55 with Java 11). We still have lots of components that have those in their image.
  Solution:
    • Amy had exchanges with Pawel W.
    • Script updates are needed.
    • Base images would not use
    • Wiki to be used for results posting - David to be contacted by Amy.
    • E-mail to be sent to onap-discuss on that by Amy.

Honolulu non-functional requirements
  Description: SECCOM requirement provided after the deadline (16th of October):
    • SIEM integration (REQ-464):
      • integration with the SIEM like for the other applications, using the same protocol
      • logs from ONAP to the SIEM; the Falco tool to be considered (IDS for Kubernetes)
      • alarms when a security issue occurs
  Status: done
  Solution: Prioritization will be done by the TSC. With Fabian we made a SIEM requirement.

OOM tests
  Description: Weak ciphers could be tested.
  Solution: To be followed up with the OOM team - Amy and Tony to discuss together.

CII Dashboard
  Description: 3 projects are silver now; one of those (VVP) is even at 65% of gold, and the 2 others (Policy and AAF) are at 57% of gold. CLAMP is at 96% silver and over 40% gold.
  Status: ongoing
  Solution: Progress to be shared on the next PTLs call.

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF NOVEMBER'20. 

Harbor discussion.

Recording:

SECCOM presentation: