2020-11-17 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 17th of November 2020.

Columns: Jira No | Summary | Description | Status | Solution (the Jira No column is empty for every item below).

Summary: Root pods discussion

Description: A change for Consul was recently submitted. There are two ways to ensure that the process is not running as root in the container:

  • the Docker daemon switches the user before starting the process (no need to trust the content of the container) – preferred option

  • the process starts as root and then drops privileges itself (requires trusting that the container content is valid)

Status: ongoing

Solution: The preferred option is to be validated by Krzysztof and confirmed by e-mail. Afterwards it will be presented to the TSC to become a best practice.
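As an added example (not ONAP code, and not the Consul change mentioned above), the script below audits Kubernetes pod manifests for the preferred option: the runtime, not the image, guarantees a non-root UID through the pod or container securityContext. Manifests are assumed to be already parsed into dicts (for instance rendered Helm output loaded with a YAML parser); the three sample manifests, the pod names and the image name example/consul:1.0 are constructed placeholders.

```python
"""Audit Kubernetes pod manifests for runtime-enforced non-root containers.

Added example, not code from ONAP or the Consul change discussed in the
minutes.  Works on manifests already parsed into dicts (e.g. rendered Helm
output loaded with a YAML parser); the three manifests below are constructed
for illustration and the image names are placeholders.
"""
from typing import Any, Dict, List

# Constructed sample: pod-level securityContext pins a non-zero UID, so the
# kubelet starts the process as that user whatever the image's USER says.
POD_RUNTIME_ENFORCED: Dict[str, Any] = {
    "kind": "Pod",
    "metadata": {"name": "consul-enforced"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 100},
        "containers": [
            {"name": "consul", "image": "example/consul:1.0",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
    },
}

# Constructed sample: nothing is pinned; the process starts as root and the
# image's own entrypoint is trusted to drop privileges (the second option).
POD_ENTRYPOINT_DROPS: Dict[str, Any] = {
    "kind": "Pod",
    "metadata": {"name": "consul-entrypoint"},
    "spec": {
        "containers": [
            {"name": "consul", "image": "example/consul:1.0",
             "command": ["/entrypoint.sh"]},
        ],
    },
}

# Constructed sample: the pod says non-root, but a container-level
# runAsUser: 0 overrides it (the kubelet would refuse to start this one).
POD_ROOT_OVERRIDE: Dict[str, Any] = {
    "kind": "Pod",
    "metadata": {"name": "consul-root"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "consul", "image": "example/consul:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}


def _effective(pod_sc: Dict[str, Any], ctr_sc: Dict[str, Any], key: str) -> Any:
    """Container-level securityContext wins over pod-level for the same key."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding per container (init containers included) that the
    runtime does not guarantee to run as non-root, plus one if privilege
    escalation is not explicitly disabled.

    "Guaranteed" means the effective runAsNonRoot is true or the effective
    runAsUser is a non-zero UID.  Anything else trusts the image content.
    """
    findings: List[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    pod_name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext", {})
        tag = f"{pod_name}/{ctr.get('name', '<unnamed>')}"
        uid = _effective(pod_sc, ctr_sc, "runAsUser")
        non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            findings.append(f"{tag}: runAsUser is 0 (explicit root)")
        elif non_root is not True and not (isinstance(uid, int) and uid > 0):
            findings.append(f"{tag}: no runAsNonRoot/runAsUser; relies on the "
                            "image entrypoint dropping privileges")
        # allowPrivilegeEscalation exists only at container level.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{tag}: allowPrivilegeEscalation not set to false")
    return findings


if __name__ == "__main__":
    for pod in (POD_RUNTIME_ENFORCED, POD_ENTRYPOINT_DROPS, POD_ROOT_OVERRIDE):
        print(pod["metadata"]["name"], "->",
              audit_pod(pod) or ["OK: runtime-enforced non-root"])
```

Run against rendered charts, a pod with no findings is one where the image content does not have to be trusted for the non-root guarantee; a pod flagged as relying on its entrypoint is the second option from the discussion and needs the image reviewed.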

 

 

Summary: SECCOM requirements for Honolulu

Description: Looking for a junior profile to execute the Java upgrades. Orange Labs Poland and LFN have been contacted.

Status: ongoing

Solution: To be further elaborated.

 

 

Summary: Harbor update

Description: Item solved by e-mail exchange.

Status: done

 

 

Summary: Secrets management update

Description: No feedback yet from Natacha on the different types of secrets existing in ONAP that were discussed on 10th of November.

Status: done

 

 

Summary: Flow matrix

Description: Fabian had a meeting with Sebastien. Fabian is exploring Cilium.

Status: ongoing

Solution: No feedback from this meeting yet; waiting for feedback from Sebastien.

 

Summary: Quality of the code

Description: Possibility to refuse the commit. There are quality issues in ONAP, but we get a lot of push back.

Status: ongoing

Solution: Meeting with Jessica to be planned for pipeline creation.

 

Summary: CII Dashboard

Description: Progress was shared on the last PTLs call.

Status: done

 

 

Summary: Versions recommended for Honolulu release

Description: Tests check versions at run time. Java 11.0.6 selected as the recommended version.

Status: ongoing

 

 

Summary: Protocols and encryption findings from Sonar

Description: 5 types of findings, 2 of them serious:

  • 130+ projects disable validation of the server certificate, or of the host name in the certificate, ignoring part of the basic TLS protocol.

  • 38 projects have a problem with the way they use cryptographic algorithms: broken ones (MD5 or SHA-1) are used.

  • Poor practices in identity management.

  • SSL selected instead of TLS – easy to fix.

Solution: Best practice to be formalized: Amy to provide modified wording for Cryptographic Algorithms and Protocols. Krzysztof will have a meeting later today with Chaker and David.
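As an added example (not ONAP code; the Sonar findings are in Java projects, and the same patterns are shown here with Python's ssl and hashlib modules so the check runs stand-alone), the script below reproduces the two serious findings and the SSL-versus-TLS one, puts the hardened configuration next to each, and audits a client context for them. No network access is needed: contexts are only configured, never connected. The function names and the BROKEN_HASHES set are this example's own.

```python
"""Reproduce and detect the TLS and hashing findings Sonar reported.

Added example, not ONAP code.  The Sonar findings are in Java projects;
this shows the same patterns with Python's ssl and hashlib modules so the
check can be run stand-alone (contexts are configured, never connected).
"""
import hashlib
import ssl
import warnings
from typing import List, Optional

# The algorithms the minutes call broken; everything else is passed to hashlib.
BROKEN_HASHES = {"md5", "sha1"}


def insecure_client_context() -> ssl.SSLContext:
    """The flagged pattern: certificate-chain and host-name checks disabled,
    and the protocol floor lowered to legacy TLS 1.0 where the OpenSSL build
    still allows it (the 'SSL instead of TLS' class of finding)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate from any issuer
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0 is deprecated
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            pass  # OpenSSL built without TLS 1.0: floor stays at the library default
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The fix: verify the chain against a CA bundle, verify the host name,
    and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the Sonar-style findings that apply to a client context."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not validated (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("host name not validated against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor below TLS 1.2 ({ctx.minimum_version.name})")
    return findings


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest with broken algorithms refused up front: MD5/SHA-1 are never
    even constructed, which also keeps FIPS-mode builds from failing later."""
    if algorithm.lower() in BROKEN_HASHES:
        raise ValueError(f"{algorithm} is broken; use SHA-256 or stronger")
    return hashlib.new(algorithm, data).hexdigest()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("secure:  ", audit_context(secure_client_context()) or ["OK"])
    print("sha256(abc) =", fingerprint(b"abc"))
    try:
        fingerprint(b"abc", "md5")
    except ValueError as exc:
        print("md5 refused:", exc)
```

The order in insecure_client_context matters in the other direction too: Python refuses to set verify_mode to CERT_NONE while check_hostname is still true, which is why disabling validation always takes the two steps shown and why both are worth checking separately in an audit.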

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 24th OF NOVEMBER'20. 

 

 

 

 

Recording:

 

SECCOM presentation: