2021-05-04 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 4th of May 2021.

Jira No

Summary

Description

Status

Solution


 

NSA proposal follow-up

Meeting on May 3rd:

  • The meeting was very informative; the aim is to grow the ONAP platform in analytics and in reacting to events.

  • One of the first steps in joining this session: logging requirements, AA in Kubernetes.

  • NSA requirements are needed for the areas to be enhanced.

ongoing

Next meetings will be organized ad hoc. SECCOM weekly meetings will be used regularly.

Amy will facilitate exchanges with Maggie and NSA team.

 

Additional 2 resources from Orange to improve ONAP security

Progress with SO (Fabian); first focus on the application performance issue.

ongoing

 

 

ONAP security with the OPS 5G project

Next meeting on May 6th; deck prepared and presented by Amy:

 

ongoing

To be presented on May 6th

2021-05-06_ONAPSECCOMOverview_v1.pptx

 

ONAP CII discussion

Requirement: 

There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

ongoing

Slot to be booked at the next PTLs meeting to present this issue.

 

SonarCloud answers to our questions

Please refer to slides 4-7.

ongoing

We will discuss answers next week.

 

Logging management follow-up

Fabian prepared slides with logging architecture.

Some requirements for logging are in scope of security and some are more general (and outside of the security domain).

Bob did the summary of the logging specs and shared it with SECCOM via the distribution list.

ongoing

We can start with the simple requirement.

The slide draft shall be presented at the SECCOM and then to the Architecture Subcommittee; Amy will share the logging requirements slide deck.

2021-02-22_LoggingRequirementEvents_v9.pptx

 

Continuation of the discussion on Fabian's comment on logging management

Bob shared the link: ONAP Application Logging Specification v1.3 (Frankfurt)#MDC-InvocationID

ongoing

Fabian to present the most recent logging management architecture to the Architecture Subcommittee.

Bob to elaborate the link provided.

 

NEXUS-IQ – SCA analysis outputs

Analysis almost done:

  • List of recommended package versions

  • Some packages are still scanned although planned to be unmaintained (example: policy-engine)

  • PTLs were contacted about failing Jenkins jobs

 

 

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 11th OF MAY'21. 

When do we start pushing a few other items in CII Badging or SonarCloud? To be addressed next week at the SECCOM.

Review of the document (link) provided by Bob.

 

 

 

Recording:

 

SECCOM presentation: