2021-05-11 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 11th of May 2021.

Jira No

Summary

Description

Status

Solution


Summary: Additional resources from E///

Description: Last week E/// decided to assign 2 additional resources to OOM to finish the service-based duty, service mesh security. Inputs will be expected from SECCOM, Architecture and OOM, plus Maggie, Michael and NSA.

More details to come.

Status: ongoing

Summary: Meeting US GOV OPS 5G Weekly Sync – Amy made SECCOM presentation

Description:

- Interest in service mesh architecture, open standards security models

- Does SonarCloud find hardcoded passwords?

Status: ongoing

Description: Several issues discovered due to SO development. Ongoing exchanges between the Orange developer and the SO PTL in the context of a performance issue.

Status: ongoing

Summary: ONAP CII discussion – last PTL meeting

Description: There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

Questions to be considered by the ONAP community as a special focus in the Istanbul release:

  • application weak cryptography,

  • server side request forgery,

  • XML external entity,

  • cross site scripting

Summary: SonarCloud questions review

Description: Permission problems - Jess to rely on the community.

API documentation link - it was impossible to build the API call Tony needed from the documentation, but Tony used sniffing and succeeded in building the API call he needed.

Status: ongoing

Solution: E-mail to Jessica was written.

Summary: Logging management follow-up

Description: Fabian needs to have an internal F2F meeting by the end of the month. Log management via stdout, normal logs for exploitation (format and information inside) and finally security logs (important for SECCOM).

Logs need to be kept simple.

Bob's feedback on logging requirements and the container matrix. Feedback to be provided in a couple of weeks by Bob.

Status: ongoing

Solution: Service Based Mesh security architecture to be shared via the SECCOM distribution list by end of Monday.

Summary: NEXUS-IQ – SCA analysis outputs

Description: Analysis almost completed and tickets are created. For the Swagger related update we have no newer recommended version.

Status: ongoing

Summary: Logging as part of DCAE

Description: Could logging be just another source of information for DCAE? DCAE is analytic data. DCAE is not a common ONAP component. OOM considers logging as a common component.

Status: ongoing

Summary: Direct vs. indirect dependencies with container scans

Description: Open a ticket at Sonatype (IT-22048) for direct vs. indirect dependencies with container scans.

Status: ongoing

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 18th OF MAY'21.

Recording:


SECCOM presentation: