2021-05-18 Security Subcommittee Meeting Notes

2021 LFN Developer & Testing Forum June 2021-06-07 - 2021-06-10 

Register to  LFN Developer & Testing Forum June

Proposals:  2021 LFN Developer & Testing Forum June 

SECCOM proposal: ONAP: SECCOM activities for Istanbul release

ongoing

SonarCloud questions review

Permission problems - Jess to rely on community - e-mail was sent to Jess, waiting for her feedback.

ongoing

Jess to contact with Alex.

ONAP CII discussion – last PTL meeting

Questions to be considered by ONAP community as special focus in Instanbul release presented at the last PTLs meeting:

• application weak cryptography,

• server side request forgery,

• XML external entity,

• cross site scripting

ongoing

NEXUS-IQ – SCA analysis done

Jira tickets (tasks) were created per project for Instanbul release.

Ongoing work on some projects.

PTLs were remainded yesterday to start working on packages upgrades.

ongoing

Direct vs. indirect dependencies with container scans

Amy opened a ticket at Sonatype (IT-22048) for direct vs. indirect dependencies with container scans.

ongoing

Logging management follow-up

A slide deck draft "ONAP Next Generation Architecture & Logging Architecture, Design and Roadmap"  was presented (link below) by Byung-Woo Jun from Architecture Subcommittee. Work with OOM team (Sylvain and Krzysztof).

ElasticSearch - licensing problems?

Limitations in Keycloak - 200 tenants.

ongoing

Logging requirements analyssi update by Bob

Bob's Intro

NSA - Jess intro

Looing at the logging requirements.

https://attack.mitre.org/ → enterprise metrix, container metrix. and telecom matrix: https://web.tresorit.com/l/lN841#uqbRHdXCFzVVX8obs1OEUw&viewer=1yoh8gKZ0tA9WqU9asFUHKl2Jp024UTo

ongoing

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 25th OF MAY'21.