2021-06-15 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting held on 15 June 2021.

Action items (columns: Jira No / Summary / Description / Status / Solution)

Jira No: (none)
Summary: 2021 LFN Developer & Testing Forum, June 2021 (2021-06-07 to 2021-06-10)
Description: SECCOM proposal: ONAP: SECCOM activities for Istanbul release.
General feedback on the event in the security context:
  • Software inventory as part of the OOM module (host, OS, language widget) – produce the file in JSON format and make it available
  • A way to do point upgrades of subcomponents without a whole ONAP upgrade
  • Service mesh security – info to be shared with Maggie and the NSA team
Status: completed
Solution: Service mesh security – info to be shared with Maggie and the NSA team (Amy)

Jira No: (none)
Summary: Welcome Leah!
Description: Introduction of the new summer intern at AT&T
Status: completed
Solution: (none)

Jira No: (none)
Summary: PTLs meeting
Description: The permissions are unfortunately given per repo, not across all repos at once.
A slot was booked at the last PTLs meeting to ask PTLs for their GitHub IDs, so they would get access to SonarCloud capabilities.
Status: ongoing
Solution: PTLs' GitHub IDs to be collected once the TSC approves the idea.

Jira No: IT-22048
Summary: Direct vs. indirect dependencies with container scans
Description: Feedback from Bengt: move on with the ticket at Sonatype by opening a feature request. Amy opened a feature request (IT-22175); no update yet.
Status: ongoing
Solution: (none)

Jira No: (none)
Summary: Fabian's update – code quality
Description: DMaaP: all security issues closed, still 18 critical; SO fix pending merge, same for service mesh; work on SDC now started.
E-mail from Jess on Wikimedia: the plugin can be deployed, but a Jenkins job is needed every time before the merge. A PoC could be created with the DMaaP project. Discussion with LFN and Jess on Jenkins credentials.
Status: ongoing
Solution: E-mail to be sent to Seshu to try to move the merge forward (Pawel).
Meeting to be organized with Jess and LFN on the possibility of deploying the plugin (Fabian).

Jira No: (none)
Summary: CIS Benchmark feedback – Muddasar
Description: We have pretty much every requirement already documented; what is missing is auditing capabilities (they are turned off by default).
CIS benchmarks provide guidelines and also the commands required. An automated script is available on GitHub for download.
Status: ongoing
Solution: (none)

Jira No: (none)
Summary: Morgan's e-mail
Description: (not recorded)
Status: ongoing
Solution: Book a slot with PTLs on next Monday (Pawel).
Check with the Integration team why we can see 3 instances of Cassandra and whether they own them (Amy).

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 22nd OF JUNE'21. 

Recording:

SECCOM presentation: