2021-07-20 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 20th of July 2021.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | Feedback on Byung's AAF Service Mesh proposal - Al Laing | NSA is looking for risk-based authorization; we are not there yet in ONAP, we focus on RBAC first. In the case of closed-loop automation, the role of risk-based authorization is a policy development mechanism that does the pre-analysis of what the risk is for an individual; the other part is enforcement. In SBA (Service Based Architecture) with a service mesh we have policy enforcement. Use cases: slice management and the 5G superblueprint. We have an agreement on a new service mesh based architecture. | ongoing | We keep it in the idea backlog for the next few months. |
| | Software BOMs, Hardware BOMs - Muddasar | HW BOMs: station status inventory. Requirements for the deployment to be defined (PNF or VNF; is the HW supported at the station?). | ongoing | Muddasar to prepare a draft proposal within the next 1 or 2 weeks. |
| | Next steps for Infrastructure Logging Requirements – Bob; separate calls (Amy) to work through the logging requirements for ONAP components | Holistic view of the security logging lifecycle. First meeting held last week to discuss logging requirements. Security events have to be logged, but there are other types of events that have to be managed as well. Notes are collected here: ONAP Security Event Management. We know where the logs can be generated. The key point is to define where the logs should be put together and in what format. What are the use cases in ONAP for data consumption? Difference between orchestration logging and xNF logging. | ongoing | To be further discussed at the Architecture Subcommittee. |
| | Update from LFN | Ticket statuses to be checked, probably no update. IT-22333 by Pawel, IT-22334 by Thierry. Info from Jess: Working on IT-22334 first. It might seem that modifications to the current Jenkins template might be all we need for this solution, but I want to leave this open in case it is not. | ongoing | Jessica was asked for a status update. |
| | Seccom criteria for the integration tests to pass a release – Eric | https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-07/15_02-27/ For the security testing we score 40% as of today: nonssl_endpoints (NOK), unlimited_pods (NOK). We need to define which % of security tests is OK to release. False positives are defined in the script. The list must be enriched with Java and Python version checks. We should have a 100% objective result. How to deal with unmaintained? A project would provide an exception proposal that would be further validated. The case of ESR-type components should be decided by the next release at the very latest. | ongoing | To be finally agreed at the next SECCOM: target % value per release. |
| | CII Badging update - Tony | A few (3 or 4) projects should add ONAP wording in their description, as they do not show up in the CII Badging dashboard. | ongoing | Slot to be booked at the next PTLs meeting. |

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 26th OF JULY '21.
Recording:
SECCOM presentation: