2021-08-03 Security Subcommittee Meeting Notes

Please find below the minutes and the recording of the SECCOM meeting held on 3rd August 2021.

The action items below follow the columns of the original table (Jira No, Summary, Description, Status, Solution); no Jira number was recorded for any item.

Summary: Last TSC meeting
Description: Test criteria for Istanbul Release – deck prepared by Eric and Andreas.
Status: ongoing
Solution: (none recorded)

Summary: Last PTLs meeting
Description:
  https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-07/12_13-15/
  ONAP Security Exception Process:
  • Security related integration issues will be collected under an Epic filed in the INT Jira project.
  • For Istanbul, the Tern results in the integration test will be informational and not gating. Need to consult with the TSC to make the results blocking for future releases.
  • Exception filing must be completed by M3, using the protocol described in the link above.
Status: ongoing
Solution: AWX and CDS to be identified as part of an ONAP project – done, they are part of CCSDK.

Summary: ESR Waiver
Description: Most probably ESR will be excluded from the ONAP Istanbul release.
Status: ongoing
Solution: Final check to be done by Byung.

Summary: Updated SECCOM criteria for the integration tests to pass a release
Description:
  • Add Python and Java version checks
  • Achieve 100% level with Tern treated as informative (= not blocking and not decreasing the 100% security test score)
  • Follow the exception process if relevant
Status: ongoing
Solution: To be presented at the TSC meeting.

Summary: Software BOMs, Hardware BOMs – Muddasar
Description: Feedback on Muddasar's presentation is welcome. Muddasar is thinking about how the data can be collected, where it should be stored and how it could be shared. A presentation might be given by Muddasar next week.
Status: ongoing
Solution: Open question – what is the query mechanism? (Presentation of a manifest BOM file during the onboarding process, or querying the EM or VIM from ONAP and getting that information from the VIMs.)

Summary: Dependency confusion attacks vs. ONAP SW build process
Description: Samuli sent an e-mail to the SECCOM distribution list, but as no specific feedback has been received so far, he will send it to ONAP discuss. Interesting framework by Google: SLSA – Supply-chain Levels for Software Artifacts, https://slsa.dev/. Related wiki pages:
  https://lf-onap.atlassian.net/wiki/display/DW/Developing+ONAP
  https://lf-onap.atlassian.net/wiki/display/DW/ONAP+Security+Event+Management+-+DRAFT
  Bob created a "Dependency Security" wiki snippet for Samuli's and his investigation on this topic.
Status: ongoing
Solution: Jess to be contacted about the CI chain and Nexus regarding Bob's question. The term "Services" to be modified into "Services (xNF, xApps)". Plans to be presented to the Architecture Subcommittee.

Summary: Update from LFN (IT-22333 by Pawel, and IT-22334 by Thierry)
Description:
  • Waiting for Thierry's return
Status: ongoing
Solution: (none recorded)

Summary: Code quality and SonarCloud
Description: Achievements to be presented to the TSC. Risk Acceptance statement by the TSC: there is a resource shortage to address security concerns for the % value of code coverage (a minimum of 55% in the past).
Status: ongoing
Solution: Pawel and Fabian to present progress and achievements in this domain to the TSC on August 12th.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF AUGUST '21. Planned topics:

SBOM/HBOM continuation.

Revisit Brian's topic on Security Risk Assessment and Acceptance.
