2021-08-10 Security Subcommittee Meeting Notes
- Paweł Pawlak
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of August 2021.
Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| Last TSC meeting |
| ongoing |
|
| Last PTLs meeting | not executed, but SECCOM message remains: -Status update for Global Requirement (https://jira.onap.org/browse/REQ-863): -Thank you all the project taking part of recommended packages upgrades. -All other projects not compliant with this requirement will have issues with SECCOM acceptance to be part of the Istanbul release. | ongoing | to propose the same message for the next PTLs meeting. |
| Software BOMs, Hardware BOMs - Muddasar | Options to be discussed next week i.e. the format to use (3 formats discussed last time), authorship (with company affiliation for accountability). First software side to be moved forward and then to be followed by hardware BOM. PoC proposal by Fabian - select some software module and define what is the atomic level, create BOM. Individual code contribution should be tracked back to individual name. | ongoing | To be decided at the next SECCOM.
Scope of the PoC to be proposed. Muddasar to be added to e-mail exchange with Bob and Jess. |
| Security Event Generation Requirements review (Byung/Chaker/Fabian/Amy): | ONAP Security Event Management Major focus on generation and collection. VES events are generated by service containers. We are focussed on platform containers logs generation. Apache2 Web server has well defined message logging formats based on set of attributes. Retention period is very operator specific. Let's write logs to stdout and stderr. | ongoing | Log file metadata part of the component to be elaborated. |
| Security Risk Assessment and Acceptance – revisit Brian’s statement | To be discussed next week. |
|
|
| CII Badging update - Tony | To be discussed next week. |
|
|
| Dependency confusion attacks vs. ONAP SW build process | To be discussed next week. | ongoing | Wiki page to be check by Samuli. |
| Code quality and SonarCloud – achievements deck prepared by Fabian to be presented to TSC on August 12th. | Slot is booked and slides uploaded. Fabian is ready to present the deck to TSC. | ongoing |
|
| SECCOM-269 is the epic for tracking security integration tests. It is blocked by the following project jiras. | ongoing | Some more waivers might be submitted. | |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th OF AUGUST'21. | Software BOMs Logging requirements Security Risk Assessment and Acceptance – revisit Brian’s statement Dependency confusion attacks vs. ONAP SW build process |
|
|
Recording:
SECCOM presentation:
