2021-08-17 Security Subcommittee Meeting Notes
- Paweł Pawlak
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 17th of August 2021.
Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| Last TSC meeting |
| ongoing | Work with Seshu and Jess on PoC prepration. |
| Last PTLs meeting | Finally executed, but SECCOM message remains:
| ongoing | to close tickets for projects not participating in Istanbul release - done. |
| Software BOMs, Hardware BOMs - Muddasar | We follow PoC idea - first we take a look at the CI/CD pipeline, collect the data and store it as we want it., who is the consumer in ONAP framework, we will have to select one of three formats discussed during the last session. Can SBOM be created directly from NEXUS? Hardware BOM is slightly different from process perspective. | ongoing | Workflow for the pilot to be prepared by Muddasar. Exchanges with Jess to be progressed - detailed request to be sent by Muddasar. |
| Seccom criteria for the integration tests to pass a release | Just a reminder of the current status:
| ongoing |
|
| Security Risk Assessment and Acceptance – revisit Brian’s statement | To be discussed next week. |
|
|
| CII Badging update - Tony | Progress in the applications. One Jira ticket for weak cryptography issue, 3 in open state for AAF, VID and VNFSDK - but projects not participating in the release - their jiras should be closed. Intern did a lot of analysis on the questions that have common answers and helping to work through various issues with those and provoded a final report. It should improve the scores for various projects. | ongoing | Tony to write 3 Jira tickets for projects to get them added. Tony to close tickets for projects not participating in Istanbul release (i.e. VID). Results to be sent to David McBride. |
| Dependency confusion attacks vs. ONAP SW build process | No updates on the Wiki... Bob will work this week and trying to check filtering rules with Jess for this type of threat. | ongoing | Bob to contact Jess. |
| Logging requirement - update from Friday's meeting | Anything that is not a container is exluded. Container run time level will be part of best practices aspect. Review of the table what to include in the application logging and what to include in the container deamon logging. Log format was discussed. Decision taken on trying to put current 13-14 requirements in the template format, to make it easy for users and projects to adapt to it. Container scope was discussed - K8s part of the container and container only Docker. | ongoing | Long format to be on next Friday's meeting.
OOM feedback to be collected on K8s and Docker coexistance.. Byung to send an e-mail to Krzysztof and Sylvain. |
| Logs consumption | Context delivery for the logs by tagging. Currently we are focusing on logs generation and collection but later will will have to cover processing. APIs availability to bring the data back in to make an action. Lot o data collected in DCAE, decision can be taken outside of ONAP system. | ongoing |
Maggie could provide some inputs. |
| LFN Security Group – focus, outcomes, contributions | Kick-off meeting scheduled on 18th of August.
| ongoing | Default setting for software configuration to be reviewed i.e. TCP window x, autonegotiate network parameters by default. |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 24th OF AUGUST'21. | Software BOMs Logging requirements Security Risk Assessment and Acceptance – revisit Brian’s statement Dependency confusion attacks vs. ONAP SW build process |
|
|
Recording:
SECCOM presentation:
