2021-08-24 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 24th of August 2021.

Jira No | Summary | Description | Status | Solution

Last TSC meeting

  • M3: code freeze (except for bugs) – 26/8

  • M4: containers delivered

  • vnfsdk-ves-agent is unsupported

  • LFN Security Forum kicked off on 18/8 – knowledge sharing forum

  • ONESummit (11-12 October)

Status: ongoing

Solution: Work with Seshu and Jess on PoC preparation.



Last PTLs meeting

Finally executed, but the SECCOM message remains:

  • Confirmed that vnfsdk-ves-agent is not used

Status: ongoing

Solution: To close tickets for projects not participating in the Istanbul release - done.



Software BOMs, Hardware BOMs - Muddasar

We follow the PoC idea: first we take a look at the CI/CD pipeline, collect the data and store it as we want it. Who is the consumer in the ONAP framework? We will have to select one of the three formats discussed during the last session.

Can SBOM be created directly from NEXUS?

Hardware BOM is slightly different from process perspective.

Status: ongoing

Solution: Workflow for the pilot to be prepared by Muddasar.

Exchanges with Jess to be progressed - detailed request to be sent by Muddasar.

Meeting with Jessica 26/8 to review integration tools.



Seccom criteria for the integration tests to pass a release

Just a reminder of the current status:

  • Current level of 40%

  • Achieve 100% level with TERN treated as informative

  • Follow exception process if relevant

Status: ongoing


Security Risk Assessment and Acceptance – revisit Brian’s statement

To be discussed next week.







CII Badging update - Tony

Progress in the applications.

Review results at the 31 August meeting.

Status: ongoing





Dependency confusion attacks vs. ONAP SW build process

No updates on the Wiki...

Bob will work on this during the week and try to check filtering rules with Jess for this type of threat.

Status: ongoing

Solution: Bob to contact Jess.



Logging requirement - update from Friday's meeting

Long Format overview by @Robert Heinemann

  • Overview of the updated log event and metadata requirements

  • Details here

  • Log level, log verbosity, event severity

Status: ongoing

Solution: Long format to be discussed at next Friday's meeting.

Meetings held Friday at 4PM CET.

OOM feedback to be collected on K8s and Docker coexistence. Byung to send an e-mail to Krzysztof and Sylvain.



Logs consumption

Context delivery for the logs by tagging. Currently we are focusing on log generation and collection, but later we will have to cover processing. API availability to bring the data back in so that an action can be taken.

Lots of data is collected in DCAE; decisions can be taken outside of the ONAP system.

Status: ongoing

Solution: Maggie could provide some inputs.



LFN Security Group – focus, outcomes, contributions

Kick-off meeting scheduled on 18th of August.

  • ONAP story and security requirements for normalization

  • HTTPS enablement on interfaces (service to service), but sidecar to service container is HTTP based (reference: ONAP Next Generation Security & Logging Architecture)

    [Screenshot: 2021-08-18 171321 - ONAP communication.jpg]

  • Encrypted protocols

  • Events logged by ONAP itself, so the security health of ONAP could be monitored by the operator

  • @Robert Heinemann will contribute the ONAP vulnerability management process

Status: ongoing

Solution: Default settings for software configuration to be reviewed, e.g. TCP window x, autonegotiate network parameters by default.



OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 31st OF AUGUST'21.

  • M3 update

  • Software BOMs

  • Logging requirements

  • Security Risk Assessment and Acceptance – revisit Brian’s statement

  • Dependency confusion attacks vs. ONAP SW build process







Recording:

unavailable

SECCOM presentation:

2021-08-24 ONAP Security Meeting - AgendaAndMinutes.pptx