2021-09-28 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 28th of September 2021.

Table columns: Jira No | Summary | Description | Status | Solution
Summary: TSC update
Description:
  • SECCOM contribution to ONAP quality increase appreciated!!!
  • THANK YOU for all the contributions.
Status: ongoing

Jira No: OOM-2734: Support for Helm registry within ONAP (Closed)
Summary: DCAE update
Description:
  • Requirement for DCAE to support a registry for Helm charts. Chartmuseum is maintained by the Chart team.
  • 3 types of authentication supported.
  • Proposal is to restrict the client list: once clients have user names and passwords, only those that need to update/delete charts get write access, which considerably limits access to just those particular clients. → A separate sidecar could handle client authentication.
  • A firewall (FW) to be used to limit read access strictly to ONAP applications.
  • mTLS could be a solution for read access; Tony passed this idea to the right people. mTLS would have to be supported on both sides (DCAE subproject and Chartmuseum).
  • Would a service mesh simplify authentication?
  • More readers expected in the future for things in the repository.
Status: ongoing
Solution: mTLS to be further elaborated

Summary: Jakarta proposed dates
Description: Global Requirements/Best Practice deadline for submission: 2nd of December by SECCOM:
  • [REQ-xxx] SECURITY LOGS MANAGEMENT
  • [REQ-xxx] Feature intake template
  • [REQ-xxx] Using basic image from OOM
  • [REQ-xxx] Software BOMs
Status: ongoing

Summary: Last PTL meeting
Description:
  • Portal and VID dependencies (i.e., portal, portal-sdk & vid repos): Portal -> SDC UI (user authentication) -> other projects are dependent on SDC (e.g., CLAMP GUI).
  • VID to be removed, portal SDK as well.
  • Unmaintained projects shall have their repos excluded from scans.
  • EoL/EoS nomenclature could be used; open source communities do not maintain older versions but encourage use of the latest and greatest.
Status: ongoing

Summary: SCA automation efforts
Description: We are exploring automation capabilities for moving data from Nexus-IQ to the wiki.
Status: started

Summary: New best practice for Jakarta release – new requirement to be opened for security logging
Description:
  • Set of questions prepared by Bob, to be addressed.
  • Sidecar for logging: the TSC is still to decide who is going to maintain it.
Status: ongoing
Solution: PTL meeting to be used for collecting info on logging capabilities per project.

Summary: Feature intake template
Description: Muddasar did not find proof of tracking the feature after its approval.
Status: ongoing
Solution:
  • Reach out to PTLs on what could be the best way to tackle the Jira template.
  • Muddasar will propose an initial template; contributions are welcome.
  • Muddasar will also reach out to Alla as a follow-up; feedback from testers might also be valuable.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 5th OF OCTOBER'21. 

  • Angular experience on dependencies (Amy’s team)

  • CADI and AAF replacement (Byung)

Recording: 

SECCOM presentation: