2022-04-19 Security Subcommittee Meeting Notes

Please find below the minutes of meeting and the recording for the SECCOM meeting held on 19 April 2022.

Table columns: Jira No | Summary | Description | Status | Solution


Summary: LFN Developer & Testing Forum
Description: Event June 13th-16th, Porto, Portugal. Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/
Status: started


Summary: SECCOM topics proposal
Description:
  • SECCOM retrospectives:
    • Log4j fix implementation in Istanbul Maintenance Release
    • Jakarta security status update
  • Kohn security goals
    • Security PoCs:
      • logging req
      • code quality
      • service mesh
    • SBOM enablement and maintenance, and packaging
    • Waiver policy update
  • Unmaintained projects joint meeting with Thomas and Andreas, Chaker and Byung.
  • On the road to gold badge - Tony and Toine
  • others? Operator perspective on ONAP security - Brian? Fabian?
Status: started
Solution: Topic proposals to be submitted. Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration. Bug in SBOM software - ticket was opened to LFN IT by Vijay.


Summary: ONAP unmaintained and deprecated functions
Description: Amy presented the process for all possible use cases with execution and planning phases. Slide deck with modifications included.
Status: started
Solution: Modifications to be provided by Amy based on the discussion held - done


Summary: Logging update
Description: Majority of the fields implemented in CPS. Two topics still to be addressed:
  • ordering of the fields
  • format in which the fields would be output
Status: ongoing
Solution: Synch with Byung on architecture.


Summary: Synch with OOM
Description:
  1. SDC-3954 - open
  2. SDNC-1692 - open
  3. OOM-2957 - open
  • fix root_pods in Jakarta release:
    1. OOM-2958 - open
    2. INT-2104 - open
Status: ongoing
Solution: Michał to do an additional run to get a status update. As none of the tickets have progressed, the issue is to be escalated to the TSC.


Summary: Kohn SECCOM Global Requirements
Description:
  - [REQ-437 -> REQ-800] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)
  - [REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)
  - [REQ-439 -> REQ-863] -> REQ-1066 -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES
  - [REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL
Status: started
Solution: Logging requirement - target a full PoC for Kohn and then a Global Requirement for the London release.


Summary: 5Y assessment
Description: Dedicated teams in projects for security. We have security tests at the Integration level but usually no delegated security expert.
Status: ongoing
Solution: Hardening validation process might not exist at all for some ONAP projects.


SECCOM MEETING CALL WILL BE HELD ON 26th OF APRIL 2022.


Recording: 


SECCOM presentation: