2023-06-27 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 20th of June 2023.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution



ONAP disaggregation impact on SECCOM activities

Disaggregation is getting its momentum.

5-10% of projects time to be focussed on integration efforts.

Aarna used EMCO to deploy slices, the same could be done with ONAP.

ONAP is still handling high level orchestration if it comes to CNF orchestration it is delegated to Nephio. EMCO is talking about connecting to Nephio.

We are looking at dev side of the security which is half part picture.

Imact analysis is needed for ONAP disaggregation with focus on security, testing etc.

SECCOM recommendations: (June 27)

  • Create catalog of APIs for each ONAP project

  • Best practices and global requirements will still apply to each project

  • Keep SECCOM as a resource

  • ONAP becomes a service based on integrations

  • Definition of unmaintained project may have to be modified

  • TSC may have to decide on the bindings and projects

  • Need a task force for disaggregation

  • Action Item: Create a best practice for documenting APIs for the Montreal release – Muddasar will talk to Thomak Kulick







LF IT CI/CD security review

Muddasar is not getting support for the ticket opened 1 month ago:

 IT-25429 Review of ONAP CI Threat Model and Security Controls

Matt confirmed he will setup a meeting with @Muddasar Ahmed  to better understand what is expected







TAC update

security presentation by @Amy Zwarico   2023-06-21-TAC-LfnProjectSecurity.pptx







CPS Road to gold 

CPS PoC under preparation – Jess is configuring 2FA for committers - done.

OJSI list communication with Jess -some members should be removed/added



Amy to check with Jess on updated list for OJSI distribution list.



5 Years security questionnaire for Policy project

-https://lf-onap.atlassian.net/wiki/display/DW/PF+-+ONAP+Security+Review+Questionnaire

-Confirmation from Policy project received about review completion.

ongoing

Tony to share initial feedback with Policy team. Next discussion point is 18th of July.



Latest weekly scans – still looking for owner of zk-tunnel-svc

Bob reviewed gerrit logs.







PTL meeting (June 26th)

discussion: pairwise testing may not be needed

Daily integration tests

  • root pods: UUI will add image to exception list; add dcae-snmptrap-collector to exception list

  • node port: dcae-snmptrap-collector must run as node port; @Andreas Geißler to see how to suppress finding

  • versions: @Andreas Geißler to fix problem with test and rerun the weekly test

July 3rd meeting cancelled

OpenSSF badging questionnaires updated to reflect status of unmaintained projects







TSC meeting (June 15th)

Update on new Global Requirement: Use Native Service Mesh Authentication and Authorization for Intra-ONAP Communication

  • Meeting with Infosys team still to be organized on Wednesday June 21st.

Gerrit upgrade re-planned by Kevin - after TSC meeting Andreas will let Kevin know when upgrade could be provided

Kevin to prepare info on which version and what are the drivers for an upgrade 



Meeting with Infosys done. They will do the analysis. Access to environment will be crucial.

Jira ticket for the new Global Requirement to be issued.



Badging Dashboard

Projects in unmaintained status still have active badging questionnaire

David was asked to help in marking quesionnaire as unmaintained, Tony organized meeting with David to show what needs to be done.

Changes are made.







4th JULY SECCOM CANCELLED

SECCOM MEETING CALL WILL BE HELD ON 11th JUNE 2023. 













Recordings: 

audio1131275588.m4a

video1131275588.mp4

SECCOM presentation:

2023-06-27 ONAP Security Meeting - AgendaAndMinutes.pptx