2023-08-29 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 29th of August 2023.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | 5 Years security questionnaire for Policy project | Review of the Policy questionnaire with the Policy representative (meetings: PF - ONAP Security Review Questionnaire - Developer Wiki - Confluence). Started 2 weeks ago; last week work continued. Adheli invited for next week. | Policy framework began the review of the 5yr questionnaire and will complete the review at the 22 August meeting. @Adheli Tavares will attend the 2023/09/05 meeting to complete the review. | |
| | Oparent | Update from the 2023-08-21 PTL meeting: CPS (@Toine Siebelink) will test building CPS without oparent/pom.xml (results 2023-10-01); Integration (@Marek Szwałkiewicz) will perform a test build with the profiles commented out. 2023-08-15 SECCOM notes: only 2 PTLs responded to Amy's e-mail; no objections to Oparent retirement, but no volunteer to keep it up to date; pom.xml contains more than cross-project common package dependencies, so Oparent is more than just standardizing packages. | Recommendation: retain oparent/pom.xml; make Andreas Geissler a committer and ask the Integration or OOM team to update the file per release. Proposal: Byung will discuss with Andreas and the OOM team and report at the 8/22 SECCOM (pushed to the 8/29 SECCOM meeting); Amy will contact @Liam Fallon and Pam for history. | |
| | Release Plan | Byung shared the proposal and we discussed it from the SECCOM requirements perspective. Special focus on package upgrades for the marketing release and the need to keep SECCOM in the loop: if a project is going to run sub-releases, SECCOM is informed and can share an update with the latest package upgrade recommendations coming from Nexus-IQ. Minor releases must be covered as well. We might need a new tool for SCA that provides more open access for the project teams. In case projects do not follow Global Requirements, this information must be transparently presented in the Release Notes. | | |
| | No PTL for AAI, DCAE, OOF | Andreas Geissler and Thomas Kulik made committers; they will do the work necessary for the projects to participate in the release. Will AAI, DCAE, OOF have security vulnerabilities fixed? | Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization. Muddasar: someone needs to take the backlog management role. Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality (all code will be secure). Muddasar & Amy: bring the mandate for code quality to LFN TAC 2023/8/16. | |
| | ONAP Streamlining | Role of SECCOM; prioritization of vulnerability fixes; prioritization of security enhancements. Proposal: ONAP projects work with the latest version of common components such as Istio, KeyCloak, Kafka. ONAP Streamlining - The Process (Link). Deck shared with TSC: ONAP - Streamlining the process Report-2023-8-3-v2.pptx (live.com) | | |
| | TSC meeting (August 24th) | ONAP streamlining; AAF issue | | |
| | LFN-TAC (August 16th) | Review of security best practice recommendations for LFN projects: Security Best Practices | | |
| | NEXT SECCOM MEETING CALL WILL BE HELD ON 5th of September 2023. | | | |
Recordings:
SECCOM presentation:
2023-08-29 ONAP Security Meeting - AgendaAndMinutes.pptx