2020-04-07 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of April 2020.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
| Zoom security issues | Orange team will be banned next week to use zoom due to security reasons. AT&T is not using zoom for internal business - but ONAP is treated as open source, so zoom is allowed. In Samsung zoom can be used by exception. Zoom for the next 90 days will focus on fixining vulnerabilities and not delivering new features. Amy shared the link to blog with description of zoom vulnerabilities. Bad cryptography is one of the biggest issues as of today for zoom. |
| It is crucial to apply all the updates coming from zoom with vulnerabilities fixes. We continue using our new zoom! |
| Latest feedback received from Integration team | Morgan shared following feedback:
|
|
For the only HTTP port exposed - action Amy – to contact PTL Bharath. - no OJSI ticket assigned as it should have appeared after our scans or component was not responding at the scanning moment. No value to open an additional tickets. MUSIC team should either: remove http, switch to https or ask for a waiver with justification. |
| Virtual ONAP event |
|
|
We should come back to Architecture Subcommittee with a proposal for Service Mesh and once approved we should apprach TSC for a recommendation. |
| PTLs meeting update | Proposal for upgrading vulnerable outdated packages in Guilin: -Guilin Package Updates – each project has its restricted access Wiki where ppt was uploaded with all recommended upgrades, importance of tracking progress, some new PTLs must have an access granted! (action on Kenny?) -SECCOM-265 – each project will have a jira ticket created with link to the Wiki – when is the deadline for Guilin requriements? -JIRA report for PTLs regarding OJSIs outstanding SECCOM issues - shall emulator be whitelisted? Exceptional waiver to be granted. In long term all simulators must be fixed. If ports are not closed or moved to https, in Guilin release project will not get SECCOM waiver (as it can be granted only for 1 release!). |
|
To approach David to check who would open Jira tickets per project for package upgrades.
Communication of this policy should be done to ONAP community. |
| Security teast with Integration team | Amy will present relevant tests to next Integration team meeting on Wednesday. Proposed tests: Integration and Built Tests For Releases |
| To check with OOM team whether Integration or SECCOM should do adding new Jenkins jobs for CIS tests - it should be a part of OOM verify job - those tests should be ran if container changes or even all the time. |
| Service Mesh risk analysis – meeting summary available here | Service mesh requirements from security perspective followed by risk analysis. Review with Chaker |
|
|
| Jonathan finally resigned from PTL's position for AAF | John Franey is occupied with other activities and not only with AAF. |
|
|
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF APRIL'20 |
|
|
|