2022-04-12 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 12th of April 2022.

Jira No | Summary | Description | Status | Solution



LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

started


SECCOM topics proposal:

  • SECCOM retrospectives:

    • Log4j fix implementation in Istanbul Maintenance Release

    • Jakarta security status update

  • Kohn security goals

    • Security PoCs:

      • logging req

      • code quality 

      • service mesh

    • SBOM enablement and maintenance, and packaging

    • Waiver policy update

  • Unmaintained projects joint meeting with Thomas and Andreas, Chaker and Byung.

  • On the road to gold badge - Tony and Toine

  • others? Operator perspective on ONAP security - Brian?


Synch with OOM

1. SDC-3954

2. SDNC-1692

3. OOM-2957

  • fix root_pods in Jakarta release:

    1. OOM-2958

    2. INT-2104


Assessment model

Muddasar presented a proposal for a 5Y assessment model:

The assessment should cover an ONAP project as a whole. The report should be actionable - the rule for moving from one level to the next is defined. It should also include process or tool improvement recommendations.

We could use the SAMM tool, together with some of our questions and some of theirs, to have a quick and easy assessment. A risk/threat model is to be used.

Assessment models are usually based on interviews.

started


Issue raised with SECCOM by Kohei - About Critical Information Leak

A ticket was opened to SDNC: https://jira.onap.org/browse/SDNC-1691. The log file was removed from the Wiki.

started

Confirmation e-mail to be sent to Kohei by Amy.


Synch with Architecture Subcommittee

- LF Security conformance - Byung

Amy saw the presentation by the LF CEO.

- Unmaintained projects proposals - Byung

We focus on Portal first and then on AAF.

started

Byung to send an e-mail to Kenny to get LFX Security presentation for SECCOM.


Code quality

Fabian provided a presentation:

In the "clean as you code" approach, developers shall be motivated.

Quality gate conditions shall be generalized.

Usage of SonarLint allows for faster (on-the-fly) detection compared to SonarCloud.

For security hotspots, we need to have a reviewer in this area who would take the action (e.g. acknowledge). Jiras were set up in a special way.

The commercial tool provides a way to fix the issue.

ongoing


CPS gold badge 

2 tickets created at LFN IT:

  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP

  • IT-23829 Hardening LFN hosted ONAP project web sites

Bruno mentioned:

  • Security review

  • dynamic tool analysis

  • Runtime assertion

started

E-mail to be shared with Bruno on tickets and links - done.


SECCOM MEETING CALL WILL BE HELD ON 19th OF April'22. 


Recording: 


SECCOM presentation: