2021-01-19 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 19th of January 2021.

Each item below is recorded with the columns of the SECCOM tracking table: Jira No, Summary, Description, Status, Solution.

Jira No:
  • REQ-437: COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.x) (In Progress)
  • REQ-438: COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11) (In Progress)
Summary: SECCOM global requirements
Description: Updates of associated Jira epics and stories for REQ-437 (Python 2 -> 3) and REQ-438 (Java 8 -> 11)
Status: ongoing
Solution: Statuses changed into In progress

Jira No:
  • REQ-442: COMPLETION OF HELM MIGRATION (v2 → v3) (Done)
  • REQ-443: CONTINUATION OF BEST PRACTICES BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL (In Progress)
  • REQ-439: CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES (In Progress)
Summary: SECCOM best practices
Description: Updates of associated Jira epics and stories:
  • HELMv3
  • CII Badging
  • Packages upgrades
Status: ongoing
Solution: Statuses changed into In progress

Summary: LFN Developer & Testing Forum - Feb 1 - 4, 2021.
Description: SECCOM proposals:
  • Global requirements and DCAE testimony on Java migration with packages upgrades – Focus on most commonly used packages
  • CII Badging – 3 items: additional verification test for crypto weakness (integration team to be addressed), crypto credentials, secure design
  • Service Mesh update (TBC with Krzysztof)?
Status: done

Summary: Synch with DCAE
Description: Discussion with Michal and commitment from his side to support DCAE
  • DCAE jiras review:
    Python: DCAEGEN2-2494, DCAEGEN2-2427
    Java: DCAEGEN2-2428, DCAEGEN2-2381
Status: ongoing

Summary: ONAP and ODL synch
Description: ODL prepares an ONAP distribution for each of their releases. Dan will be basing our Honolulu release on their Aluminium release. Right now he is working on porting to the current Aluminium service release (SR1). There is another service release (SR2) that should be available before our code freeze, so Dan anticipates that we would upgrade to SR2 when it is available.
Status: ongoing
Solution: E-mail sent to Dan and feedback received.

Summary: Sonarcloud crypto takeaways
Description: Weak crypto report from Sonarcloud. Jiras to be opened. How to get the report through the API is still to be figured out. 5 categories of findings: certificate validation, host name of certificate, using secure mode and padding, using weak protocols, encoding passwords as plain text.
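The five Sonarcloud categories listed above correspond to concrete configuration checks that the affected projects will have to apply when the Jiras are worked. The Python below is an added example for these minutes, not code from any ONAP component or from Sonar: it audits an ssl.SSLContext for three of the categories (certificate validation, host name of certificate, weak protocols) and shows salted PBKDF2 storage in place of plain-text or merely encoded passwords for the fifth. The "secure mode and padding" category concerns symmetric cipher modes and needs a third-party crypto library, so it is left out. The weak and hardened contexts, the audit function names and the sample password are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One weak-crypto finding, labelled with the Sonarcloud category it falls under."""
    category: str
    detail: str


def audit_tls_context(ctx: ssl.SSLContext) -> List[Finding]:
    """Check a client-side SSLContext against three of the report categories.

    Sonar flags these where the context is configured in source; here the same
    conditions are checked on the live object so a unit test can assert on them.
    """
    findings: List[Finding] = []
    # Category: certificate validation. Anything other than CERT_REQUIRED lets the
    # client accept a peer certificate that was never validated against a trust store.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(Finding("certificate validation",
                                f"verify_mode is {ctx.verify_mode.name}, expected CERT_REQUIRED"))
    # Category: host name of certificate. A valid chain issued for the wrong host
    # still passes when check_hostname is off.
    if not ctx.check_hostname:
        findings.append(Finding("host name of certificate", "check_hostname is disabled"))
    # Category: weak protocols. MINIMUM_SUPPORTED defers to whatever the OpenSSL build
    # permits, which may include TLS 1.0/1.1; require an explicit floor of TLS 1.2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(Finding("weak protocols",
                                f"minimum_version is {ctx.minimum_version.name}, expected TLSv1_2 or higher"))
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: the pattern the Sonar report flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Constructed 'after' configuration that the audit passes."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Category: encoding passwords as plain text. Base64 or a fast unsalted hash is not
# protection; store a salted, iterated PBKDF2 digest and compare it in constant time.
PBKDF2_ITERATIONS = 600_000
PBKDF2_PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$digest_b64."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([PBKDF2_PREFIX, str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; reject anything that is not a PBKDF2 record."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                    # malformed or plain-text record: never accept it
    if scheme != PBKDF2_PREFIX:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, [f.category for f in audit_tls_context(ctx)])
    record = hash_password("constructed-sample-secret")
    print(record.split("$")[0], verify_password("constructed-sample-secret", record))
```

The same three context checks can be turned into a pre-merge test in a project's own test suite, so that a regression back to CERT_NONE or a disabled hostname check fails the build rather than waiting for the next Sonarcloud scan.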


Summary: Logs management – what to do next?

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 26th OF JANUARY'21.

Recording:

SECCOM presentation: