2022-06-07 Security Subcommittee Meeting Notes

Owned by Paweł Pawlak
Last updated: Jun 13, 2022
2 min read

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of June 2022.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

Synch with OOM

Security dashboard at 60%: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-06/07_07-48/  and

Versions reporting at 57%: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-05/20_21-56/  latest run by Michal for the weekend

ongoing

 

 

Python upgrades

DCAE removed Filebeat containers (they were running Python 2).

 

 

 

ONAP Kohn recommended versions

https://lf-onap.atlassian.net/wiki/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

 

 

 

LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/

started

 

 

 

  • SECCOM topics proposal:

    • SECCOM retrospectives:

      • Log4j fix implementation in Istanbul Maintenance Release

      • Jakarta security status update

    • Kohn security goals:

      • Global Requirements and Best Practices

      • Security PoCs:

      • logging req

      • code quality

      • service mesh

    • SBOM enablement and maintenance, and packaging

    • Waiver policy update

    • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.

    • On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony.

    • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?

    • Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.

started

Remaining topic proposals to be submitted.

Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration.

Fabian to check if could contribute on how qualify software to be deployed, what due diligence was performed. 

Follow-up with Kenny to be done.

 

 

5G Superblueprint involvement

Security Interest Group for security as a code. Concept mandatory to support and optional to use. Let’s start with NIST document: https://csrc.nist.gov/publications/detail/sp/1800-33/draft

 

Muddasar to share template and keep SECCOM posted.

 

Whitesource (mend.io) container scans

New ticket submitted to LFN IT: IT-24112

 

 

 

Technical debt

Muddasar reviewed jira tickets of DCAE and AAI.

 

 

 

Service Mesh

With Service Mesh AAF and MSB could be disabled.

 

Pawel to reach out Toine.

 

TSC update

Service mesh PoC – Andreas shared the status, HTTPs to be transfromed to either HTTP or gRPC within the container, proxy takes care of secure communication. Jakarta sign-off pushed to 9th of June, M2 date still to be confirmed by TSC.

 

 

 

Conditional check for HTTP and Service Mesh

 

 

Pawel to check with Michal.

 

SBOM

Jess to reach out LFN IT developer later this week. SBOM is the fundamental gear. Ranny is already in the loop. We need to advocate on SBOM

ongoing

Escalation with LFN Governing Board? Ranny to be contacted?

Cost to be retrieved from Jess by Muddasar.

 

Logging PoC

https://gerrit.nordix.org/c/onap/oom/+/13370

 

 

 

SECCOM MEETING CALL WILL BE HELD ON 21st OF June'22. 

 

 

 

 

 

 

Recording: 

 

SECCOM presentation: