2021-09-14 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 14th of September 2021.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
M4 update | Java and Python - waivers issued after PTL's meeting. Merges issued by SECCOM. Strong improvement from Honolulu release. To create best practice for standard integration images, so we could get rid of old Python and Java. Security scans 100% → 57% - to be further investigated. https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-09/14_13-40/ The gaps on the restricted Wiki shall be covered by respective PTLs. | ongoing | Plan for Jakarta for progress to be requested from waivers. Amy will create slides for that in the next 2 weeks. To check with Morgn the current security scans and potential actions to improve.
| |
| Software BOMs | Nexus-IQ server was upgraded to the latest version - now has some capability to extract Software BOMs but some information is still missing. | ongoing | Muddasar to research on how the missing information can be collected (plugin to be used?). |
| Logging requirements | Final set of metadata fields, which ones would be provided by logging service and which by developers. PTLs invited for Friday’s meetings. Welcome Sean who is helping in prototyping for SW BOMs. | ongoing |
|
| Dependency confusion attacks vs. ONAP SW build process | We put this item into backlog - we have no resources to lead it. | on hold |
|
| Security Risk Assessment and Acceptance | Guide for threat modeling for developers: https://martinfowler.com/articles/agile-threat-modelling.html We would like to get some help from the guys who are doing the actual development. Excel file shared with Brian, Amy shared also framework info on two references for threat modeling. 1.ISO 27005 : https://www.iso.org/standard/75281.html 2.NIST Special Publication 800-154 2 Guide to Data-Centric System Threat Modeling https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf | ongoing | Do we have a data map to show elements moving through the system? |
| Last PTLs meeting | Good progress on fulfilling global requirements from SECCOM. Fabian presented the status of code quality
| ongoing | Pawel to create the page. ONAP code quality improvement Fabian to create a Jira ticket to LFN IT: https://jira.linuxfoundation.org/plugins/servlet/theme/portals |
| Feature intake template | Muddasar was introduced to Alla who is leading ONAP Requirements Subcommittee to be contacted to provide details. We need to have a standard template for the feature to be accepted (visibility, security and usability sections should be there). | ongoing | To create a Jira ticket template. To be checked if the feature specific information is further tracked. |
| Last TSC meeting |
| ongoing |
|
| Jakarta SECCOM requirements | Apart from current global requirements we might want to follow any other requirements:
| started | New requirement to be created for security logging but PoC with CPS or best practice for Jakarta. This item to be discussed with Byung on Friday's meeting. |
|
| How info.yaml is generated? | ongoing | This item to be discussed with PTLs on Friday's meeting. |
| CADI and AAF replacement | DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee. | ongoing | Byung to present update for the next SECCOM |
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 21st OF SEPTEMBER'21. |
|
|
|
Recording:
SECCOM presentation: