2021-09-14 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 14th of September 2021.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

REQ-801

REQ-800

REQ-863

REQ-443

M4 update

Java and Python - waivers issued after PTL's meeting. Merges issued by SECCOM.

Strong improvement from Honolulu release.

To create best practice for standard integration images, so we could get rid of old Python and Java.

Security scans 100% → 57% - to be further investigated.

https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2021-09/14_13-40/

The gaps on the restricted Wiki shall be covered by respective PTLs.

ongoing

Plan for Jakarta for progress to be requested from waivers.

Amy will create slides for that in the next 2 weeks.

To check with Morgn the current security scans and potential actions to improve.

 

 

Software BOMs

Nexus-IQ server was upgraded to the latest version - now has some capability to extract Software BOMs but some information is still missing.

ongoing

Muddasar to research on how the missing information can be collected (plugin to be used?).

 

Logging requirements

Final set of metadata fields, which ones would be provided by logging service and which by developers. PTLs invited for Friday’s meetings.

Welcome Sean who is helping in prototyping for SW BOMs.

ongoing

 

 

Dependency confusion attacks vs. ONAP SW build process

We put this item into backlog - we have no resources to lead it.

on hold

 

 

Security Risk Assessment and Acceptance 

Guide for threat modeling for developers:

https://martinfowler.com/articles/agile-threat-modelling.html

We would like to get some help from the guys who are doing the actual development.

Excel file shared with Brian, Amy shared also framework info on two references for threat modeling.

1.ISO 27005 : https://www.iso.org/standard/75281.html

2.NIST Special Publication 800-154 2 Guide to Data-Centric System Threat Modeling

https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf

ongoing

Do we have a data map to show elements moving through the system?

 

Last PTLs meeting

Good progress on fulfilling global requirements from SECCOM.

Fabian presented the status of code quality

  • we need to create a page in confluence to describe the way to improve quality (page directly under SECCOM)

  • we need to open an another ticket of services hosting

  • jiras for python and java were updated

ongoing

Pawel to create the page. ONAP code quality improvement

Fabian to create a Jira ticket to LFN IT:

https://jira.linuxfoundation.org/plugins/servlet/theme/portals

 

Feature intake template

Muddasar was introduced to Alla who is leading ONAP Requirements Subcommittee to be contacted to provide details.

We need to have a standard template for the feature to be accepted (visibility, security and usability sections should be there).

ongoing

To create a Jira ticket template.

To be checked if the feature specific information is further tracked.

 

Last TSC meeting

  • TSC elections, nominations close on September 21st

  • Nominations for Honolulu awards extended to September 17th

  • Spark in New Zeland going with ONAP in the production

ongoing

 

 

Jakarta SECCOM requirements

Apart from current global requirements we might want to follow any other requirements:

  • Security logging as best practice for Jakarta, it is not exactly REQ-441

started

New requirement to be created for security logging but PoC with CPS or best practice for Jakarta.

This item to be discussed with Byung on Friday's meeting. 

 

 

How info.yaml is generated? 

ongoing

This item to be discussed with PTLs on Friday's meeting. 

 

CADI and AAF replacement

DCAE and DMaaP communication - new proposal to be presented today at the Architecture Subcommittee.

ongoing

Byung  to present update for the next SECCOM

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 21st OF SEPTEMBER'21. 

 

 

 

 

Recording: 

SECCOM presentation: