Please find below the minutes and recording for the SECCOM meeting that was held on 3rd of March 2020.

Columns: Jira No | Summary | Description | Status | Solution

Guilin SECCOM priorities - review

P1:

- Updates of the languages (Java 8 -> 11 and Python 2.7 -> 3.x); LFN interns could be enlisted to help.

- Updates of directly dependent software components. Here we are again thinking about benefiting from LFN interns who could support projects with their package upgrades. In addition, the new version of Nexus-IQ is able to display components with direct and indirect dependencies, so we should define priorities; the release manager should help coordinate between projects.

- Automated security testing: containers not running as root (SDNC example).

P2:

- Secrets management

- No root access to the DB from the main application container. Currently we have some pods (e.g. OOF) whose main application requires root access to its mariadb-galera instance in order to work. This is obviously a security issue: each application should have its own DB account that can access only its own database.

- All config files inside the main container should be read-only. There are some odd designs, such as APPC, where the main container modifies the properties provided by the user at runtime. Application configuration should be read-only.
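As an added illustration of the P1 item (containers not running as root) and the P2 item (configuration read-only inside the container), the following Python audit walks a rendered Kubernetes Pod manifest and flags both problems. This is example code written for these minutes, not ONAP/OOM code or the integration team's healthcheck; the two Pod manifests and the container names (app, tmp, app-config) are constructed for the example, and the checks assume a plain Pod spec as produced by rendering a Helm chart.

```python
"""Static audit of a Kubernetes Pod manifest for two SECCOM priorities:
containers must not run as root (P1) and configuration must be read-only (P2).
Added example, not ONAP/OOM code; all manifests below are constructed."""

from typing import Any, Dict, List


def _effective_security_context(pod_spec: Dict[str, Any],
                                container: Dict[str, Any]) -> Dict[str, Any]:
    """Container-level securityContext fields override pod-level ones, as in Kubernetes."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding string per violation; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    # Volume kinds that carry configuration or secrets; the app must never write to them.
    config_kinds = ("configMap", "secret", "projected")

    for container in spec.get("containers", []):
        name = container["name"]
        ctx = _effective_security_context(spec, container)

        # P1: the container must not run as uid 0. An explicit runAsUser wins; otherwise
        # runAsNonRoot must be true (the image's USER directive is not trusted here).
        run_as_user = ctx.get("runAsUser")
        if run_as_user is not None:
            if run_as_user == 0:
                findings.append(f"{name}: runAsUser is 0 (root)")
        elif ctx.get("runAsNonRoot") is not True:
            findings.append(f"{name}: neither runAsUser nor runAsNonRoot=true set; may run as root")

        # P2a: the container root filesystem should be immutable.
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")

        # P2b: every ConfigMap/Secret/projected volume must be mounted readOnly.
        for mount in container.get("volumeMounts", []):
            vol = volumes.get(mount["name"], {})
            if any(kind in vol for kind in config_kinds) and mount.get("readOnly") is not True:
                findings.append(
                    f"{name}: config volume '{mount['name']}' mounted writable at {mount['mountPath']}")
    return findings


# Constructed manifest resembling the APPC-style pattern: root user, writable config.
WEAK_POD = {
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "volumeMounts": [{"name": "app-config", "mountPath": "/opt/app/config"}],
        }],
        "volumes": [{"name": "app-config", "configMap": {"name": "app-config"}}],
    }
}

# Constructed hardened manifest: non-root uid, immutable rootfs, read-only config,
# and an emptyDir for the scratch space the application still needs.
HARDENED_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "app-config", "mountPath": "/opt/app/config", "readOnly": True},
                {"name": "tmp", "mountPath": "/tmp"},
            ],
        }],
        "volumes": [
            {"name": "app-config", "configMap": {"name": "app-config"}},
            {"name": "tmp", "emptyDir": {}},
        ],
    }
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The audit is meant to be run over `helm template` output before deployment, so that a chart that re-introduces root or a writable ConfigMap mount fails early rather than being caught by a runtime healthcheck. Note the design choice in the hardened manifest: setting readOnlyRootFilesystem forces the application's writable state onto an explicit emptyDir (here /tmp), which is exactly what makes the runtime modification of user-provided properties visible and reviewable.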

P3:

- Increase of code coverage (to be honest, in the Frankfurt release it seems that not much happened; I am not sure whether each project proposed a percentage feasible for it and followed the actions to achieve it).

- CII badging

P4:

- High-priority SECCOM initiative: service mesh recommendation

- SECCOM initiative: OJSIs to be solved

- SECCOM initiative: HTTPS communication

We shall continue efforts on ongoing project work, e.g. connectivity matrix, VNF security requirements, CMPv2, etc.

List was already presented to PTLs, no specific feedback. Next to be presented to TSC.


Efforts on service mesh are to be continued, to have a real alternative to AAF, which is failing as of today. We hope AAF will improve with the new PTL, John, but the service mesh alternative should be explored covering certificates, mTLS and sidecars.


SECCOM chair and vice chair elections

Confirm that the correct voting member for your company is on the Security Sub-committee Members list.

Still waiting for Kenny's feedback. Kenny was asked to provide his feedback during the last PTL call; he promised to respond. Once the schedule is known, it will be sent to the SECCOM distribution list.

Secrets encryption

Krzysztof shared his work on removing secrets for mariadb-galera:

Mariadb-galera

In Progress

Ongoing work with SO.

VNF Security Requirements

Amy asked for +2 on the reviewed items.

Jiras to be updated with comments (+2s) from Pawel and Samuli.

Amy will work on getting the right privileges in Gerrit.

Scripts for automatic Jira tickets creation for direct dependency components upgrades

A meeting with Pam was organized by Amy. It would be best to work on the upgrades around the M1 milestone of the Guilin release. SECCOM could group vulnerabilities by criticality into critical, severe and other groups, and provide recommended versions. Support from the release manager for coordination between projects is vital. A process for exceptions is in place: in such a case the project must document why the upgrade was not performed.

In progress

https://wiki.onap.org/display/DW/Remediating+Known+Vulnerabilities+in+Third+Party+Packages


Upcoming F2F meetings

Topics proposal:

  • Service mesh
  • VNF security requirements
  • Package upgrade strategy
  • Communication matrix
  • Password removal continued

As the coronavirus threat is a serious concern, companies are starting to ban participation in events such as conferences in order to protect their employees.

In Progress

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10TH OF MARCH '20


2020-03-03_SECCOM_week.mp4


2 Comments

  1. I suggest an additional P1 Guilin release requirement: Increase the number of CIS Docker Benchmark checks in the Integration healthchecks.

    The integration team is testing for Pods running as root. (See Docker and Kubernetes Security for the integration tests in place for Frankfurt.)

  2. Hello,

    As raised during the previous meetings, we raised the following items that would need, from our point of view, investigation/further analysis:

    • user access management, i.e. IAM/RBAC. For instance, a user U1 can instantiate a service S1 on its tenant T1, but does not have the "right" to instantiate another service S2 that belongs to U2 on T1, or to instantiate any service on T2 that belongs to another client.
    • is it already planned to have a docker image that would consist of the main components of ONAP, i.e. a minimum set of ONAP with a reliable set of security features?
    • flow management relying on flow matrix, in order to be able to "control" INGRESS and EGRESS flows regarding external flows ?
    • logs management: this point has already been discussed during the security requirements session. Once deployed it will be very important to be able to monitor the ONAP components in a centralized way. To perform this a SIEM should be able to gather all relevant logs raised by the different components. There is no common model to generate the logs, but for monitoring purposes it would be relevant.

    ==> We could discuss the relevance of proposing them for the GUILIN release.