Please find below the minutes and recording of the SECCOM meeting held on 7th April 2020.

Jira No | Summary | Description | Status | Solution

Zoom security issues 

The Orange team will be banned from using Zoom starting next week for security reasons. AT&T does not use Zoom for internal business, but ONAP is treated as open source, so Zoom is allowed there.

In Samsung, Zoom can be used by exception.

For the next 90 days Zoom will focus on fixing vulnerabilities rather than delivering new features. Amy shared a link to a blog post describing the Zoom vulnerabilities. Bad cryptography is one of the biggest issues for Zoom as of today.


It is crucial to apply all the updates coming from Zoom that fix vulnerabilities.

We continue using our new Zoom!


Latest feedback received from Integration team

Morgan shared the following feedback:

  • no more JDWP ports exposed
  • no CVE reported on k8s by aquasecurity kube-hunter
  • in parallel there is only 1 HTTP port exposed publicly (music) – (no OJSI as it appeared after the scans), so we are not far from the green light here as well
  • still lots of rooted pods (34 vs. 210 two weeks ago)
  • special thanks to Pawel W. who wrote most of the tests!

For the only HTTP port exposed, action on Amy to contact PTL Bharath. No OJSI ticket is assigned: one should have appeared after our scans, or the component was not responding at the moment of scanning. There is no value in opening an additional ticket. The MUSIC team should either remove HTTP, switch to HTTPS, or ask for a waiver with justification.


Virtual ONAP event
  • SECCOM Guilin security requirements update - Paweł
  • Holistic view of ONAP security – Krzysztof/Amy
    • Access control
    • Storing permission
    • Hardening
    • Logging 
    • Gaps identified
  • Akraino reference for security documentation - Amy
  • CNTT alignment meeting – to be consulted with Samuli
  • Service Mesh – analysis and then with Architecture Subcommittee - Krzysztof
  • Logs management evolution in ONAP - Pawel
  • VNF security requirements - Amy
  • Package upgrade strategy – Amy/Pawel
  • Communication matrix - Natacha
  • Password removal continued and no hardcoded passwords for a new code - Krzysztof

We should come back to the Architecture Subcommittee with a proposal for Service Mesh and, once it is approved, approach the TSC for a recommendation.


PTLs meeting update

Proposal for upgrading vulnerable outdated packages in Guilin:

- Guilin Package Updates: each project has its restricted-access Wiki page where a ppt was uploaded with all recommended upgrades; it is important to track progress. Some new PTLs must still be granted access (action on Kenny?).

- SECCOM-265: each project will have a Jira ticket created with a link to the Wiki. When is the deadline for the Guilin requirements?

- JIRA report for PTLs regarding outstanding OJSI SECCOM issues: shall the emulator be whitelisted? An exceptional waiver is to be granted, but in the long term all simulators must be fixed. If ports are not closed or moved to HTTPS in the Guilin release, the project will not get a SECCOM waiver (a waiver can be granted for only one release!).

To approach David to check who would open Jira tickets per project for package upgrades.

This policy should be communicated to the ONAP community.


Security tests with Integration team

Amy will present the relevant tests at the next Integration team meeting on Wednesday.

Proposed tests: Integration and Built Tests For Releases


To check with the OOM team whether Integration or SECCOM should add the new Jenkins jobs for the CIS tests. They should be part of the OOM verify job; those tests should be run whenever a container changes, or even all the time.


Service Mesh risk analysis – meeting summary available here

Service mesh requirements from a security perspective, followed by a risk analysis. Review with Chaker.

Jonathan finally resigned from the PTL position for AAF. John Franey is occupied with other activities and not only with AAF.


 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF APRIL'20


2020-04-07_SECCOM_week.mp4