2020-08-25 Security Subcommittee Meeting Notes

ongoing

Subversions for Java 11 could be pushed for future release (Honolulu) for a common version (as of today 11.0.8).

Automated security testing - to be checked for status.

Some updates appreciated from Krzysztof.

Continue packages upgrades in direct dependencies

After Service Mesh PoC - new requirements might arrive.

Harbor requirement. In Harbor:

• you can sign the image and you can share the key with an application that has an account to pull or to push the image
• possibility to scan the image all the time and send warning
• Harbor deployed in run time while Whitesource and Nexus-IQ during the development.

Logs management:

• common place for data - all applications should generate logs that can be collected by Kubernetes (target for next release)
• common format for data - format of minimum data that we want that is useful (target for next+1 release)

SIEM integration:

• integration like for the other applications with SIEM, have the same protocol used
• logs from ONAP to SIEM, falco tool to be considered (IDS for Kubernetes)
• alarms when security issue

CII Badging - session planned on the PTLs call.

E-mail was sent to Fabian to clarify whether logs from ONAP to SIEM be considered as ONAP only or xNFs logs only or maybe both. 

No actions for SECCOM.

Long discussion on a repo creation and add.

Open Networking & Edge Summit North America 2020
September 28 & 29, 2020 (Virtual Event)

• Using a virtual events tool called INXPO
• https://lists.onap.org/g/onap-tsc/message/6513
• ONAP and Cloud Native panel discussion

• Topic Proposals https://wiki.lfnetworking.org/x/9QhoAg

Topics proposed:

• What is next for Honolulu in the context of Service Mesh PoC?
• What is the impact of Service Mesh usage on runtime environment?