Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 5th of September 2023.

Jira No | Summary | Description | Status | Solution

5 Years security questionnaire for Policy project

Review of Policy questionnaire with Policy representative meetings

PF - ONAP Security Review Questionnaire - Developer Wiki - Confluence

Adheli Tavares joined SECCOM meeting to complete review.

For crypto, the Policy team relies on OOM and Service Mesh.

Jira ticket to be raised by Adheli, with a reference put on the Wiki.

We could provide an additional description on the actual goal of our questionnaire.

The Best Practices badging site shall be updated with the security review once the 5-year security questionnaire is completed with positive feedback.


Policy Framework began the review of the 5-year questionnaire and will complete the review at the 22 August meeting.



Oparent

Update from 2023-08-21 PTL meeting

-CPS (Toine Siebelink): will test building CPS without oparent/pom.xml (results 2023-10-01)

-Integration (Marek Szwałkiewicz): will perform a test build with the profiles commented out

2023-08-15 SECCOM notes

-Only 2 PTLs responded to Amy’s e-mail

-No objections to Oparent retirement; we have no volunteer to keep it up to date

-pom.xml contains more than cross project common package dependencies

Put on hold until October. Pawel to call Marek.


Recommendation:

-retain oparent/pom.xml

-Make Andreas Geissler a committer and ask the integration or OOM team to update the file per release

-Proposal:

  • Option 1 (short term): ask the integration or OOM team to update the file per release
  • Option 2 (long term): split into multiple pieces that could be independently maintained: dependencies, build directives, profiles

-Byung will discuss with Andreas and OOM team and report at 8/22 SECCOM (pushed to 8/29 SECCOM meeting)

-Amy will contact Liam Fallon and Pam for history


AAF certificate expiration

AAF-1217 - AAF cert service failed to start (expired certificate) - IN PROGRESS - Andreas Geissler

ONAP Streamlining

-Role of SECCOM

-Prioritization of vulnerability fixes

-Prioritization of security enhancements

-Proposal: ONAP projects work with latest version of common components such as Istio, KeyCloak, Kafka

ONAP Streamlining - The Process

Deck shared with TSC: ONAP - Streamlining the process Report-2023-8-3-v2.pptx (live.com)

NEW SECCOM requirements

Container signing - PoC under consideration for Montreal release. (Pawel)

Testability of CIS Benchmarks (Amy)

Runtime security of containers (Maggie)

Next DTF

None of the SECCOM members present would join this event physically. Topics under consideration:

  • Service Mesh implementation
  • SBOM follow-up: what is next (versioning)
  • 3rd project passing the 5-year questionnaire review
  • ONAP consumers - perception of streamlining process.

Pawel to check if zoom session attendance is possible.

NEXT SECCOM MEETING CALL WILL BE HELD ON 12th of September 2023.

Recordings: 

2023-09-05_SECCOM_week.mp4