
SECCOM topics proposal:

  • SECCOM retrospectives:
    • Log4j fix implementation in Istanbul Maintenance Release
    • Jakarta security status update
  • Kohn security goals:
    • Global Requirements and Best Practices
    • Security PoCs:
      • logging req
      • code quality
      • service mesh
  • SBOM enablement and maintenance, and packaging
  • Waiver policy update
  • Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung.
  • On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony.
  • Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian?
  • Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.
  • Remaining topic proposals to be submitted.

    Brian to share what kind of security due diligence is performed by Bell Canada. ONAP is used for 5G slicing orchestration.

    Fabian to check if he could contribute on how software is qualified to be deployed and what due diligence was performed.

    Follow-up with Kenny to be done.

    Action items (table columns: Jira No, Summary, Description, Status, Solution)

    Summary: LFN Developer & Testing Forum June 13th-16th Porto, Portugal - summary

    Description:
    SECCOM retrospectives:
      • Log4j fix implementation in Istanbul Maintenance Release
      • Jakarta security status update
    Kohn security goals:
      • Global Requirements and Best Practices
      • Security PoCs:
        • security log fields
        • logging req
        • code quality
        • service mesh
      • SBOM enablement and maintenance, and packaging
      • Waiver policy update
      • On the road to gold badging
      • Reducing technical debt
      • Container signing
      • Container scanning
      • 5Y project review
      • Removing unmaintained code

    Status: ongoing

    Solution:
      • ODL (Robert Varga) is offering some experience about CycloneDX format and SBOM to be reviewed by the ONAP SECCOM - e-mail sent to Robert.
      • To check with Robert Varga and Muddasar Ahmed on SBOM proxy - email sent to Robert.



    Summary: Waivers review between releases
    Description: Work started. Results for root_pods and unlimitted_pods from Guilin to Jakarta.
    Status: started
    Solution: To be completed for remaining categories by Pawel - done

    Summary: ONAP Kohn recommended versions

    https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

    Amy's team is doing last check for data quality.

    Last TSC June 9th sign-off – pushed to 23rd of June. Cassandra stability issue. SECCOM will not block the release.

    Synch with OOM:
    070748 and
      • latest run by Michal for the weekend
    Status: ongoing


    DTF presentation from Tata communication

    Python upgrades: DCAE removed Filebeat containers (they were running Python 2).

    ONAP Kohn recommended versions: Older ONAP version used. https://wiki.onaplfnetworking.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

    LFN Developer & Testing Forum
    Event June 13th-16th Porto, Portugal
    Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/
    Status: started
    LN/2022-06-DD+-+ONAP%3A+The+Path+to+a+Production-Grade+ONAP
    To be shared what we are doing with them.

    SBOM: Still no update from Jess.
    Governance board to be escalated to for SBOM and LF IT proper focus. Ranny was contacted by e-mail as a follow-up of the DTF discussion.

    5G Superblueprint involvement: Security Interest Group for security as code. Concept mandatory to support and optional to use. Let's start with the NIST document: https://csrc.nist.gov/publications/detail/sp/1800-33/draft
    Muddasar to share template and keep SECCOM posted.

    Whitesource (mend.io) container scans: New ticket submitted to LFN IT: IT-24112 - Jess was asked for an update.


    Technical debt: Muddasar reviewed Jira tickets of DCAE and AAI.

    Service Mesh

    With Service Mesh, AAF and MSB could be disabled.

    Pawel to reach out to Toine.

    TSC update: Service mesh PoC – Andreas shared the status. HTTPS to be transformed to either HTTP or gRPC within the container; the proxy takes care of secure communication. Jakarta sign-off pushed to 9th of June, M2 date still to be confirmed by TSC.

    Conditional check for HTTP and Service Mesh

    Pawel to check with Michal.

    SBOM: Jess to reach out to the LFN IT developer later this week. SBOM is the fundamental gear. Ranny is already in the loop. We need to advocate on SBOM.
    Status: ongoing

    Escalation with LFN Governing Board? Ranny to be contacted?

    Cost to be retrieved from Jess by Muddasar.

    PTLs to be consulted to learn how a PTL thinks when looking at Jira tickets. Vijay will be on PTO for the next 2 weeks, so DCAE and AAI will not be under consideration.
    Ask at the next PTLs meeting for volunteering PTLs. Amy and Muddasar to synch with each other on that.

    Automation for dependency management: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/


    Muddasar is presenting at HardenStance (6/23) MITRE's FiGHT framework for 5G security.  In case anyone is interested here is the link: 

    https://events.adaptivemobile.com/hardenstance-ttsi2022/agenda-day2

    Logging PoC

    https://gerrit.nordix.org/c/onap/oom/+/13370




    SECCOM MEETING CALL WILL BE HELD ON 28th OF June'22. 






    Recording attachment: 2022-06-21_SECCOM_week.mp4

    SECCOM presentation:

    Attachment: 2022-06-21 ONAP Security Meeting - AgendaAndMinutes.pptx