...

(Note: A description of the above is required.)


Question:

  • What about user passwords/credentials?
  • What about the credentials for interaction with other systems?
  • How to provide pluggability for credential management?

2.3 Recommended approach


2.4 Implications to the ONAP

...

Languages supported: C/C++, C#, Java, JavaScript, Python, Ruby


Question: What about Go? Which versions of Python?

Comment: Add some motivation of why Coverity is a good idea.

Comment: We need to catch the commitment now.

Comment: OPNFV also has a basic Gerrit plug-in for some basic scans. This can be brought in.

Bring in a few proposals to the TSC.

3.3 Recommendation

Capture the recommendation here.

...

  • Introduce test coverage rules: how many tests should be added for each code change
  • Digital signature: use digital signatures on delivered packages (already in the plan?)
  • Vulnerability fixing SLA: vulnerabilities should be fixed within 60 days
  • Security mechanisms
    • Which cryptographic algorithms to use to encrypt passwords
    • The security mechanisms within the software produced by the project SHOULD implement perfect forward secrecy for key agreement protocols, so that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
    • If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt, using a key stretching (iterated) algorithm (e.g., PBKDF2, bcrypt or scrypt).
    • The security mechanisms within the software produced by the project MUST generate all cryptographic keys and nonces using a cryptographically secure random number generator, and MUST NOT do so using generators that are cryptographically insecure.
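The two password-storage and key-generation rules above can be demonstrated together in a short script. The following is an added example written for this page, not ONAP project code: it stores passwords as PBKDF2-HMAC-SHA256 iterated hashes with a per-user salt drawn from the OS CSPRNG, verifies them in constant time, and produces keys and nonces from the same CSPRNG. The iteration count, salt length and record format (`pbkdf2_sha256$iterations$salt$hash`) are assumptions chosen for the example, not values the page prescribes; the perfect-forward-secrecy requirement is not covered here.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Assumed parameters for this example (not ONAP project values).
PBKDF2_ITERATIONS = 600_000   # key-stretching work factor; tune to the deployment's CPU budget
SALT_BYTES = 16               # length of the per-user random salt
KEY_BYTES = 32                # derived hash length (SHA-256 output size)
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt comes from `secrets` (backed by os.urandom), i.e. a CSPRNG; the
    `random` module is a seeded Mersenne Twister and must not be used here.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Malformed or foreign records are rejected, never raised."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if iterations < 1 or len(expected) != KEY_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    # hmac.compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(dk, expected)


def new_key_and_nonce(key_bytes: int = 32, nonce_bytes: int = 12) -> Tuple[bytes, bytes]:
    """Generate a symmetric key and a nonce from the OS CSPRNG.

    Sizes default to a 256-bit key and a 96-bit nonce (assumed here as a common
    AEAD pairing); the caller is responsible for never reusing a nonce with a key.
    """
    return secrets.token_bytes(key_bytes), secrets.token_bytes(nonce_bytes)


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    key, nonce = new_key_and_nonce()
    print(f"key={key.hex()} nonce={nonce.hex()}")
```

Because the salt is random per user, hashing the same password twice yields two different records, which is what defeats precomputed (rainbow-table) attacks; the iteration count is stored alongside the hash so it can be raised later without breaking verification of older records.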


Examples of use cases that people may want to see solved.

5. Examples of secure communication between ONAP components

6. Examples of secure communication between ONAP and other components.

7. User provisioning, and relation to access to other systems.

........