...
Agenda for next meeting:
- Information Update
- CII Badging program feedback
- Paris Dev Event Feedback
- Topics to advance for the September Dev Event
- Credential protection and management
- CII Badging
- Vulnerability management
- Code Scanning
- Prep for adhoc ??
- DMaaP received question
- Static Code Scanning
- AOB
Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).
...
Identified activity | Activity Description | Status
---|---|---
Creation of a Vulnerability Response Team | | Done. Activity Closed.
Identify a Security-Audit team to audit and oversee remediation of vulnerabilities within ONAP | There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues. The audit team would need to sign up to run these tools against the codebase and, more importantly, review the output for relevant issues and work with the appropriate ONAP project(s) to remediate them. https://www.sonatype.com/intelligence-automation |
Go through the process of implementing all the best practices identified in the Core-Infrastructure-Initiative (CII) and receive their "Badge" of approval. | https://github.com/linuxfoundation/cii-best-practices-badge This may identify good practices, which could include guidelines (for example, ensure least privilege by design); consider how to bring code scanning into the integration processes. Also look at: | Ongoing. The security subcommittee recommends a gold level. A discussion is ongoing about whether this is tied to the release or attached to project maturity.
Identify the primary relevant legislation and standards to be considered. | Identify the main security standards etc. that are related to regulatory requirements. This would be for awareness. |
Static Vulnerability Scans | Identify and propose a process for static vulnerability scans. Information can be found at: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement | Started
Credential Management | Proposed architecture and proposal for handling credentials in ONAP. Information can be found at: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement | Started
If you want to be involved, please contact Stephen.terrill@ericsson.com
...