Page History

...

Agenda for next meeting:

Information Update
CII Badging program feedback
Paris Dev Event Feedback
Topics to advanceSeptember Dev Event
- Credential protection and management
CII Badging
Vulnerability management
Code Scanning
Prep for adhoc ??
DMaaP received question
- Static Code Scanning
AOB

Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).

...

Identified activity	Activity Description	Status
Creation of a Vulnerability Response Team	Creation of a proposed draft of the vulnerability procedures to follow when a vulnerability is identified, and the follow-up process. Review in team when ready, propose to TSC Examples from other communities are: https://wiki.fd.io/view/TSC:Vulnerability_Management ; https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046 https://wiki.opendaylight.org/view/Security:Vulnerability_Management Process we will follow is use the fd.io as a template and adapt it to onap. The draft work will be found here: ONAP Vulnerability Management Secure candidates of the security response team (to identify severity and where the problem might be, coordinate and bring in the experts). looking for 3-5 people that has a Knowledge of 1. process, 2. security expertise & drive/coord, 3 sufficient knowledge of code.	Done. Activity Closed.
Identify a Security-Adit team to audit and oversee remediation of vulnerabilities within ONAP	There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect potential issues. The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue. https://www.sonatype.com/intelligence-automation https://scan.coverity.com/
Go through the process of implementing all the best practices identified in the Core-Infrastructure-Initiative (CII) and receive their "Badge" of approval.	https://github.com/linuxfoundation/cii-best-practices-badge This may identify good practices, which could include guidelines. consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes. Also look at: https://wiki.opnfv.org/display/security/Security+Home https://wiki.opnfv.org/display/security/Opnfv-security-guide	Ongoing The security subcommittee recommends a gold level. A discussion ongoing about for the release or attatch to the project maturity.
Identity primary relevant legislation stds to be considered.	Identify the main security standards etc that are related to regulatory requirements. This would be for awareness.
Static Vulnerability Scans.	Identify and propose a process for static vulnerability scans Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement	Started
Credential Management	Proposed architecture and proposal for handling credentials in ONAP Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement	Started

If you want to be involved, please contact Stephen.terrill@ericsson.com

...

Space shortcuts

Page tree

Versions Compared

Old Version 22

New Version 23

Key