Versions Compared

Old Version 14

changes.mady.by.user Tony Hansen

Saved on

compared with

New Version 15

changes.mady.by.user Stephen Terrill

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As additional information, the CLAMP project has been applying the CII badging program procedures.  Their experience is captured here: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Development?src=contextnavpagetreemode 

ProjectProgress
CLAMP

Image Modified





3. Credential Protection and Management

...

  • Meet with Coverity (schedule call, include Tony Hansen , someone from Linux Foundation) 
    • Will Scan integrate with Gerrit? (Coverity Scan tool indicates that it does integrate with Gerrit.)
    • Can it integrate with Jenkins (use resources from Linux Foundation to assist)?
    • How long does it take to run a scan and get results?
    • Lead time with Coverity to use Scan?
    • Mass registration of all ONAP subcomponents (approximately 30 projects, 210 subprojects)?
  • Identify an open source project actively using Coverity Scan to get their feedback on the integration of Scan with their code development lifecycle
  • Determine whether or not the restrictions on scan frequency will cause a problem for any of the ONAP projects
  • Identify an ONAP project willing to test Scan (possibly CLAMP since they are also going through CII badging)
  • Integrate Scan with ONAP code development (if Scan is determined to be a viable product)

5. VNF Package Security

Status: Recomended (priority 1 items)

Disucssion:

Several priorities were discussed.

  • Priority 1: VNF Package Verification
  • Priority 2: Integrity Verification at Instantiation
  • Priority 3:Service Provider Ability to Sign the Artifacts

At this state Priority 1 is the only priority that has reached recommendation status.  For this it is recommended to follow the

VNF Package Verification is Integrity of the VNF package needs to be verified prior to, or at the time of onboarding. The purpose is to ensure that the VNF package originates from the vendor, and that the content has not been tampered with. The verification is done against the signature provided by the vendor. Reference [ETSI NFV SOL004] contains the detailed specifications.

[ETSI NFV SOL004]
ETSI GS NFV-SOL 004 V2.3.1 (2017-07): http://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.03.01_60/gs_nfv-sol004v020301p.pdf

The other priorities are still FFS