...
Contact names, contributing to this:LEVY, DONALD E <dl2378@att.com>; Krec, Michael <michael.krec@bell.ca>; Zygmunt Lozinski <zygmunt_lozinski@uk.ibm.com>; Don Clarke <D.Clarke@cablelabs.com>; Sood, Kapil <kapil.sood@intel.com>; Andreas Ljunggren <andreas.ljunggren@ericsson.com>; Phil Robb <probb@linuxfoundation.org>; ZWARICO, AMY <az9121@att.com>; Evgeny Zemlerub <EVGENYZE@amdocs.com>; David Jorm <david.jorm@gmail.com>; Stephen Terrill <Stephen.terrill@ericsson.com>; Igor Faynberg <ii.faynberg@cablelabs.colm>com>
Note: if you would like to change the contents of this site, please contact Stephen Terrill.
Identified activity | Activity Description | Status |
---|---|---|
Creation of a Vulnerability Response Team |
| |
Identify a Security-Adit team to audit and oversee remediation of vulnerabilities within ONAP | There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues. The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue. | |
Go through the process of implementing all the best practices identified in the Core-Infrastructure-Initiative (CII) and receive their "Badge" of approval. | https://github.com/linuxfoundation/cii-best-practices-badge This may identify good practices, which could include guidelines. consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes. | |
Identity primary relevant legislation stds to be considered. | Identify the main security standards etc that are related to regulatory requirements. This would be for awareness. | |