...
ONAP Security sub-committee Operations
Agenda for next meeting:
- Identification of activities we feel need to be done by projects from a security perspective
- Then when done, check to see if it is already identify in CII badging or release
Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com)
- item A
- Logistics update
- Vulnerability team members update
- CII badging procedures presentation proposal
Backlog
Identified activity | Activity Description | Status |
---|---|---|
Creation of a Vulnerability Response Team |
| Vulnerability Management Procedures agreed. Team formation ongoing. |
Identify a Security-Adit team to audit and oversee remediation of vulnerabilities within ONAP | There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues. The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue. https://www.sonatype.com/intelligence-automation | |
Go through the process of implementing all the best practices identified in the Core-Infrastructure-Initiative (CII) and receive their "Badge" of approval. | https://github.com/linuxfoundation/cii-best-practices-badge This may identify good practices, which could include guidelines. consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes. Also look at: | Ongoing. |
Identity primary relevant legislation stds to be considered. | Identify the main security standards etc that are related to regulatory requirements. This would be for awareness. | |
...