Page History

Pierre to check with Martial if we could work with CLAMP for flows documentation.

Tool (Cidium?) to get flow matrix information to be elaborated by Fabian.

To be checked with Eric and Catherine to get buyin from TSCs. Information to be provided by Fabian to Amy.

Harbor integration

Meeting with Jessica was organized to discuss next steps and explain activity goals. Key features of Harbor:

• use of Trivi to san the images
• sign the image with Notary

Action point for Fabian to provide requirements for Harbor to Jessica and use Jenkins sandbox.

Fabian to run an internal meeting with his team and comeback to SECCOM with those 2 features utilization idea. 

Multiple presentations provided:

• SECCOM with packages upgrades, vulns management, Guilin restrospective and Honolulu non-functional requirements
• Service Mesh update
• Python migrations
• AAI usage of Keycloak for RBAC

Our and effort projects bring value in decreasing the rsecurity isks

• Policy, Oparent, SDNC, UsecaseUI and CLAMP are the most advanced, well done!
• Appreciated efforts on Portal, CCSDK, OOF, SDC side
• Amir's suport very much appreciated!

SECCOM requirements were presented on 26th of  October. 

• Continue packages upgrades in direct dependencies (REQ-439)
• Continue Java (REQ-438) and Python migrations (REQ-437)
• After Service Mesh PoC - new requirements might arrive.
• Harbor requirement. In Harbor:
  • you can sign the image and you can share the key with an application that has an account to pull or to push the image
  • possibility to scan the image all the time and send warning
  • Harbor deployed in run time while Whitesource and Nexus-IQ during the development.
• Logs management:
  • common place for data - all applications should generate logs that can be collected by Kubernetes (target for next release) – Honolulu requirement (REQ-441)
  • common format for data - format of minimum data that we want that is useful (target for Istambul release)
• SIEM integration (REQ-464):
  • integration like for the other applications with SIEM, have the same protocol used
  • logs from ONAP to SIEM, falco tool to be considered (IDS for Kubernetes)
  • alarms when security issue
• CII Badging: (REQ-443), Focus on Application Security questions:
  • Crypto Credentials Agility – ½ od apps in met and almost half not yet answered
  • Implement Secure Design – 1/3 of projects did not answer
  • Crypto Weaknesses – tests to be applied (3 including Morgan)
• HELMv3 migration (REQ-442)

Prioritization will be done by TSC.

With Fabian we made a SIEM requirement.  

CLAMP for flows documentation provided by Pierre.

Requirements for Harbor to be provided to Jessica and use Jenkins sandbox.

Internal meetings to be organized by Fabian with his team and come back to SECCOM with 2 features utilization idea:

• use of Trivi to san the images
• sign the image with Notary

There is abuild time test that checks the images to see if they have Python 2 (interpreter) or Java 8 (runtime) included in the image. We still have lots of components that have those in their image. 

Problem statement:

It does not answer the question whether projects are using now only Python 3 and Java 11. In multiple cases people are using custom images and simply did not remove Python 2 and Java 8 as not used.

Standard image does not have old versions in it, we shall push projects to use standard image for Honolulu release and if from some reason they need to run custom image, they must remove what they do not use.

To be added as it is mature:

Implementation is done to identify events that compromise the system.

This information feedback is done because only an intervention can stop this risk.

The events are logged and according to rules have intervened according to the risks.

External system must be use to save and display the log

Secure protocol  must be use to transfert the log between ONAP and external system

Secrets management if possibleby Natacha.