...
Page Status:
Component Status:
Last Reviewed on:
Certified by:
Table of Contents
1. High Level Component Definition and Architectural Relationships (template)
...
6. Security Conformance
- ONAP Component API and data security conformance
  - Describe the component Service Mesh conformance / plan for secure communications, routing, authentication and authorization configurations.
  - Does the component have AAF dependencies? If so, describe the current dependencies and a migration plan to remove the dependencies.
  - How does the component support authentication and authorization of its clients (users/humans, APIs/other applications)?
- Describe the component data protection
  - Data storage location/mechanism
  - Data protection plan, such as data at rest, data-level access control, data in transit, others
  - User sensitive data handling (e.g., password)
- Describe the component / container hardening
  - The component must run as non-root-based users. Does the component use non-root access only? Otherwise, describe the reasons and non-root-access support plans.
  - Does the component container require privileged access/rights? If so, describe the reasons and migration plans.
  - Is the component image signed digitally for integrity? (TBD)
  - Does the component use the basic image to conform to the global requirement (Jira: REQ-1073)?
  - Does the component follow the K8s hardening guide? e.g., from NSA, https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
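The non-root and non-privileged requirements above can be checked mechanically on a Pod manifest before it is reviewed. The Python check below is an added example, not ONAP project code: the two manifests are constructed for illustration (as plain dicts, the shape a YAML loader produces) and the checks are a subset of the NSA/CISA hardening guidance (non-root user, no privileged containers, no privilege escalation, no added capabilities, no host namespaces). It shows a weak manifest beside its hardened form.

```python
"""Check Pod manifests against the non-root / non-privileged requirements.

Added example, not ONAP project code. The manifests below are constructed
for illustration; the image names are placeholders.
"""

from typing import Any

Pod = dict[str, Any]


def _containers(pod: Pod) -> list[dict[str, Any]]:
    """Init containers are checked too; they run on the same kernel."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_pod_hardening(pod: Pod) -> list[str]:
    """Return human-readable findings; an empty list means the pod conforms."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is enabled (shares a host namespace)")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext fields override the pod-level ones.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))

        if run_as_user == 0:
            findings.append(f"{name}: runAsUser is 0 (explicit root)")
        elif run_as_non_root is not True and run_as_user is None:
            # Without either setting, the image's default user (often root) is used.
            findings.append(f"{name}: no non-root guarantee; set runAsNonRoot: true "
                            "or a non-zero runAsUser")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            findings.append(f"{name}: adds capabilities {sorted(added)}")
    return findings


# Constructed manifest: privileged, host networking, no user set.
WEAK_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    },
}

# Constructed manifest: the same workload with a hardened securityContext.
HARDENED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "runAsGroup": 10001},
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        findings = check_pod_hardening(pod)
        print(pod["metadata"]["name"] + ":", "conforms" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The same function can be run over every Pod template in a Helm chart's rendered output (e.g. the `spec.template` of a Deployment or StatefulSet) as a pre-merge gate; image signature verification and base-image checks from the list above are separate controls and are not covered here.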
- Describe the component logging conformance
  - Does the component conform to the Log field standards best practice (Jira: REQ-1072)? If not, please describe the reasons and support plans.
  - Does the component exclude user sensitive data (e.g., password, IP address, routing paths, private key, other credentials) from logging? If not, please describe the reasons and support plans.
  - Does the component support the Logging destination STDOUT / STDERR conformance? If not, please describe the reasons and support plans.
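One way to meet the two logging requirements above (no sensitive data in logs, output to STDOUT) in a Python component is a `logging.Filter` that redacts the message before any handler sees it, attached to a logger whose only handler writes to STDOUT. This is an added example, not ONAP code or a SECCOM-endorsed pattern: the regular expressions cover the data classes named in the checklist (credentials, authorization headers, PEM private keys, IPv4 addresses) and the sample lines are constructed.

```python
"""Redact user sensitive data from log messages and send them to STDOUT.

Added example, not ONAP project code. Patterns and sample lines are
constructed; a real component would tune them to its own log formats.
"""

import logging
import re
import sys

# (pattern, replacement) pairs for the data classes named in the checklist.
_PATTERNS = [
    # key=value / key: value credentials, e.g. password=hunter2, token: abc
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)"
                r"(\s*[=:]\s*)([^\s,;\"']+)"), r"\1\2[REDACTED]"),
    # HTTP Authorization headers (Basic / Bearer)
    (re.compile(r"(?i)\b(Authorization:\s*(?:Basic|Bearer)\s+)(\S+)"), r"\1[REDACTED]"),
    # PEM private key blocks, possibly spanning several lines
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
                re.S), "[REDACTED PRIVATE KEY]"),
    # IPv4 addresses (applied last so redacted values are not re-matched)
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order and return the sanitised text."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_lines(lines: list[str]) -> list[str]:
    return [redact(line) for line in lines]


class SensitiveDataFilter(logging.Filter):
    """Redact the fully formatted message; handlers then only see the result."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; nothing left to interpolate
        return True


def filtered_message(msg: str, *args: object) -> str:
    """Run a message through the filter the way a handler would receive it."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    SensitiveDataFilter().filter(record)
    return record.getMessage()


def build_logger(name: str = "onap-component") -> logging.Logger:
    """Logger with a single STDOUT handler and the redaction filter attached."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SensitiveDataFilter())
    logger.setLevel(logging.INFO)
    return logger


# Constructed sample lines containing each data class.
SAMPLE_LINES = [
    "login ok user=alice password=hunter2 from 10.0.0.7",
    "GET /api/v1/vnf Authorization: Bearer eyJhbGciOi.abc.def",
    "loaded key -----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----",
]


if __name__ == "__main__":
    log = build_logger()
    for line in SAMPLE_LINES:
        log.info(line)
    log.info("client %s sent token=%s", "192.168.1.20", "abc123")
```

Redacting at the logger rather than at each call site means a developer who forgets to strip a credential still does not leak it, but the filter is a backstop: the pattern list cannot know every secret format, so call sites should still avoid logging credentials in the first place. Because the filter rewrites `record.msg` after interpolation, it also catches secrets passed as `%s` arguments.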
- Documentation for the component security
  - Describe the component security architecture and conformance in the document.
  - The project should fill out an ONAP Security Review Questionnaire Template and review it with SECCOM.
  - The project should follow the CISA Memory Safe Code guidance and not introduce memory-unsafe code: joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf, The-Case-for-Memory-Safe-Roadmaps-508c.pdf
7. Document Changes
8. References
...