This is a wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.

...

The ONAP security work is split into two parts: the management of identified vulnerabilities, which is handled by the vulnerability management sub-committee, and the coordination and identification of necessary security-related activities, which is handled by the security sub-committee.

Vulnerability management

...

Vulnerability management covers how to handle the reception of an identified vulnerability through to its solution and the communication of the vulnerability.  The process is initiated by the reception of an email to onap-security@lists.onap.org.  The vulnerability management procedures can be found here: ONAP Vulnerability Management. The vulnerability management procedures are executed by the vulnerability management sub-committee.

Release Vulnerabilities

This lists the vulnerabilities reported for each Release.

ONAP security sub-committee

...

The ONAP security sub-committee meeting logistics are:

...

ONAP Security sub-committee Operations

General Meeting Agenda for next meeting:

  • Information Update
    • S3P (carrier grade) - security aspects. Re: Carrier Grade Requirements (consolidated)
    • There have been comments and discussion on the security part; this is to consolidate and finalize our input.
  • Topics to advance
    • Static Code Scanning
      • Status update of using Coverity
      • Walkthrough identified items to suggest
    • Backlog update and review
      • Update or add item backlogs
    • For coming meeting:
      • Agree topics for the next meeting
    • Next steps
    • Credential management
      • Proposal walkthrough.
      • Next steps to close on our proposal
    • If time: Sonatype CLM / Nexus IQ Tool (management of dependencies and known vulnerabilities)
  • AOB

Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).

...

Security sub-committee recommendations can be found here: Security Sub-Committee Recommendations 

Backlog

...

...

Done.

Activity Closed.

...

JIRA project for issue prioritization: https://jira.onap.org/projects/SECCOM/

There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues.  The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue.

https://www.sonatype.com/intelligence-automation

https://scan.coverity.com/

...

https://github.com/linuxfoundation/cii-best-practices-badge  

This may identify good practices, which could include guidelines (for example, ensure least privilege by design); also consider how to bring code scanning into the integration processes.

Also look at:

...

Ongoing

The security subcommittee recommends a gold level.

A discussion is ongoing about whether this applies per release or is attached to the project maturity.

...

Identify and propose a process for static vulnerability scans 

Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement 

...

Proposed architecture and proposal for handling credentials in ONAP

Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement 

...

If you want to be involved, please contact Stephen.terrill@ericsson.com, Pawel Pawlak or Amy Zwarico.

Note: if you would like to change the contents of this site, please contact Stephen Terrill, Pawel Pawlak or Amy Zwarico.