This is a wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.
...
The ONAP security work is split into two parts. The management of identified vulnerabilities, which is handled by the vulnerability management sub-committee and the coordination and identification of necessary security related activities which is handled by the security sub-committee.
Vulnerability management
...
Vulnerability management covers how to handle the reception of an identified vulnerability through to solution and communication of the vulnerability. The process is initiated by the reception of an email to onap-security@lists.onap.org. The vulnerability management procedures can be found here: ONAP Vulnerability Management.The vulnerability management procedures are executed on by the vulnerability management sub-committee
Release Vulnerabilities
This lists the vulnerabilities reported for each Release.
ONAP security sub-committee
...
The ONAP security sub-committee meeting logistics are:
- Time: Wednesday 15:00 - 16:00 Central European time [ 6AM - 7AM PST]Tuesdays 1 PM UTC time
- Zoom details:793296315
- Or iPhone one-tap (US Toll): +16465588656,793296315# or +14086380968,793296315#
- Or Telephone:
- Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
- Meeting ID: 793 296 315924 1503 6769
International numbers available: https://zoom.us/zoomconference?m=Meh_TwQwIDnJKy9MU9R_A8hFaAUbegBa
...
ONAP Security sub-committee Operations
General Meeting Agenda for next meeting:
- Information Update
- Topics to advance
- Static Code ScanningStatus update of using CoverityWalkthrough identified items to suggest.
- Next steps Presentation for ONAP dev Event.
- Backlog update and review
- Update or add item backlogs
- For coming meeting:
- Next steps to close on our proposal on Sonatype CLM / Nexus IQ Tool (management of dependancies and known vulnerabilities)Agree topics for the next meeting
- AOB
Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).
...
Security sub-committee recommendations can be found here: Security Sub-Committee Recommendations
Backlog
...
- Creation of a proposed draft of the vulnerability procedures to follow when a vulnerability is identified, and the follow-up process.
- Review in team
- when ready, propose to TSC
- Examples from other communities are:
https://wiki.fd.io/view/TSC:Vulnerability_Management ;
https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046
https://wiki.opendaylight.org/view/Security:Vulnerability_Management - Process we will follow is use the fd.io as a template and adapt it to onap. The draft work will be found here: ONAP Vulnerability Management
- Secure candidates of the security response team (to identify severity and where the problem might be, coordinate and bring in the experts). looking for 3-5 people that has a Knowledge of 1. process, 2. security expertise & drive/coord, 3 sufficient knowledge of code.
...
Done.
Activity Closed.
...
There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues. The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue.
https://www.sonatype.com/intelligence-automation
JIRA project for issue prioritization: https://jira.onap.org/projects/SECCOM/
...
https://github.com/linuxfoundation/cii-best-practices-badge
This may identify good practices, which could include guidelines. consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes.
Also look at:
- https://wiki.opnfv.org/display/security/Security+Home
- https://wiki.opnfv.org/display/security/Opnfv-security-guide
...
Ongoing
The security subcommittee recommends a gold level.
A discussion ongoing about for the release or attatch to the project maturity.
...
Identify and propose a process for static vulnerability scans
Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement
...
Proposed architecture and proposal for handling credentials in ONAP
Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Developement
...
If you want to be involved, please contact Stephen.terrill@ericsson.com Pawel Pawlak or Amy Zwarico
Note: if you would like to change the contents of this site, please contact Stephen Terrillcontact Pawel Pawlak or Amy Zwarico.