This is a wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.
...
The ONAP security work is split into two parts: the management of identified vulnerabilities, which is handled by the vulnerability management sub-committee, and the coordination and identification of necessary security-related activities, which is handled by the security sub-committee.
Vulnerability management
...
Vulnerability management covers how to handle the reception of an identified vulnerability through to its solution and the communication of the vulnerability. The process is initiated by the reception of an email to onap-security@lists.onap.org. The vulnerability management procedures can be found here: ONAP Vulnerability Management. The vulnerability management procedures are executed by the vulnerability management sub-committee.
Release Vulnerabilities
This lists the vulnerabilities reported for each Release.
ONAP security sub-committee
...
The ONAP security sub-committee meeting logistics are:
- Time: Wednesday 15:00 - 16:00 Central European Time [6 AM - 7 AM PST] / Tuesdays 1 PM UTC
- Zoom details: 793296315
- Or iPhone one-tap (US Toll): +16465588656,793296315# or +14086380968,793296315#
- Or Telephone:
- Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
- Meeting ID: 793 296 315 / 924 1503 6769
- International numbers available: https://zoom.us/zoomconference?m=Meh_TwQwIDnJKy9MU9R_A8hFaAUbegBa
...
Security sub-committee recommendations can be found here: Security Sub-Committee Recommendations
Backlog
...
Creation of Vulnerability Management Procedures and Team.
...
Done. Activity Closed.
...
Nexus IQ/Sonatype LCM has the ability to identify and display known vulnerabilities in the components used. These components ultimately become part of the ONAP release, and it is not desirable to release with known vulnerabilities.
A proposal needs to be created and brought to the TSC to address how to work through the known vulnerabilities and relate this to the project release plan.
JIRA project for issue prioritization: https://jira.onap.org/projects/SECCOM/
Nexus IQ/Sonatype LCM is ready for use and the results can be made available.
...
https://github.com/linuxfoundation/cii-best-practices-badge
This may identify good practices, which could include guidelines (for example, ensure least privilege by design), and consideration of how to bring code scanning into the integration processes.
Also look at:
- https://wiki.opnfv.org/display/security/Security+Home
- https://wiki.opnfv.org/display/security/Opnfv-security-guide
...
Done.
The security subcommittee recommends a gold level.
Included in the S3P recommendations.
...
Identify and propose a process for static vulnerability scans
Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Development
...
Proposed architecture and proposal for handling credentials in ONAP
Information can be found on: https://wiki.onap.org/display/DW/ONAP+security+Recomendation+Development
...
Started
Need to complete the requirements.
If you want to be involved, please contact Stephen.terrill@ericsson.com, Pawel Pawlak or Amy Zwarico.
Note: if you would like to change the contents of this site, please contact Stephen Terrill, Pawel Pawlak or Amy Zwarico.