Page History

Versions Compared

Old Version 5

changes.mady.by.user Stephen Terrill

Saved on May 14, 2017

compared with

New Version Current

changes.mady.by.user Kenny Paul

Saved on Mar 08, 2022

Key

This line was added.
This line was removed.
Formatting was changed.

Image AddedImage AddedThis is a

...

wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP

...

Ongoing at the moment is to list the activities that should be initiated. If you want to be involved, please contact Stephen.terrill@ericsson.com

Contact names, contributing to this:LEVY, DONALD E <dl2378@att.com>; Krec, Michael <michael.krec@bell.ca>; Zygmunt Lozinski <zygmunt_lozinski@uk.ibm.com>; Don Clarke <D.Clarke@cablelabs.com>; Sood, Kapil <kapil.sood@intel.com>; Andreas Ljunggren <andreas.ljunggren@ericsson.com>; Phil Robb <probb@linuxfoundation.org>; ZWARICO, AMY <az9121@att.com>; Evgeny Zemlerub <EVGENYZE@amdocs.com>; David Jorm <david.jorm@gmail.com>; Stephen Terrill Stephen.terrill@ericsson.com; Igor Faynberg <i.faynberg@cablelabs.colm>

...

Creation of a proposed draft of the vulnerability procedures to follow when a vulnerability is identified, and the follow-up process .(David)
- Review in team
- when ready, propose to TSC
Secure candidates of the security response team (to identify severity and where the problem might be, coordinate and bring in the experts). looking for 3-5 people that has a Knowledge of 1. process, 2. security expertise & drive/coord, 3 sufficient knowledge of code.

...

There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues. The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue.

https://www.sonatype.com/intelligence-automation

https://scan.coverity.com/

...

https://github.com/linuxfoundation/cii-best-practices-badge

This may identify good practices, which could include guidelines. consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes.

This covers both the organizational setup and the operations of the onap security subcommittee.

ONAP security organization

The ONAP security work is split into two parts. The management of identified vulnerabilities, which is handled by the vulnerability management sub-committee and the coordination and identification of necessary security related activities which is handled by the security sub-committee.

Vulnerability management

Vulnerability management covers how to handle the reception of an identified vulnerability through to solution and communication of the vulnerability. The process is initiated by the reception of an email to onap-security@lists.onap.org. The vulnerability management procedures can be found here: ONAP Vulnerability Management.

Release Vulnerabilities

This lists the vulnerabilities reported for each Release.

ONAP security sub-committee

The ONAP security sub-committee identifies and creates proposals related to security in ONAP. As one example, it has created the proposal for the Vulnerability management procedures which are now in effect. The ongoing efforts of the ONAP security sub-committee are now to explore more proactive security activities.

The email address for the onap sub-committee is:onap-seccom@lists.onap.org with information on how to subscribe found here: onap security sub-committee email subscription.

The ONAP security sub-committee meeting logistics are:

Time: Tuesdays 1 PM UTC time
Zoom details:
https://zoom.us/j/92415036769?pwd=d0NiYXJPaGd0UEV3N3pUSE1HYUJDQT09
Or iPhone one-tap (US Toll): +16465588656,793296315# or +14086380968,793296315#
Or Telephone:
Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
Meeting ID: 924 1503 6769

International numbers available: https://zoom.us/zoomconference?m=Meh_TwQwIDnJKy9MU9R_A8hFaAUbegBa

------------------------------------------------------------------------------------------------------------------

ONAP Security sub-committee Operations

General Meeting Agenda:

Information Update
Topics to advance

Walkthrough identified items to suggest.

Backlog update and review
- Update or add item backlogs
For coming meeting:
- Agree topics for the next meeting
AOB

Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).

item A

Security sub-committee recommendations can be found here: Security Sub-Committee Recommendations

JIRA project for issue prioritization: https://jira.onap.org/projects/SECCOM/

If you want to be involved, please contact Pawel Pawlak or Amy Zwarico

Note: if you would like to change the contents of this site, please contact Pawel Pawlak or Amy Zwarico.

...

Space shortcuts

Page tree