Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 15th of February 2022.

Jira No | Summary | Description | Status | Solution

TSC update: Conditional approval of Jakarta M2

Documented process: ONAP Vulnerability Management

Process for the security review question for the period of the last 5 years


Scope to be proposed by Tony and Muddasar (with wider E2E coverage).

Tony provided OpenSSF Badge security review topics (see meeting deck) and an email with the list of secure design principles from Saltzer and Schroeder.

NIST proposal that needs to be reviewed: 

https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

Status: started

Next discussion in a 2-week time frame.

Pawel to recheck with Catherine for her feedback.

https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23423

Log4j upgrade
IT-23622 - API documentation for SonarCloud (continuation of IT-23519)

New ticket was opened as the old one was closed by Jess. Reference link provided by Jess points to the deprecated API documentation.

Status: ongoing

Tony to provide his comment under the ticket.

IT-23621 - Log4j upgrade

Log4j status update: we recommend releasing the Istanbul Maintenance release.

Following tickets opened:

  • AAI-3431 - AAI status (4 components with log4j): COMPLETE
    • aai-graph-admin, aai-resources, aai-traversal, aai-common: log4j <2.17.1 direct dependencies updated
  • DMAAP-1704 - DMAAP status (1 component with log4j): COMPLETE
    • dmaap-messagerouter-messageservice: log4j <2.17.1 direct dependencies updated
  • SDNC-1655 - SDNC status (1 component with log4j): COMPLETE - latest CLM scans for SDNC-OAM do not contain any version of log4j, so it is removed
    • sdnc-oam: log4j 1.2.17 direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591): "data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used". I have increased the priority to high and added the fixed version: Istanbul Maintenance release, plus a comment under the ticket on the need to migrate to log4j-core 2.17.1.
  • VNFSDK-827 - VNFSDK status (1 component with log4j): COMPLETE - Kanagaraj removed vnfsdk-ves-agent from Istanbul & Jakarta
    • vnfsdk-ves-agent: no scans for the Istanbul branch -> as per Kanagaraj's email sent on 24th of August, he mentioned that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.
  • Restricted Wiki for Istanbul Maintenance release created
  • CVE creation: no need to do it; we will simply document in the Release Notes the repos that were impacted and fixed (direct) and document transitive dependencies. A CVE is raised for a vulnerability discovered in the code.

ONAP CVEs opened so far:

Status: completed

Ticket opened to LFN IT on NexusIQ reporting false positive log4j direct dependencies.

To provide the SECCOM recommendation at the TSC for releasing the Istanbul Maintenance release.


Process for the security review question for the period of the last 5 years

  • Tony (slides 8 and 9):
  • Maggie:

(1) OWASP Top 10

(2) BSIMM

(3) Secure Software Development Framework

  This publication is a little different and is actually geared more for when selecting products and making good choices on deployment across the enterprise. However, it does bring up points that we may want to consider addressing across the architecture.

(4) CIS Critical Security Controls

docs.onap.org/projects/onap-osa/en/latest/osalist.html

  • Meeting deck includes vulnerable log4j findings from Trivy, Kubescape and NexusIQ scans
  • Status: ongoing

    To check with Jess the statuses of the tickets that were recently closed.

    CLM scans for each project to be done by 4th of February.

    SBOM creation: Jess created a ticket which is in progress, but is now occupied with the Nexus3 issue.

    Status: ongoing

    Security logging next steps

    Bob presented a phased approach for security logging which was consulted with the SECCOM team.

    ONAP Security Event Management

    Meeting time blocked for recurring logging calls on Fridays at 3PM UTC. Email Amy Zwarico or the SECCOM mailing list to be added to the invitation

    Status: ongoing

    Meeting on Friday at 3 PM UTC to be organized by Amy to have a working group session with Fiachra, Toine, Sylvain.


    • Muddasar:

    - Security Belts: structures the activities of secure software development
      https://github.com/AppSecure-nrw/security-belts

    - OWASP DevSecOps Maturity Model
      https://dsomm.timo-pagel.de

    - DevSecOps Platform-Independent Model: Requirements and Capabilities - SEI (FFRDC) technical report (figure 7)
      https://apps.dtic.mil/sti/pdfs/AD1152747.pdf

    - ISACA Cybersecurity Maturity Assessment (self-assessment)
      https://www.isaca.org/enterprise/cmmi-cybermaturity-platform#cmmicp-tabs

    Status: started

    The ONAP 5Y assessment should be a group capability assessment of where we stand on the security measures we have and how we measure them.

    From the assessment at the level of each project we will get a picture of ONAP as a whole.

    Pawel to create a criteria proposal (a kind of high-level document proposal) for further review based on Figure 7.



    Distinction between SCA scans: source code (better) vs. executables.

    Industry best practice is to find 3rd party packages in your code or to generate an SBOM. Having SCA scans against source code provides full information about the composition of your application.

    Status: ongoing

    TSC meeting update

    Discussion on alternative ways of packaging CNFs: ETSI SOL (option 2, supported with package signature) and ASD (some extra metadata); need to ensure signing capabilities.

    Istanbul Maintenance -> 17th of February


    ASD package Wiki: Application Service Descriptor (ASD) Onboarding Packaging Format

    PTL meeting update: Conversation on unmaintained vs. included in the build.


    Unmaintained projects

    JSON file review: which repo it is to be stored in and where.


    New repo to be requested by Thomas.

    Security logging update

    https://wiki.onap.org/display/DW/Jakarta+Best+Practice+Proposal+for+Standardized+Logging+Fields

    Some more clarifications planned; naming is causing some confusion.

    Good progress.


    One more session (on 25th of February) to complete fields review.

    Next to be reviewed with PTLs.


    SBOM creation

    Jess had trouble with polling dependencies from some project. All CLM Jenkins jobs are failing now.

    We want to make the SBOM available to the end user.

    We are compliant with the MVP for SBOM fields.

    The SPDX 3.0 standard will have an extended field capability (a long list of optional attributes) and there will be a new ISO standard associated with it.

    Status: ongoing

    Badging

    Tony working with David and Dave on getting projects moved from having an owner from the project to having David as the owner for Badging. Some owners have gone away... Additional editors do not have rights to remove somebody from the project (they can only add additional people).

    ONAP quality gates

    Quality assessment mainly for the submitted code (= delta)

    • Integrate tests with CPS
    • SO PoC

    Status: no update

    Waiting for feedback from Seshu.


    SECCOM MEETING CALL WILL BE HELD ON 22nd OF FEBRUARY'22.

    Quality gates for code quality improvements - continuation of the discussion.

    SBOM next steps - status update with DCAE.





    Recording: 2022-02-15_SECCOM_week.mp4

    SECCOM presentation: 2022-02-15 ONAP Security Meeting - AgendaAndMinutes.pptx