...

Your Answers - Please Explain:
Yes, the majority of the CPS team and PTL are aware of security best practices and are experienced in mitigation and vulnerability resolution.

Implement Secure Design

Do the committers and PTL apply secure design principles when reviewing software for merging?

...

Your Answer - Please Explain:
Yes, the CPS team, PTL and committers review and look for security issues and recommend fixes before merging.

Know Common Errors

Do the committers and PTL understand commonly found errors (and how to counter or mitigate them)? Do they apply these principles when reviewing software for merging?

...

Your Answers - Please Explain:
Yes, the CPS team and PTL are aware of common security risks and how to mitigate them. There are also security checks in our CI pipeline.

...

Your Answer - Please Explain:

We do have clear-text default credentials in our docker-compose files, used if none are provided (only used for testing). The users of CPS are expected to override these credentials and the strategies around them.
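As an added illustration of the pattern described above (example configuration, not the CPS project's own docker-compose file): the clear-text fallback beside a form that refuses to start without an explicit value. The service name, image and variable names are placeholders I chose; the `${VAR:-default}` and `${VAR:?message}` interpolation forms are standard Docker Compose syntax.

```yaml
# Added example, not the CPS project's compose file. Service, image and
# variable names are placeholders.
services:
  example-db:
    image: postgres:15
    environment:
      POSTGRES_USER: ${DB_USERNAME:-example}
      # Weak form (what a test-only compose file typically does): if the caller
      # never sets DB_PASSWORD, Compose substitutes the clear-text fallback and
      # the stack comes up with a password that is visible in the repository.
      # POSTGRES_PASSWORD: ${DB_PASSWORD:-changeme}
      #
      # Hardened form: no fallback. `docker compose up` aborts with the message
      # below when DB_PASSWORD is unset or empty, so a missing override is a
      # start-up failure instead of a silently insecure deployment.
      POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD must be provided (for example via a .env file)}

  example-app:
    image: example/app:latest
    depends_on:
      - example-db
    environment:
      # The application receives the same value; it is never written into this file.
      DB_URL: jdbc:postgresql://example-db:5432/example
      DB_USERNAME: ${DB_USERNAME:-example}
      DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD must be provided}
```

The test-only fallback can live in a separate override file (for example a docker-compose.test.yml passed with `-f`) so the default deployment path never contains a clear-text secret; Compose also reads a `.env` file from the project directory, which should be kept out of version control.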


Security Documentation

Documentation Architecture

...

Your Answer - Please Describe:
Yes, the CPS architecture documentation can be found at https://docs.onap.org/projects/onap-cps/en/latest/architecture.html

...

Your Answer - Please Describe:

None available.


Assurance Case

Does your project actually meet its documented security requirements?

...

Your Answer - Please Explain:

We will receive a lot from NEs... are these trusted?

Subscriptions also?

Our application expects (any) client to upload models and data to be stored.

These models and data are validated via the OpenDaylight YANG parser. They are only stored once the parser accepts them as valid; the parser returns an exception for invalid models and data.


Hardening

Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?

...

Your Answer - Please Explain:

Need to discuss from Java/RESTful viewpoint.

CPS does not have a UI and does not use JavaScript.

The application uses Swagger for the RESTful API, wherein it is set that Authorization headers are required for accessing the API documentation.



Cryptographic-specific Software Questions

...

Your Answers - Please Explain:

CPS does generate random UUIDs for notifications. These UUIDs are generated via the built-in Java libraries (java.util.UUID).


Crypto Weaknesses

Does your software depend on any cryptographic algorithms or modes that have known serious weaknesses?

...

Your Answers - Please Explain:
CPS does not generate any keys.

Crypto Algorithm Agility

Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?

...

Your Answers - Please Explain:

CPS has not switched to HTTPS, but the plan is to switch to enabling a service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.


Crypto Credential Agility

...

Your Answers - Please Explain:

CPS does not store or save authentication credentials; the only information saved by CPS is data and models, either via a client's input or initial input from the application start-up.

Crypto TLS1.2

Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?

...

Your Answers - Please Explain:

CPS has not switched to HTTPS, but the plan is to switch to enabling a service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.


Crypto Used Network

Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?

...

Your Answers - Please Explain:

Not sure what is considered to be inbound and outbound communications. What is the boundary?

CPS only communicates with components within ONAP.

CPS's only communication is through HTTP.

CPS uses Kafka; as a Kafka listener we use PLAINTEXT communication, which is also Kafka's default for communication.
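As an added example (not CPS configuration, and assuming a Spring Boot client using spring-kafka, which the page does not state): the PLAINTEXT listener setting described above beside a profile that enables SSL on the client side. The broker address, consumer group and keystore paths are placeholders; the `spring.kafka.*` keys and the Kafka client properties `security.protocol` and `ssl.endpoint.identification.algorithm` are the real ones.

```yaml
# Added example, not CPS configuration. Assumes a Spring Boot application using
# spring-kafka; host names, group id and file paths are placeholders.

# Default profile: what "PLAINTEXT" means in practice. Kafka's client default
# for security.protocol is PLAINTEXT, so omitting the property gives the same
# result: no transport encryption and no client authentication.
spring:
  kafka:
    bootstrap-servers: kafka.example.internal:9092
    consumer:
      group-id: example-consumer
    properties:
      security.protocol: PLAINTEXT

---
# "tls" profile: encrypt and authenticate the connection to the broker.
# Activate with SPRING_PROFILES_ACTIVE=tls. Requires the broker to expose an
# SSL (or SASL_SSL) listener on the port given below.
spring:
  config:
    activate:
      on-profile: tls
  kafka:
    bootstrap-servers: kafka.example.internal:9093
    consumer:
      group-id: example-consumer
    properties:
      security.protocol: SSL
      # Verify the broker certificate's host name (Kafka's default since 2.0;
      # stated explicitly so it cannot be disabled by accident with "").
      ssl.endpoint.identification.algorithm: https
    ssl:
      # Broker CA: lets the client verify the broker's certificate.
      trust-store-location: file:/etc/example/tls/truststore.p12
      trust-store-password: ${KAFKA_TRUSTSTORE_PASSWORD}
      trust-store-type: PKCS12
      # Client certificate: lets the broker authenticate this consumer (mTLS).
      key-store-location: file:/etc/example/tls/keystore.p12
      key-store-password: ${KAFKA_KEYSTORE_PASSWORD}
      key-store-type: PKCS12
```

Store passwords are read from environment variables rather than written into the file. With the service mesh the answers above plan for, the application can stay on PLAINTEXT while the sidecar terminates TLS; the client-side settings in the `tls` profile are the option when the consumer itself must authenticate to the broker, and the same keys cover SASL_SSL once the SASL mechanism properties are added.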



Crypto Verification Private

...

Your Answers - Please Explain:

CPS has not switched to HTTPS, but the plan is to switch to enabling a service mesh, which should take care of HTTPS/TLS encapsulation.

There has been a POC created as part of this plan.