
Agenda table (columns: Jira No, Summary, Description, Status, Solution; no Jira numbers were recorded)

Summary: Honolulu non-functional requirements - presentation to Requirements Subcommittee

Description:

SECCOM requirements were presented on 26th of October:

  • Continue package upgrades in direct dependencies (REQ-439)
  • Continue Java (REQ-438) and Python (REQ-437) migrations
  • After the Service Mesh PoC, new requirements might arrive.
  • Harbor requirement. In Harbor:
    • you can sign the image and share the key with an application that has an account to pull or push the image
    • images can be scanned continuously and a warning sent
    • Harbor is deployed at run time, while Whitesource and Nexus-IQ are used during development.
  • Logs management:
    • common place for data - all applications should generate logs that can be collected by Kubernetes (target for next release) – Honolulu requirement (REQ-441)
    • common format for data - a minimum set of useful data in a common format (target for the Istanbul release)
  • SIEM integration (REQ-464):
    • integrate with the SIEM the same way as the other applications, using the same protocol
    • logs from ONAP to the SIEM; the Falco tool to be considered (IDS for Kubernetes)
    • alarms when a security issue is detected
  • CII Badging (REQ-443), focus on the Application Security questions:
    • Crypto Credentials Agility – half of the apps are "met" and almost half have not yet answered
    • Implement Secure Design – 1/3 of projects did not answer
    • Crypto Weaknesses – tests to be applied (3 including Morgan)
  • Helm v3 migration (REQ-442)

Status: done

Solution:

Prioritization will be done by the TSC.

With Fabian we drafted a SIEM requirement.

Description: CLAMP documentation for the flows was provided by Pierre.

It is clear for Fabian but insufficient.

Status: ongoing

Solution: Offline exchanges to be organized next week (4th of November?) between Fabian and Fabien/Pierre.

Summary: Harbor integration

Description:

Requirements for Harbor to be provided to Jessica; the Jenkins sandbox is to be used.

Internal meetings to be organized by Fabian with his team, who will come back to SECCOM with usage ideas for two features:

  • use of Trivy to scan the images
  • signing the images with Notary

Status: in standby

Summary: Secrets management

Attachment: ONAP_secrets_management.pptx

Description: Which secrets are specified during the deployment - to be addressed with operators.

Status: ongoing

Solution:

A script must be written to collect the requested information on the secrets used.

Look at the CII Badging answers in this area.

The ONAP security requirements were also covering this area (master keys).

Krzysztof to be contacted, as the Samsung team worked on this topic in the past.

Amy to check the Sonatype outputs in this area.
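As an added example (not SECCOM or ONAP code) of the collection script mentioned above: a Python inventory that reads the JSON printed by `kubectl get secrets -A -o json` and reports, per Secret, its namespace, name, type, the keys it holds, and which keys still carry a known default value. The sample dump, the Secret names and values, and the KNOWN_DEFAULTS list are constructed and hypothetical.

```python
"""Inventory the Secrets a deployment actually carries.

Added example (not SECCOM or ONAP code): it reads the JSON that
`kubectl get secrets -A -o json` prints and reports, per Secret, where it
lives, its type, which keys it holds and which keys still carry a known
default value. SAMPLE_DUMP is constructed; the names and values in it are
hypothetical.
"""
import base64
import json
import sys

# Hypothetical list of defaults a deployment should never ship with
# (assumption; extend it with the defaults found in the project charts).
KNOWN_DEFAULTS = {"password", "changeme", "admin", "secret", "123456"}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the shape kubectl emits (hypothetical names/values).
SAMPLE_DUMP = json.dumps({"items": [
    {"metadata": {"name": "so-db-creds", "namespace": "onap"},
     "type": "Opaque",
     "data": {"username": _b64("so_user"), "password": _b64("changeme")}},
    {"metadata": {"name": "aai-tls", "namespace": "onap"},
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----..."),
              "tls.key": _b64("-----BEGIN PRIVATE KEY-----...")}},
    {"metadata": {"name": "default-token-x7k2q", "namespace": "onap"},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": _b64("eyJhbGciOi...")}},
]})


def inventory(dump: str) -> list:
    """One record per Secret. Values are decoded only to compare them with
    KNOWN_DEFAULTS; the report never stores the values themselves."""
    report = []
    for item in json.loads(dump)["items"]:
        data = item.get("data") or {}
        weak_keys = []
        for key, b64 in data.items():
            try:
                value = base64.b64decode(b64).decode("utf-8", "replace")
            except ValueError:        # binascii.Error is a ValueError
                continue
            if value.strip().lower() in KNOWN_DEFAULTS:
                weak_keys.append(key)
        report.append({
            "namespace": item["metadata"]["namespace"],
            "name": item["metadata"]["name"],
            "type": item.get("type", "Opaque"),
            "keys": sorted(data),
            "weak_keys": weak_keys,
        })
    return report


def summarize(report: list) -> dict:
    """Counts per Secret type and the Secrets that need operator attention."""
    per_type = {}
    for rec in report:
        per_type[rec["type"]] = per_type.get(rec["type"], 0) + 1
    flagged = [f'{r["namespace"]}/{r["name"]}' for r in report if r["weak_keys"]]
    return {"per_type": per_type, "flagged": flagged}


if __name__ == "__main__":
    # usage: kubectl get secrets -A -o json | python3 secrets_inventory.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    rep = inventory(dump)
    for r in rep:
        print(f'{r["namespace"]}/{r["name"]} [{r["type"]}] keys={r["keys"]} '
              f'default-valued={r["weak_keys"]}')
    print(summarize(rep))
```

Pipe the real kubectl output into it; the report lists key names and which of them matched the default list, never the decoded values, so it can be shared with operators as the basis for the "which secrets are specified during deployment" discussion.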


Summary: Flow matrix

Description: Discussion point: Natacha initiated a Wiki page, "Flow matrix guidelines" (UNDER CONSTRUCTION).

Status: ongoing

Summary: Guilin version highlights

Description:
  1. Package upgrades progress
  2. Java (v8 → v11) and Python (v2.7 → v3.6) migrations
  3. Progress on packages not running as root - number decreased
  4. Migration to HTTPS as the default best practice

Status: ongoing

Solution: Ideas to be further shared by the SECCOM team.

Summary: SECCOM requirement for ONAP maintenance release

Description: "Any critical, severe or high vulnerability found in the code written by the project team MUST be fixed within 60 days or prior to the inclusion of the project in a new release, whichever occurs first"

Status: done

Solution: No specific comments received from SECCOM.

Summary: Harbor integration follow-up

Description: Errors with the demo server experienced by Jess.

Status: ongoing

Solution: To be further checked on Harbor through exchanges between Fabian and Samuli.

Summary: Whitesource configuration

Description: To do: do we recommend running Whitesource next to Nexus-IQ? We have to choose one. We might want to evaluate both within the Honolulu time frame and then recommend the final one. One of the criteria could be the possibility to export CVEs into an Excel file.

Status: ongoing

Solution: We recommend a trial period running both tools, to compare them and recommend the final one.

Summary: Java and Python latest scans

Description:

Java and Python upgrade

There is a build-time test that checks whether the images include Python 2 (interpreter; 115 images vs. 61 with Python 3) or Java 8 (runtime; 63 images vs. 55 with Java 11). We still have lots of components that have those in their image.

Problem statement:

It does not answer the question whether projects are now using only Python 3 and Java 11. In multiple cases people are using custom images and simply did not remove Python 2 and Java 8, which are present but not used.

The standard image does not have the old versions in it; we shall push projects to use the standard image for the Honolulu release, and if for some reason they need to run a custom image, they must remove what they do not use.

Amy will reach out to Pawel W. to run some additional tests.

Synch on latest recommended versions

Some projects did a great job, some did nothing. We shall push the TSC to prioritize this task.

Status: ongoing

Solution:

Amy had exchanges with Pawel W.

Script updates are needed.

Base images would not use

The Wiki is to be used for posting results - David to be contacted by Amy.

An e-mail is to be sent to onap-discuss on that by Amy.
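An added example (not the ONAP build-time test) of the problem statement above. The existing test only reports whether an old interpreter or runtime is present in the image; this script additionally resolves what the image's Entrypoint/Cmd actually start, so each image can be classified as "legacy runtime still in use" (migration needed) versus "legacy runtime present but unused" (remove it from the custom image). The file lists, the image configs and the path patterns in RUNTIME_MARKERS are constructed assumptions; inputs of this shape come from `find / -type f` inside the container (or `tar tf` of the layers) and from `docker inspect` / `skopeo inspect --config`.

```python
"""Tell 'runtime present in the image' apart from 'runtime the image runs'.

Added example, not the ONAP build-time test. It takes the file list of an
image (what `find / -type f` prints inside the container, or `tar tf` of its
layers) and the Entrypoint/Cmd/Env of its OCI config (`docker inspect`,
`skopeo inspect --config`). Both SAMPLE_IMAGES entries are constructed and
hypothetical, as are the path patterns in RUNTIME_MARKERS (standard distro
locations only; custom installs under /opt need extra patterns).
"""
import re

LEGACY = {"python2", "java8"}

RUNTIME_MARKERS = {
    "python2": re.compile(r"/bin/python2(?:\.\d+)?$"),
    "python3": re.compile(r"/bin/python3(?:\.\d+)?$"),
    "java8":   re.compile(r"/jvm/[^/]*(?:1\.8\.|java-8|jdk-?8|jre-?8)[^/]*/bin/java$"),
    "java11":  re.compile(r"/jvm/[^/]*(?:java-11|jdk-?11|jre-?11)[^/]*/bin/java$"),
}

SAMPLE_IMAGES = {
    # Python 3 service built on a custom base that still ships Python 2 and Java 8.
    "python-app": {
        "files": ["/usr/bin/python2.7", "/usr/bin/python3.6", "/app/main.py",
                  "/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java",
                  "/usr/lib/jvm/java-11-openjdk-amd64/bin/java"],
        "config": {"Entrypoint": ["python3", "/app/main.py"], "Cmd": None,
                   "Env": ["PATH=/usr/bin:/bin",
                           "JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"]},
    },
    # Java service that really still runs on Java 8.
    "java-app": {
        "files": ["/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java",
                  "/usr/bin/python2.7", "/app/app.jar"],
        "config": {"Entrypoint": ["java", "-jar", "/app/app.jar"], "Cmd": None,
                   "Env": ["JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64"]},
    },
}


def runtimes_present(files):
    """What the current build-time test measures: which runtimes are installed."""
    return {name for name, pat in RUNTIME_MARKERS.items()
            if any(pat.search(f) for f in files)}


def runtimes_invoked(config):
    """Which runtimes Entrypoint+Cmd actually start. `java` is resolved via an
    absolute path or JAVA_HOME; an unresolvable `java`/`python` is reported as
    '*-unknown' so it is not silently counted as migrated."""
    argv = list(config.get("Entrypoint") or []) + list(config.get("Cmd") or [])
    env = dict(e.split("=", 1) for e in (config.get("Env") or []) if "=" in e)
    invoked = set()
    for tok in argv:
        base = tok.rsplit("/", 1)[-1]
        if re.fullmatch(r"python2(?:\.\d+)?", base):
            invoked.add("python2")
        elif re.fullmatch(r"python3(?:\.\d+)?", base):
            invoked.add("python3")
        elif base == "python":          # bare symlink: version not visible here
            invoked.add("python-unknown")
        elif base == "java":
            if tok.startswith("/"):
                probe = tok
            elif "JAVA_HOME" in env:
                probe = env["JAVA_HOME"].rstrip("/") + "/bin/java"
            else:
                probe = ""
            hit = {n for n in ("java8", "java11") if RUNTIME_MARKERS[n].search(probe)}
            invoked |= hit or {"java-unknown"}
    return invoked


def classify(files, config):
    present = runtimes_present(files)
    invoked = runtimes_invoked(config)
    return {
        "present": present,
        "invoked": invoked,
        "legacy_in_use": invoked & LEGACY,             # migration still needed
        "stale_legacy": (present & LEGACY) - invoked,  # unused: remove from the image
    }


if __name__ == "__main__":
    for name, img in SAMPLE_IMAGES.items():
        print(name, classify(img["files"], img["config"]))
```

The "present" set reproduces what the existing test counts; "legacy_in_use" is the list to push for migration, and "stale_legacy" the list to push for clean-up of custom images. Entrypoints that go through a wrapper script are not resolved by this check and would need the script inspected as well.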


Summary: Honolulu non-functional requirements

Description:

SECCOM requirement provided after the deadline (16th of October):

  • SIEM integration (REQ-464):
    • integrate with the SIEM the same way as the other applications, using the same protocol
    • logs from ONAP to the SIEM; the Falco tool to be considered (IDS for Kubernetes)
    • alarms when a security issue is detected

Status: done

Solution:

Prioritization will be done by the TSC.

With Fabian we drafted a SIEM requirement.


Summary: OOM tests

Description: Weak ciphers could be tested.

Solution: To be followed up with the OOM team - Amy and Tony to discuss together.

Summary: CII badging requirement

Description: Requirement to be updated.

Status: ongoing

Solution: Tony to update the Jira Epic.
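For the OOM tests item above, an added example (not OOM's test code) of what a weak-cipher test can look like: classify() flags weak suites in a cipher list such as the one `nmap --script ssl-enum-ciphers` or `openssl s_client` reports, and probe_server() actively tests a live endpoint by offering one candidate suite per handshake and recording which ones the server accepts. SAMPLE_SCAN, PROBE_CANDIDATES and the host name in the usage comment are constructed; the weak-cipher patterns are this example's own policy.

```python
"""Check which TLS cipher suites a service offers and flag the weak ones.

Added example (not OOM's test code). classify() works on a list of OpenSSL
cipher names, e.g. the output of `nmap --script ssl-enum-ciphers` or
`openssl s_client`; SAMPLE_SCAN is a constructed list. probe_server() is the
active check: it offers one candidate cipher per handshake and records which
ones the server accepts (needs network; not exercised offline).
"""
import re
import socket
import ssl

# Weak = must not be offered at all. Patterns over OpenSSL cipher names.
WEAK_PATTERNS = {
    "null-encryption": re.compile(r"NULL"),
    "export-grade": re.compile(r"EXP"),
    "rc4": re.compile(r"RC4"),
    "des/3des": re.compile(r"DES"),          # also matches DES-CBC3 (3DES)
    "md5-mac": re.compile(r"MD5"),
    "anonymous-dh": re.compile(r"^(?:ADH|AECDH)"),
}
# Not weak per se, but RSA key exchange gives no forward secrecy: phase out.
NO_PFS = re.compile(r"^(?:AES|CAMELLIA|SEED)")

SAMPLE_SCAN = [  # constructed: what a scanner might list for a legacy endpoint
    "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA",
    "RC4-MD5", "NULL-SHA256", "EXP-RC4-MD5", "ADH-AES128-SHA",
]

# Candidates worth probing against a live server (legacy suites first).
PROBE_CANDIDATES = ["NULL-SHA256", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
                    "ECDHE-RSA-AES128-GCM-SHA256"]


def classify(cipher_names):
    """Split a cipher list into weak suites (with reasons) and no-PFS suites."""
    weak, no_pfs = [], []
    for name in cipher_names:
        reasons = [r for r, p in WEAK_PATTERNS.items() if p.search(name)]
        if reasons:
            weak.append((name, reasons))
        elif NO_PFS.match(name):
            no_pfs.append(name)
    return {"weak": weak, "no_pfs": no_pfs}


def probe_server(host, port, candidates=PROBE_CANDIDATES, timeout=3.0):
    """Offer exactly one cipher per handshake; a completed handshake means the
    server accepts it. Trust is deliberately not checked here: the question is
    what the server offers, not whether its certificate is valid."""
    accepted = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3 suites
        try:
            ctx.set_ciphers(f"{name}:@SECLEVEL=0")     # SECLEVEL=0 lets OpenSSL offer legacy suites
        except ssl.SSLError:
            continue                                   # suite not built into the local OpenSSL
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            pass
    return accepted


if __name__ == "__main__":
    print(classify(SAMPLE_SCAN))
    # e.g. classify(probe_server("oom-ingress.example.internal", 443))  # hypothetical host
```

The active probe can only test suites the local OpenSSL build still contains (RC4 and 3DES are often compiled out), so a probe reporting "not accepted" for a suite it could not offer is not evidence that the server rejects it; for full coverage run it from a host with a legacy-capable OpenSSL or use a dedicated scanner.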

Summary: CII Dashboard

Description: 3 projects are silver now, and one of them (VVP) is even at 65% of gold; 2 others are at 57% of gold (Policy and AAF); CLAMP is at 96% silver and over 40% gold.

Status: ongoing

Solution: Progress was made.

Summary: SIEM requirement

Description:

To be added, as it is mature:

An implementation is done to identify events that compromise the system.

This information is fed back because only an intervention can stop this risk.

The events are logged and, according to rules, interventions are made according to the risks.

An external system must be used to save and display the logs.

A secure protocol must be used to transfer the logs between ONAP and the external system.

Status: done

Solution: To be shared on the next PTLs call.
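An added example (not ONAP's SIEM integration) that puts the points of the SIEM requirement above into code: a rule that turns repeated authentication failures into an alert-level event that needs intervention, RFC 5424 formatting of the logged events, and shipping them to the external system over TLS (RFC 5425 octet-counting framing) with certificate verification and a TLS 1.2 floor. Event types, rules, the burst threshold, host and application names and the sample events are constructed; `onapsec@32473` uses the enterprise number RFC 5612 reserves for documentation, not a registered ONAP SD-ID.

```python
"""Identify security-relevant events, log them, and ship them to an external
SIEM over a secure channel: RFC 5424 syslog framed per RFC 5425 (TLS).

Added example, not ONAP's logging or SIEM integration. RULES, the burst
threshold, the component/host names and SAMPLE_EVENTS are constructed and
hypothetical; `onapsec@32473` uses the enterprise number RFC 5612 reserves
for documentation, not a registered ONAP SD-ID.
"""
import datetime
import socket
import ssl

FACILITY_LOCAL0 = 16
SEVERITY = {"alert": 1, "warning": 4, "info": 6}       # RFC 5424 numerical codes

# Event type -> severity. 'alert' is the level at which an operator must intervene.
RULES = {"login_ok": "info", "auth_failure": "warning",
         "auth_failure_burst": "alert", "privilege_change": "alert"}
BURST_THRESHOLD = 3

SAMPLE_EVENTS = [  # constructed
    {"type": "auth_failure", "src": "10.0.0.5", "user": "admin", "msg": "bad password"},
    {"type": "auth_failure", "src": "10.0.0.5", "user": "admin", "msg": "bad password"},
    {"type": "login_ok", "src": "10.0.0.9", "user": "operator", "msg": "session opened"},
    {"type": "auth_failure", "src": "10.0.0.5", "user": "admin", "msg": "bad password"},
]


def correlate(events, threshold=BURST_THRESHOLD):
    """Apply the burst rule: >= threshold auth failures from one source raise
    one 'auth_failure_burst' event, the kind of event that compromises the
    system and needs an intervention rather than just a log line."""
    failures = {}
    for e in events:
        if e["type"] == "auth_failure":
            failures[e["src"]] = failures.get(e["src"], 0) + 1
    out = list(events)
    for src, n in failures.items():
        if n >= threshold:
            out.append({"type": "auth_failure_burst", "src": src, "count": n,
                        "msg": f"{n} failed logins from {src}"})
    return out


def _sd_escape(v: str) -> str:
    """RFC 5424 section 6.3.3: escape the characters ", \\ and ] in PARAM-VALUE."""
    return v.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(event, hostname="so-api-handler", appname="onap-so", ts=None):
    """One syslog line: PRI VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    sev = RULES.get(event["type"], "info")
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[sev]
    ts = ts or datetime.datetime.now(datetime.timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    sd = " ".join(f'{k}="{_sd_escape(str(v))}"'
                  for k, v in sorted(event.items()) if k not in ("type", "msg"))
    return (f"<{pri}>1 {stamp} {hostname} {appname} - {event['type']} "
            f"[onapsec@32473 {sd}] {event.get('msg', '')}")


def frame(line: str) -> bytes:
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def tls_context(cafile=None):
    """Client context for the SIEM collector: certificate verification and
    hostname check on, TLS 1.2 as the floor. cafile is the collector's CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def ship(events, host, port, cafile=None):
    """Correlate, format and send over TLS (needs network; not exercised offline)."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        for e in correlate(events):
            tls.sendall(frame(format_rfc5424(e)))


if __name__ == "__main__":
    for e in correlate(SAMPLE_EVENTS):
        print(format_rfc5424(e))
    # ship(SAMPLE_EVENTS, "siem.example.internal", 6514)   # 6514 = syslog over TLS; hypothetical host
```

Using the same syslog-over-TLS transport as the other applications feeding the SIEM is what "the same protocol" in the requirement amounts to here; the collector's CA in `cafile` is what makes the channel authenticated rather than merely encrypted.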


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 10th OF NOVEMBER'20.

Agenda: secrets management by Natacha; Harbor discussion.




Recording: 2020-11-03_SECCOM_week.mp4

SECCOM presentation: 2020-11-03 ONAP Security Meeting - AgendaAndMinutes.pptx