
Please find below the minutes and recording of the SECCOM meeting held on 22nd of March 2022.

Jira No | Summary | Description | Status | Solution

Updates to Secure Design Questionnaire - Maggie

Know Secure Design 

Wording change only:

  • Current: "This requires understanding the following design principles, including the 8 principles from Saltzer and Schroeder"
  • Might be better to say something like: "This requires understanding the secure design principles, including the 8 principles from Saltzer and Schroeder:"

Larger comment 

  • Those all sound like solid principles. If you wanted to tie this to current USG activities, there is NIST's Secure Software Development Framework (SSDF).
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf + https://csrc.nist.gov/publications/detail/sp/800-218/final
  • This document highlights a core set of high-level secure software development practices.
  • For example, under "Produce Well-Secured Software", they bring up the suggestion of using forms of risk modeling to assess security risk and using standardized security features and services instead of creating proprietary implementations. (It is just talking at a slightly different level than the Saltzer and Schroeder list.)

Implement Secure Design 

  • Our experience has taught us the criticality of documenting secure design practices, software design/coding standards and code review. The SSDF also provides additional details.

Crypto Call – Generic 

  • Maybe there should be guidance on how to use the specifications when implementing secure crypto functions.

Crypto Random - Generic 

(NIST SP 800-90C)

90C is about putting the pieces together (an entropy source plus the deterministic random bit generator, DRBG, which is NIST's term for the PRNG). 90A specifies the DRBG algorithms. 90B specifies the testing requirements for entropy sources.

Status: ongoing

Solution: Update to be incorporated by Maggie into the existing Wiki:

https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template


Out of band planning for issues and topics, technical debt

Target of 10-20% of development capacity on technical debt. This should be discussed at the planning meetings.

The El Alto release was focused on technical debt. Now we have Global Requirements implemented and compliance reviewed every release.

We first focused on Java and Python upgrades, but also on moving all interfaces to HTTPS, upgrading direct dependencies, and fixing security-related SonarCloud findings that are critical. Other activity is code quality improvement.

ODL alignment is managed by Dan, who does the upgrade based on what is available on the ODL side.

The requirements coming from the security point of view are mainly the recurring ones (every 6-month cycle), except for the code quality improvement requirement.

Log4j was a good example of out-of-band planning: an extraordinary event that we responded to.

Status: started

Code quality gate 

A meeting with Seshu was planned but, due to a calendar issue, it will be moved to next week.

How to turn a Jenkins job on/off, example: Enabling Jenkins job sonar-verify

CPS blocks the code if it did not pass the quality gate.

3 quality gates considered.




SonarLint (https://www.sonarlint.org/) - real-time information about code quality.


Istanbul Maintenance Release Notes

Tickets were opened by Pawel for remaining transitive dependencies on per relevant project basis:




ONAP Security Review Questionnaire template first cut – Tony 

Discussion moved to 22nd of March.

https://wiki.onap.org/display/DW/ONAP+Security+Reviews
https://wiki.onap.org/display/DW/ONAP+Security+Review+Questionnaire+Template

Maggie will present comments.


Agenda to be booked for the next SECCOM.

ONAP Jakarta: Vulnerable Package Upgrades - Amy

DCAE had 35 dependencies to update and upgraded all but one. Nexus-IQ identifies transitive dependencies as well as direct ones, and there is a fix that is under Jess's responsibility.

A&AI upgraded more than half of its packages.




SBOM synch meeting with Jess 

Issue with the Maven plugin: bug in the instructions, Jess will try it.

Trivy is now available for SBOM generation (CycloneDX format):
https://aquasecurity.github.io/trivy/v0.24.2/advanced/sbom/cyclonedx/
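An added example, not ONAP, Nexus-IQ or Trivy code, serving both the direct-versus-transitive point from the vulnerable package upgrades item and the Trivy SBOM item: a Python script that reads a CycloneDX JSON SBOM (the format Trivy writes with --format cyclonedx), matches components against an advisory table, and reports each hit as a direct dependency, a transitive one (naming the direct dependency that pulls it in), or unreferenced. It assumes CycloneDX 1.4 JSON with metadata.component as the root, components carrying group/name/version, and a dependencies graph keyed by bom-ref. The SBOM and the advisory table are constructed for the example; the log4j-core row mirrors the public fix version for CVE-2021-44228, the json-util row is a hypothetical entry included only to produce a direct hit. The version ordering is a simplified Maven-style comparison, not Maven's full ComparableVersion.

```python
"""Triage a CycloneDX SBOM (what `trivy --format cyclonedx` emits) against an
advisory table, separating direct from transitive dependency hits.

Added example, not ONAP, Nexus-IQ or Trivy code. Assumes CycloneDX 1.4 JSON
with metadata.component (root), components (group/name/version/purl) and a
dependencies graph keyed by bom-ref. SBOM and advisories are constructed.
"""
import json
import re
from collections import deque

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
FRONTEND = "pkg:maven/org.example/web-frontend@1.4.0"
JSONUTIL = "pkg:maven/org.example/json-util@3.0.2"

# Constructed SBOM: the app depends directly on web-frontend and json-util;
# log4j-core is only reached through web-frontend.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "demo-service"}},
    "components": [
        {"bom-ref": FRONTEND, "type": "library", "group": "org.example",
         "name": "web-frontend", "version": "1.4.0", "purl": FRONTEND},
        {"bom-ref": LOG4J, "type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1", "purl": LOG4J},
        {"bom-ref": JSONUTIL, "type": "library", "group": "org.example",
         "name": "json-util", "version": "3.0.2", "purl": JSONUTIL},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": [FRONTEND, JSONUTIL]},
        {"ref": FRONTEND, "dependsOn": [LOG4J]},
    ],
})

# Constructed advisory table: (group, name, fixed_in, label). A component is
# affected when its version sorts below fixed_in. The log4j-core row mirrors the
# public CVE-2021-44228 fix version (2.15.0); the json-util row is hypothetical,
# present only to give a direct-dependency hit.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.15.0", "CVE-2021-44228"),
    ("org.example", "json-util", "3.1.0", "hypothetical advisory (constructed)"),
]


def version_key(version: str) -> list:
    """Simplified Maven-style ordering: numeric tokens compare as ints, qualifier
    tokens (beta9, rc1, ...) sort below any number in the same position."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-]", version)]


def version_lt(a: str, b: str) -> bool:
    """True if a sorts strictly below b, so '2.0-beta9' < '2.0' < '2.0.1'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))   # pad: '2.0' behaves like '2.0.0'
    kb += [(1, 0)] * (width - len(kb))
    return ka < kb


def parse_sbom(text: str):
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, edges


def dependency_paths(root: str, edges: dict) -> dict:
    """Shortest ref path from the root to every reachable component (BFS)."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def triage(sbom_text: str, advisories) -> list:
    """Match components to advisories; classify hits as direct, transitive (with
    the direct dependency that pulls them in) or unreferenced (not in the graph)."""
    root, components, edges = parse_sbom(sbom_text)
    paths = dependency_paths(root, edges)
    findings = []
    for ref, comp in components.items():
        for group, name, fixed_in, label in advisories:
            if comp.get("group") != group or comp.get("name") != name:
                continue
            if not version_lt(comp["version"], fixed_in):
                continue
            path = paths.get(ref)
            if path is None:
                kind, via = "unreferenced", None
            elif len(path) == 2:
                kind, via = "direct", None
            else:
                kind, via = "transitive", path[1]
            findings.append({"component": "%s:%s:%s" % (group, name, comp["version"]),
                             "advisory": label, "fixed_in": fixed_in,
                             "kind": kind, "via": via, "path": path})
    return sorted(findings, key=lambda f: f["component"])


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES):
        print("%-10s %s (%s, fixed in %s)%s" % (f["kind"], f["component"], f["advisory"],
                                               f["fixed_in"], " via " + f["via"] if f["via"] else ""))
```

The useful output is the "via" column: a transitive hit cannot be fixed by bumping the vulnerable artifact in the project's own pom, only by upgrading (or overriding) the direct dependency that pulls it in, which is exactly the distinction the remaining Istanbul Maintenance tickets turn on. The "unreferenced" class catches SBOMs whose components list and dependencies graph disagree, which is worth flagging rather than silently treating as direct.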


Status update to be verified with Jess.

PTL meeting

Update on Vulnerable Package Upgrades




TSC meeting

Remaining transitive dependencies in Istanbul Maintenance




The next SECCOM meeting call will be held on 29th of March 2022. Agenda:

5Y review criteria.

SonarCloud fixing with new code focus.

Quality gates for code quality improvements - continuation of the discussion.





Recording: 


SECCOM presentation:







