You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »

Location: Warsaw, Poland

Zoom Bridge: https://zoom.us/s/641966405 

One tap mobile +16465588656,,641966405# US (New York) +16699006833,,641966405# US (San Jose)
Dial by your location: +1 877 369 0926 US Toll-free  +1 855 880 1246 US Toll-free
Meeting ID: 641 966 405
Find your local number: https://zoom.us/u/afKvl26PD

Recommended Hotels

  • Westin (5 star rating)

  • Golden Tulip  Warsaw Centre (4 star rating)

  • Hilton (5 star rating)

  • Intercontinental (5 star rating)

  • For people with limited budget: Hotel Campanile Warszawa (3 star rating)

Proposed Agenda

TimeTopicTopDriver/PresenterDescription
28 November


9:00 - 9:15Status of the Casablanca Priorities  (SECCOM-82)Amy

Review the Casablanca security achievements    18_11_28_ONAPCasablancaSecurityPrioritiesStatus.pptx

9:15 - 10:00Outline Dublin Security Priorities (SECCOM-73)Stephen

Create the Dublin security priorities draft to review with seccom and present to the TSC 2018-11-14 Dublin Security - RequirementsV2.pptx

10:00 - 10:30Vulnerability Management Process Review (SECCOM-63)Pawel/Robert

Updates to the vulnerability management process


10:30 -10:45 Break

10:45 11:15Silver CII Badging (SECCOM-79)Amy

Determine the Silver requirements the projects need to focus on for Dublin and the requirements that are met by the overall ONAP processes  18_11_28_ONAPDublinCIISilverRequirements.pptx

11:15 - 12:00

Relationship between vulnerability reviews and release gates

(relates to security by design (SECCOM-75))

Amy

Lessons learned from the Beijing and Casablanca reviews

Enumerate the vulnerability mitigates tasks for each milestone and release candidate. This will help the projects schedule package upgrades, replacements, and the development of compensating controls early in the release cycle. 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx

12:00 - 1:00 Lunch

1:00 - 1:45Vulnerability handling clarifications (SECCOM-74 Amy

Create a simple workflow that will be used to explain the vulnerability remediation and documentation process to the PTLs 18_11_28_ONAPDublinVulnerabilityReviewsAndMilestones.pptx (see page 5)

1:45 - 2:30 API Security (SECCOM-80)NatachaReview the ETSI API security recommendations and requirements
2:30 - 2:45 break


2:45 - 3:00Risk Assessment Review (SECCOM-81)Pawel/Samuli

Review the findings from the risk assessments

Discuss the questionnaire proposed by Robert to help identify risk in projects

ONAP Beijing Security Assessment (DB & Kubernetes)27-11-2018--ONAP-Beijing-Security-Assessment.pptx


ONAP Beijing CIS Benchmark for K8S test: CIS_Kubernetes_1.1.xlsx


Risk Assessment table (still under development and not yet mature): ONAP Risk Assessment table v 0 8.xlsx


3:00 - 4:00 Risk Assessment Overall PlanPawel/Samuli

Define the scope of the risk assessment and the plan to complete the assessment

Focus on some selected areas of risk

4:00-4:15 Break

4:15 -5:00 wrap up

29 November


9:00 - 10:00 1hr ONAP Communication Security RequirementsPawelReview communication security between ONAP components and ensure that the transactions exchange between the different components are secure (Authentication, Authorization, Confidentiality)
10:00 - 10:30Security by design (SECCOM-75)TBD

What guidelines are required to projects and the milestones to place security first and foremost.

  • Project security documentation
  • Project communication policy to OOM
  • Overall ONAP security documentation
  • Test cases
  • No XSS vulnerabilities in GUIs
  • input validation on all GUIs and APIs
  • Test driven development
10:30-10:45 Break

10:45-11:15 Security GuidelinesZygmuntDevelop a plan to document the security of ONAP
11:15-12:30 Discussion and Review  Action ItemsAmyReview the meeting; assign action items
12:30-1:30Lunch

1:30-4:00 Backup if needed
Additional discussions among participants still available

Proposed Topics


  • Relation between vulnerability and release passing the gates
    • To clarify the importance of vulnerability management and its impact on passing the project release management gates. To study the relevance to link the release management and the vulnerability management processes.
  • Vulnerability Management process review
    • The goal is to ensure that the process is completed (lack of TBD items, added workflow and other comments coming from Robert) and well known by security subcommittee members and other ONAP members (at least PTLs). A follow-up per project could be considered in order to encourage them to make progress, or at least a Dashboard in order to have a clear overview. Lessons learned.
  • Risk Assessment review
    • Review by community the table developed during series of risk assessment meetings and discussion on questionnaire proposed by Robert to identify risks from projects with closed questions types.
  • API security
    • To review existing recommendations and focus on missing part. ETSI has published recommendations on API security, and could be a useful contribution.
  • CII Badging silver
    • To handle and highlight updates for silver level.
  • CII Badging update proposal
    • To review proposals made for CII badging based on our risk assessment exercise. First step back of the ongoing risk assessment process, and then brainstorming regarding potential additional questions.
  • Review of Casablanca priorities and Dublin priorities
    • Review of the backlog for Casablanca and self-assessment of deliverables produced + focus on priorities for Dublin release- identification of tasks and their owners/leaders.
  • MSB security requirements
    • As MSB is crucial communication medium, it is very important to review its communication security aspects and to ensure that the transactions exchange between the different components are reliable.
  • Security guidelines
    • Document the security of ONAP


 

  • No labels