
This is a wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.

This covers both the organizational setup and the operations of the ONAP security sub-committee.

ONAP security organization

The ONAP security work is split into two parts: the management of identified vulnerabilities, which is handled by the vulnerability management sub-committee, and the coordination and identification of necessary security-related activities, which is handled by the security sub-committee.

Vulnerability management

Vulnerability management covers how to handle the reception of an identified vulnerability through to solution and communication of the vulnerability.  The process is initiated by the reception of an email to security@lists.onap.org.  The vulnerability management procedures can be found here: ONAP Vulnerability Management.

The vulnerability management procedures are executed by the vulnerability management sub-committee.

ONAP security sub-committee

The ONAP security sub-committee identifies and creates proposals related to security in ONAP.  As one example, it created the proposal for the vulnerability management procedures, which are now in effect.  The ongoing efforts of the ONAP security sub-committee are now to explore more proactive security activities.

The email address for the ONAP security sub-committee is onap-seccom@lists.onap.org, with information on how to subscribe found here: onap security sub-committee email subscription.

The ONAP security sub-committee meeting logistics are:

------------------------------------------------------------------------------------------------------------------

ONAP Security sub-committee Operations

Agenda for next meeting:

  • Information Update
  • Credential protection and management
  • CII Badging
  • Vulnerability management
  • Code Scanning
  • Prep for ad hoc ??
  • DMaaP received question
  • September Dev Event
  • AOB

Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com) 

  • item A 

Backlog

Identified activity: Creation of a Vulnerability Response Team
Activity description: Done.
Status: Activity closed.

Identified activity: Identify a Security-Audit team to audit and oversee remediation of vulnerabilities within ONAP
Activity description: There are tools that can be part of the ONAP build system, such as "Nexus Lifecycle", and external static scanners such as Coverity, that the ONAP community can use for free to detect *potential* issues.  The audit team would need to sign up to run these tools against the codebase and, more importantly, review the output for relevant issues and work with the appropriate ONAP project(s) to remediate them.
  https://www.sonatype.com/intelligence-automation
  https://scan.coverity.com/
Status:

Identified activity: Go through the process of implementing all the best practices identified in the Core Infrastructure Initiative (CII) and receive their "Badge" of approval.
Activity description: https://github.com/linuxfoundation/cii-best-practices-badge
  This may identify good practices, which could include guidelines (for example, ensuring least privilege by design), and consider how to bring code scanning into the integration processes.
  Also look at:
Status: Ongoing.  The security sub-committee recommends a gold level.  A discussion is ongoing about whether to attach this to the release or to project maturity.

Identified activity: Identify primary relevant legislation and standards to be considered.
Activity description: Identify the main security standards etc. that are related to regulatory requirements.  This would be for awareness.
Status:

Identified activity: Static Vulnerability Scans
Activity description: Identify and propose a process for static vulnerability scans.
Status: Started


If you want to be involved, please contact Stephen.terrill@ericsson.com 


Note: if you would like to change the contents of this site, please contact Stephen Terrill.
