
This is a working page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.  Such actions could create new wiki pages addressing specific issues.

The current task is to list the activities that should be initiated.  If you want to be involved, please contact Stephen.terrill@ericsson.com 

Contact names contributing to this: LEVY, DONALD E <dl2378@att.com>; Krec, Michael <michael.krec@bell.ca>; Zygmunt Lozinski <zygmunt_lozinski@uk.ibm.com>; Don Clarke <D.Clarke@cablelabs.com>; Sood, Kapil <kapil.sood@intel.com>; Andreas Ljunggren <andreas.ljunggren@ericsson.com>; Phil Robb <probb@linuxfoundation.org>; ZWARICO, AMY <az9121@att.com>; Evgeny Zemlerub <EVGENYZE@amdocs.com>; David Jorm <david.jorm@gmail.com>; Stephen Terrill


Identified activity / Activity description / Status
Creation of a Vulnerability Response Team
  • Create a proposed draft of the vulnerability procedures to follow when a vulnerability is identified, and of the follow-up process (David).
    • Review in team
    • When ready, propose to TSC
  • Secure candidates for the security response team (to identify severity and where the problem might be, coordinate, and bring in the experts). Looking for 3-5 people with knowledge of: 1. the process, 2. security expertise and drive/coordination, 3. sufficient knowledge of the code.

Identify a Security-Audit team to audit and oversee remediation of vulnerabilities within ONAP

There are tools that can be part of the ONAP build system, such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues.  The audit team would need to sign up to run these tools against the codebase and, more importantly, review the output for relevant issues and work with the appropriate ONAP project(s) to remediate each issue.

https://www.sonatype.com/intelligence-automation

https://scan.coverity.com/


Go through the process of implementing all the best practices identified in the Core Infrastructure Initiative (CII) and receive their "Badge" of approval.

https://github.com/linuxfoundation/cii-best-practices-badge  

This may identify good practices, which could include guidelines.  Consider ensuring least privilege by design, and consider how to bring code scanning into the integration processes.
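The audit-team activity above (run the scanners, then review their output for relevant issues) and the point about bringing code scanning into the integration processes both come down to the same step: turning raw scanner findings plus the team's triage decisions into a build-gate result. The following is an added example, not ONAP project code and not the native output of Nexus Lifecycle or Coverity; the report format, finding identifiers, severity names and triage list are all constructed for illustration, and `load_findings` is the one place that would be adapted to a real scanner's report.

```python
"""Severity gate for static-scanner output in an integration pipeline.

Added example, not ONAP project code. The report below is a constructed,
generic JSON shape (one object per finding) and is not the output format of
Nexus Lifecycle or Coverity; adapt load_findings() to the scanner in use.
"""
import json
from datetime import date

# Constructed sample report: three findings a scanner might emit.
SAMPLE_REPORT = """
{
  "findings": [
    {"id": "F-1", "severity": "high",   "file": "src/main/java/App.java",
     "line": 42, "cwe": "CWE-89",  "component": "example-component"},
    {"id": "F-2", "severity": "medium", "file": "src/main/java/Util.java",
     "line": 10, "cwe": "CWE-20",  "component": "example-component"},
    {"id": "F-3", "severity": "high",   "file": "src/test/java/Fake.java",
     "line": 7,  "cwe": "CWE-798", "component": "example-component"}
  ]
}
"""

# Constructed triage list: findings the audit team has already reviewed.
# Every entry carries a justification and an expiry date so that accepted
# risk is re-examined instead of being suppressed forever.
TRIAGE = {
    "F-3": {"reason": "hard-coded credential lives in a test fixture only",
            "expires": "2099-01-01"},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(report_json):
    """Parse the constructed report format into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def gate(findings, triage, threshold="high", today=None):
    """Decide which findings block the build.

    A finding blocks when its severity is at or above `threshold` and it is
    not covered by an unexpired triage entry. Expired entries are listed
    separately (and still block) so the team re-reviews them explicitly.
    `today` may be a date or an ISO string; it defaults to the current date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold.lower()]

    blocking, accepted, expired = [], [], []
    for finding in findings:
        if SEVERITY_RANK.get(finding["severity"].lower(), 0) < min_rank:
            continue  # below the gate threshold: reported elsewhere, not blocking
        entry = triage.get(finding["id"])
        if entry is None:
            blocking.append(finding["id"])
        elif date.fromisoformat(entry["expires"]) < today:
            expired.append(finding["id"])
            blocking.append(finding["id"])
        else:
            accepted.append(finding["id"])
    return {"blocking": blocking, "accepted": accepted, "expired": expired}


def main():
    """Run the gate on the constructed report; exit non-zero if it blocks."""
    result = gate(load_findings(SAMPLE_REPORT), TRIAGE)
    for fid in result["accepted"]:
        print(f"accepted by triage: {fid} ({TRIAGE[fid]['reason']})")
    for fid in result["expired"]:
        print(f"triage entry for {fid} has expired; re-review required")
    for fid in result["blocking"]:
        print(f"BLOCK: {fid}")
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The threshold and the triage file are the two knobs an integration job would own: the threshold sets how much of the scanner's *potential*-issue noise reaches developers, and the triage list records the audit team's reviewed decisions, with the expiry forcing a periodic second look rather than a permanent suppression.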


Identify the primary relevant legislation and standards to be considered. Identify the main security standards etc. that are related to regulatory requirements.  This would be for awareness.  