2022-05-10 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of May 2022.

Summary	Description	Status	Solution
LFN Developer & Testing Forum	Event June 13th-16th Porto, Portugal Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/	started
	SECCOM topics proposal: SECCOM retrospectives: Log4j fix implementation in Istanbul Maintenance Release Jakarta security status update Kohn security goals : Global Requirements and Best Practices Security PoCs: logging req code quality service mesh SBOM enablement and maintenance, and packaging Waiver policy update Unmaintained projects joint meeting with Amy, Thomas and Andreas, Chaker and Byung. On the road to gold badge - Tony and Toine - potential issue with remote participation for Tony. Operator perspective on ONAP security – Amy, Andreas? Brian? Fabian? Security principles in the implementation – Tony, Maggie - work in progress, risk to deliver for one of next conference.	started	Remaining topic proposals to be submitted. Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration. Fabian to check if could contribute on how qualify software to be deployed, what duediligence was performed. Follow-up with Kenny to be done.
OSA documentation update per release	Thomas asked for a branch to be created for Jakarta	started	Pawel to be done.
Last PTLs meeting – 25th of April	ONAP unmaintained and deprecated functions – Amy – presentation of updated version at PTL yesterday RACI matrix by Muddasar – waitig for a feedback from PTLs and Chaker Update on failing security tests below: Synch with OOM: Security dashboard: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-04/18_06-28/ and Versions reporting: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-04/18_00-27/ latest run by Michal for the weekend Failing security tests: fix nonssl_endpoints in Jakarta release: 1.SDC-3954 - open 2.SDNC-1692 - done 3.OOM-2957 – open – reassigned to Fiachra fix root_pods in Jakarta release: 1.OOM-2958 – open - reassigned to Fiachra 2.INT-2104 – in progress
Last PTLs meeting – 9th of May	Tony presented 5Y project review – CPS volunteered to be PoC and review questionaire.	ongoing	Once Toine completes, we will review the questionnaire. SECCOM to be updated.
Unmaintained Projects	Amy presented to ArchCom and to present to TSC 12 May. Good exchanges with Chaker, Byung: we should make dependency on OOM before removing Jenkins jobs (including projects without PTLs). change to repo to be verified, if no change it means repo was not touched and to be validated by Architecture Subcommittee Updated presentation is available below.		Amy to present at 12 May TSC call. Outline for the yellow to be added.
Update on failing security tests below:	Security dashboard: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-04/18_06-28/ and Versions reporting: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-05/08_13-23/ latest run by Michal - only 29% for security tests covera Failing security tests: fix nonssl_endpoints in Jakarta release: 1.SDC-3954 - open 2.SDNC-1692 - done 3.OOM-2957 – open – reassigned to Fiachra fix root_pods in Jakarta release: 1.OOM-2958 – open - reassigned to Fiachra 2.INT-2104 – in progress		Security tests taht are performed to be reviewed for test coverage and identification of missing items.
SBOM: patch to add the path for VES	https://gerrit.onap.org/r/c/ci-management/+/128405 Adoption issue requires manual manipulation of workspace flag. Next step to get PTL onboard and set target date when LF IT would implement ONAP projects	ongoing
CPS gold badge	IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP – info from Andrew G. „It's possible but non-trivial at present. I'm working on trying to make a case for making this easier to do as I can get 2FA turned on, but then if people need to change things related to it it would require helpdesk intervention with no self-service. Basically, our current setup is user hostile and could be made significantly better.” IT-23829 Hardening LFN hosted ONAP project web sites – done – info from Andrew G. All 3 Nexus systems for ONAP are now reporting grade A. We'll be taking these changes to our other managed Nexus systems as well, so thanks for the poke to improve our security posturę. We are still working on strengthening the wiki and jira scores. They're already getting an A but both of them are showing some items that could be made stronger.”	ongoing
logging PoC report	Ajay (Ericsson) is working on the connection between FluntBit and ElasticSearch. He is leaving Ericsson end of this week, so some of our OOM team members have key learning sessions with him. I told Ajay to check in his code. We plan to report our log PoC progress/demo to SECCOM sometime soon. That is the plan. Prototype for logging fields.	ongoing	update and demo will be provided - Byung coordinates that.
CPS PoC	Fabian tried to join Seshu. How to move forward: share results of the PoC during PTLs meeting to build awarness, followed by proposal to community. Closed loop for results is a defintely a value for the developer.	ongoing	Outcomes of CPS PoC to be presented in incoming weeks.
NIST 5G Cybersecurity draft document	https://csrc.nist.gov/publications/detail/sp/1800-33/draft	ongoing
Technical debt	Presentation provided by Muddasar: El Alto was first release focusing on technical debt and it was a shorter release.	started	We shall have Jira issues for all technical dept issues to track it. To review last 2 slides ta the next meeting - slides to be shared by Muddasar to SECCOM distribution list - done. One slide to be prepared and then shared with PTLs and architecture subcommitee.
SECCOM MEETING CALL WILL BE HELD ON 17th OF MAY'22.	Review of technical debt slides with special focus on 2 last ones.

Recording:

SECCOM presentation:

22_04_18_ONAPUnmaintainedProjects_v5.pdf

Space shortcuts

Page tree