This is a wiki page that captures the intent and planned/ongoing actions for the support of security coordination in ONAP.
This covers both the organizational setup and the operations of the ONAP security sub-committee.
ONAP security organization
The ONAP security work is split into two parts: the management of identified vulnerabilities, which is handled by the vulnerability management sub-committee, and the identification and coordination of necessary security-related activities, which is handled by the security sub-committee.
Vulnerability management
Vulnerability management covers how an identified vulnerability is handled from its reception through to its resolution and the communication of the vulnerability. The process is initiated by the reception of an email to onap-security@lists.onap.org. The vulnerability management procedures can be found here: ONAP Vulnerability Management.
Release Vulnerabilities
This page lists the vulnerabilities reported for each release.
ONAP security sub-committee
The ONAP security sub-committee identifies and creates proposals related to security in ONAP. As one example, it has created the proposal for the Vulnerability management procedures which are now in effect. The ongoing efforts of the ONAP security sub-committee are now to explore more proactive security activities.
The email address for the ONAP security sub-committee is onap-seccom@lists.onap.org, with information on how to subscribe found here: onap security sub-committee email subscription.
The ONAP security sub-committee meeting logistics are:
- Time: Tuesdays, 1 PM UTC
- Zoom details:
https://zoom.us/j/92415036769?pwd=d0NiYXJPaGd0UEV3N3pUSE1HYUJDQT09
- Or iPhone one-tap (US Toll): +16465588656,793296315# or +14086380968,793296315#
- Or Telephone:
- Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
- Meeting ID: 924 1503 6769
International numbers available: https://zoom.us/zoomconference?m=Meh_TwQwIDnJKy9MU9R_A8hFaAUbegBa
------------------------------------------------------------------------------------------------------------------
ONAP Security sub-committee Operations
General Meeting Agenda:
- Information Update
- Topics to advance
- Walk through identified items to suggest
- Backlog update and review
- Update or add item backlogs
- For coming meeting:
- Agree topics for the next meeting
- AOB
Requested Agenda Items: Please feel free to add topics here that you would like to have on the agenda (or send an email to stephen.Terrill(at)ericsson.com).
- item A
Security sub-committee recommendations can be found here: Security Sub-Committee Recommendations
JIRA project for issue prioritization: https://jira.onap.org/projects/SECCOM/
If you want to be involved, please contact Pawel Pawlak or Amy Zwarico
Note: if you would like to change the contents of this site, please contact Pawel Pawlak or Amy Zwarico.
5 Comments
Catherine Lefevre
Hi Stephen - I would like to suggest a couple of things:
This tool could be useful to ensure that we are not integrating any open source released under GPL, Commercial licenses, etc.
https://www.fossology.org/
I have not yet found a similar security open source product.
https://www.checkmarx.com/Open-Source-Analysis
Stephen Terrill
Hi Catherine,
Thanks for the valuable suggestions. First up I think we need to get the vulnerability procedures in place (which is reactive), then look into the more proactive activities like you have suggested. This will be taken into account when doing so.
Regards,
Steve
Zygmunt Lozinski
The Core Infrastructure Initiative focuses on the process we should use to ensure code does not have identified security issues. That is one part of the problem.
We also need to recommend design and implementation guidelines on how to do this. Sometimes described as Secure Engineering, or Secure by Design. Some guidelines are generic and some language-specific.
The OPNFV Securecode is one possible example (there are others, e.g. Deutsche Telekom's published security and privacy guidelines); the direct links are:
https://wiki.opnfv.org/display/security/Securecode
https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/security/privacy-and-security-assessment-process-358312
Catherine Lefevre
May I ask you to consider the "Authentication and Authorization Framework" as a project to meet some Security requirements? Thank you
Yury Novitsky
It looks like the "Authentication and Authorization Framework" (AAF) is vital to solve the security issue raised here: Re: Installing and Running the ONAP Demos