Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of April 2020.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| Zoom security issues | Orange team will be banned next week to use zoom due to security reasons. AT&T is not using zoom for internal business - but ONAP is treated as open source, so zoom is allowed. In Samsung zoom can be used by exception. Zoom for the next 90 days will focus on fixining vulnerabilities and not delivering new features. Amy shared the link to blog with description of zoom vulnerabilities. Bad cryptography is one of the biggest issues as of today for zoom. | It is crucial to apply all the updates coming from zoom with vulnerabilities fixes. We continue using our new zoom! | ||
| Latest feedback received from Integration team | Morgan shared following feedback:
| For the only HTTP port exposed - action Amy – to contact PTL Bharath. - no OJSI ticket assigned as it should have appeared after our scans or component was not responding at the scanning moment. No value to open an additional tickets. MUSIC team should either: remove http, switch to https or ask for a waiver with justification. | ||
| Virtual ONAP event |
| We should come back to Architecture Subcommittee with a proposal for Service Mesh and once approved we should apprach TSC for a recommendation. | ||
| Guilin package upgrade proposal. | Availble here. Under restricted access Wiki information about direct dependency vulnerabilities and recommended upgrade version is provided per repository. Additionally status column should reflect actual status of the upgrade process. Priority 1 is the highest and reflects critical vulnerabilities for upgrade. Priority 2 reflects severe level vulnerabilities. Each project will have all the info in one place under its dedicated Wiki. Per each project there will be ajira ticket open with link to the Wiki. In some cases we will not eliminate all vulnerbilities but we will significantly reduce them. CLAMP is the first project without any direct vulnerability - congratulations to Martial and project team! | |||
| Jira report update | Report is available here. OJSI-145 on the whitelist - to be checked why. 3 issues from SDC, one issue from VES colector blocked by some integration testing. For VNFSDK - whu they still exposing JDWP? OOM made a really good progress with passwords removal around MariaDB-galera. Morgan reprts scan results of the current ONAP instance. We expect hash commit for removing the vulnerability for transparency. | Message to be shared with PTLs. | ||
| New zoom bridge for SECCOM | Kenny shared good news. We have a dedicated zoom for SECCOM purposes. | |||
Service Mesh risk analysis – meeting summary available here | Service mesh requirements from security perspective followed by risk analysis. Logging was discussed with special focus on Fluentd. Fabian created a platform for service mesh. UDP not supported in service mesh? | UDP support in service mesh - to be further elaborated. Link provided by Krzysztof https://istio.io/docs/ops/configuration/traffic-management/protocol-selection/ | ||
| Images | Lacking image for Go. Ubuntu 18.04 LTS. CoreOS used by ETCD. ETCD is used by MultiCloud. But the point was to update CentOS version. Tool that could be used for drawing graphes for a single image and manage to merge them into a single one. | |||
| Hackathon for https | Self-signed tls certificates to be used around begining of the release. Same methodology to be used by all projects. by M1 support for https, then Hackathon organized and by M2 everyone is integrated with AAF. | |||
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF APRIL'20 |