ONAP Security Meeting 2018-07-25 Agenda Topics

ONAP Security Meeting 2018-07-25

Agenda Topics

General Agenda topics are driven from Jira.
Security sub-committee Jira Kanban board: https://jira.onap.org/secure/RapidBoard.jspa?rapidView=103
As viewed in the security sub-committee coordination page: https://wiki.onap.org/display/DW/ONAP+Security+coordination

Agenda

• Status Updates:
  - Silver badging: Static Code Scanning (Pawel)
  - Silver badging: Code Coverage (Arul Nambi)
  - Silver badging: [SECCOM-53] Cryptographic signing
  - [SECCOM-10] Security for 5G use cases (Linda)
  - AAF documentation: certificate management and fine grained authorization (Pawel)
  - Risk Assessment (Pawel)
  - VES security: VNF DCAE (Alok, will provide VNF requirement)
  - Secure communication when using ISTIO [SECCOM-22]
  - VNF Security Requirements [SECCOM-26]
  - NORAD Update
• Topics
  - Pluggable Authentication (Andrew)
  - Documenting ONAP security architecture (discussion)
  - Site Cleanup
• JIRA walkthrough and Update
• A.O.B.

Status Updates

• Silver badging: Static Code Scanning (Pawel)
  - Opened tickets with Synopsys; waiting for additional input from LF (LF ticket)
  - Need to have in place by M3, August 23
  - Recommendation: if possible, address blocker vulns for Casablanca; for Dublin, must fix blocker and critical, and document false positives
• Silver badging: Code Coverage (Arul)
  - Inventoried languages
  - Piloting JS code coverage; need to pilot Clojure, C/C++ (one project), Golang (one project), Erlang (one project)
  - Having trouble finding pilot projects to test other languages; need PTLs to step up; bring up at the TSC meeting tomorrow
  - Python now supported in SONAR
• Silver badging: [SECCOM-53] Cryptographic signing
• [SECCOM-10] Security for 5G use cases (Linda)
• AAF documentation for certificate management and fine grained authorization (Pawel)

Status Updates

• Risk Assessment (Samuli, Pawel)
  - Second meeting on 7/24; next meeting 7/31
  - Open items: sharing all vulns, restricting some information
    • Keep vulns private until assessment and mitigation:
      • current production release: make the vulns known
      • current release under development: do not have to publicize
    • Reacting to reported vulnerabilities: follow the wiki page; fix link to Linux kernel
    • Ensure no discrepancy between CII requirement and wiki requirement for remediating vulnerabilities
    • Need to review membership on onap-security mailing list
    • Need a pre-disclosure group that tests fixes
  - CII badging: logging and CLI, some requirements not applicable
• VES security: VNF DCAE (Alok will provide VNF requirement)
• Secure communication when using ISTIO [SECCOM-22]
• VNF Security Requirements [SECCOM-26]
• NORAD Update

Pluggable Authentication

• 11 July notes
  - Completing the design on impacted components
  - Sidecar implementation: on target for A&AI; implementing for K8s deployment, need a contributor to create the HEAT deployment; Helen volunteered to help
• Presentation of sidecar design and impacted components

Documenting ONAP security architecture

- We need a clear way to document the ONAP security architecture
• There is a basis in Beijing: https://onap.readthedocs.io/en/beijing/submodules/aaf/authz.git/docs/sections/architecture/security.html

[Diagram: Component 1 and Component 2 exchanging allowed requests over secure communication, with authentication & authorization and certificates; "using" external components and "used" external components connected via secure communication; access to allowed data only]

New Business