ONAP Security Meeting 2018 10 10 Agenda Topics

  • Slides: 6
Download presentation
ONAP Security Meeting 2018 -10 -10

ONAP Security Meeting 2018 -10 -10

Agenda Topics General Agenda topics are driven from Jira. Security sub-committee Jira Kanban board:

Agenda Topics General Agenda topics are driven from Jira. Security sub-committee Jira Kanban board: https: //jira. onap. org/secure/Rapid. Board. jspa? rapid. View=103 As viewed in the security sub-committee coordination page: https: //wiki. onap. org/display/DW/ONAP+Security+coordination Note: Jira has been “updated” to an aligned ONAP way of working. - A flow will be produced. 2

Agenda • Status Updates: - Risk Assessment (Samuli//Pawel) VNF Security Requirements Feedback Static Code

Agenda • Status Updates: - Risk Assessment (Samuli//Pawel) VNF Security Requirements Feedback Static Code Scanning CII badging – Code of conduct Security F 2 F • Topics - Jackson Replacement CADI/ISTIO Side Car – how to move forward Review of known vulnerabilities – review update of what is done Walkthrough and review of updated CII Badging guide. Vulnerability management process – Review comments. (Pawel/Robert) ONAP Casablanca Security Testing requirements (seccom-58) – discuss ONAP security Users guide • JIRA walkthrough and Update • A. O. B 3

Secure Communication CADI side care and ISTIO • How to move forward - I

Secure Communication CADI side care and ISTIO • How to move forward - I think that we need a task to look into this - Any volunteer to take this on? • Problem Description: - With ISTIO gaining traction, what is the directional recommendation for how to provide secure communication, authentication and role based authorization leveraging CADI/AAF. 4

Security F 2 F an addition to the Risk Assessment, there is decent amount

Security F 2 F an addition to the Risk Assessment, there is decent amount of work left to be done: • The current table of risk items should be reviewed like you write, but even complemented still with more items. • Then the next step is evaluation of risk levels (probability & impact). • And finally to create backlog items for relevant projects, starting from the highest risk items. Relation between vulnerability and release passing the gates To clarify the importance of vulnerability management and its impact on passing the project release management gates. To study the relevance to link the release management and the vulnerability management processes. Vulnerability Management process review The goal is to ensure that the process is completed (lack of TBD items, added workflow and other comments coming from Robert) and well known by security subcommittee members and other ONAP members (at least PTLs). A follow-up per project could be considered in order to encourage them to make progress, or at least a Dashboard in order to have a clear overview. Risk Assessment review Review by community the table developed during series of risk assessment meetings and discussion on questionnaire proposed by Robert to identify risks from projects with closed questions types. API security To review existing recommendations and focus on missing part. ETSI has published recommendations on API security, and could be a useful contribution. CII Badging silver To handle and highlight updates for silver level. CII Badging update proposal To review proposals made for CII badging based on our risk assessment exercise. First step back of the ongoing risk assessment process, and then brainstorming regarding potential additional questions. Review of Casablanca priorities and Dublin priorities Review of the backlog for Casablanca and self-assessment of deliverables produced + focus on priorities for Dublin release- identification of tasks and their owners/leaders. MSB security requirements As MSB is crucial communication medium, it is very important to review its communication security aspects and to ensure that the transactions exchange between the different components are reliable. 5

Meeting Notes • Security for 5 G Use. Case - Linda has sent out

Meeting Notes • Security for 5 G Use. Case - Linda has sent out an update to reflect the two outstanding issues. • - It seems that the feedback is the proposed updates are OK. TSC Discussion required for how to progress the work and feed it back. • AP: Stephen • Risk assessment - Questions about plans for hashicorp-vault • VNF Security Requirements Feedback - Discussions ongoing. The bulk of the topics have been taken. Another meeting planned. Summary into seccom next week. • AAI meetings. Discussing replacement options for Jackson file. - Keon & Tian Lee. presented an investigation into replacement of the Jackson file that has vulnerabilities that are not being addressed. There is alternatives, and a bit of filtering based on intelligent criterial ( health of community, etc). It requires replacing specific code snippets that calls the Jackson library. And other imports that depend on that. It was favouring gson. Since AAI uses springboot, and springboot relies on Jason, Tian tried out using springboot with gson instead, and it seemed possible with configuration only. • • - An aception was on the healthcheck onpoint functionality with the actuator. Recomending a “Cap and grow” strategy where new functions use gson. Take to PTLs and virtual F 2 F. https: //wiki. onap. org/display/DW/Using+Google+gson+vs+Faster. XML+Jackson • Vulnerability management process – Review comments. (Pawel/Robert) - Call for a mtg to review and proposed updates. - Bring back to SECCOM. - Bring back to TSC for re-approval. 6

ONAP Architecture Overview Template ONAP Architecture Review ONAPONAP Architecture Overview Template ONAP Architecture Review ONAP
ONAP CLI Kanagaraj Manickam ONAP CLI PTL ONAPONAP CLI Kanagaraj Manickam ONAP CLI PTL ONAP
ONAP Security Meeting 2018 08 15 Agenda TopicsONAP Security Meeting 2018 08 15 Agenda Topics
ONAP security meeting 2018 03 14 Agenda topicsONAP security meeting 2018 03 14 Agenda topics
ONAP security meeting 2018 01 30 Agenda topicsONAP security meeting 2018 01 30 Agenda topics