
Kubernetes security audit

Pawel Pawlak
 

Hello SECCOM Team,

The Kubernetes project recently completed a security audit, including a review of source code, system design, and live behavior in a test environment.

 

Happy reading ;-)

https://github.com/kubernetes/community/tree/master/wg-security-audit

 

Best regards

 

Paweł Pawlak

 

ONAP SECCOM Chair

Leader in IT & Network Convergent Operations
FT/TGI/OLN/TOP/OST

 

Orange Polska S.A.

Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

Do you need to print this message? Think about the environment.
__________________________________________________________________
The content of this message is the property of Orange Polska and contains information constituting a trade secret of Orange Polska. If you are not its addressee, or have received it by mistake, please notify the sender and delete it permanently. Orange Polska Spółka Akcyjna, with its registered office at Al. Jerozolimskie 160, 02-326 Warszawa, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under number 0000010681; REGON 012100784, NIP 526-02-50-995; share capital of PLN 3,937,072,437, fully paid up.

 

 


Re: SECCOM recommendation for the El Alto Release

Catherine LEFEVRE
 

Team ,

 

Just an update – I guess that SDN-C has solved the issue related to “SDNC portal must be disabled by default”

See https://gerrit.onap.org/r/#/c/oom/+/97485/

 

Concerning the second item, additional work is indeed still required

https://docs.onap.org/en/elalto/submodules/sdnc/oam.git/docs/release-notes.html

 

Best regards

Catherine

 

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY
Sent: Tuesday, October 22, 2019 5:24 PM
To: onap-seccom@...
Subject: [Onap-seccom] SECCOM recommendation for the El Alto Release

 


 


Re: SECCOM recommendation for the El Alto Release

Krzysztof Opasiak
 

Hi,

couple of comments from my side:

On 22.10.2019 17:23, Amy Zwarico wrote:
On the Monday, 21 October PTL call, Catherine Lefevre requested a
formal SECCOM recommendation for the El Alto release based on the KPI
data presented. On today’s SECCOM call (22 October) we reached agreement
that the *ONAP El Alto should not be released until the SDNC team
re-enables the remote code execution vulnerability work-around
implemented in Dublin.*

•*SDNC portal must be disabled by default*
SDNC portal must be disabled by default (replica set 0) unless proper
fixes are provided.


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*.
Technically they are all documented in release notes for Dublin as known
security issues. By default our release notes are cumulative so as long
as we don't document this as fixed they are unfixed.

But taking into account how serious those vulnerabilities are I believe
that mentioning them once again under known security issues in the El Alto
release notes would improve our transparency.


The analysis that led to this recommendation is documented below. If you
have any questions, you can contact Krzysztof Opasiak or me.

•SECCOM recommendation to TSC about El Alto security status based on
KPIs for the release

-*ONAP El Alto should not be released until the SDNC team re-enables the
remote code execution vulnerability work-around implemented in Dublin.*
or provide proper fixes;)


•*SDNC portal must be disabled by default*
or just fixed


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*

-OJSI Tickets

•21 HTTP ports remain

•12 CVEs closed

•7 CVEs in progress

•*3 SDNC remote code execution CVEs are blocking for the
release* (https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132),
https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123),
https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))
OJSI-203 - unprotected APIs in SO
OJSI-15 - XSS vulnerabilities in ONAP Portal
OJSI-34 - SQL injections in SDNC
OJSI-174 - SQL injections in Portal

OJSI-203 is the one that I mentioned that SO decided to carry over to
Frankfurt due to resource constraints.

OJSI-15 is a Work in Progress. It's just a significant amount of work
which is not finished yet.

OJSI-34 - to be consulted with SDNC Team but not as severe as the 3 above

OJSI-174 - Dominik worked on this but I'm not sure if he managed to fix
everything by now. Just asked him for an update.


•7 CVEs with no action
OJSI-93 - user impersonation (still lack of proper user management)
OJSI-88 - JDWP exposed on localhost
OJSI-202 - Unprotected APIs in OOM
OJSI-204 - Unprotected APIs in MSB
OJSI-205 - Unprotected APIs in CLI
OJSI-63 - Jolokia in APPC
OJSI-200 - Unprotected APIs in Logging

OJSI-88 and OJSI-63 are not as severe as the 3 from SDNC and I know that
APPC started some work on OJSI-63.


•11 remaining unresolved CVEs are not blocking
Agree.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
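The “21 HTTP ports remain” KPI above counts ONAP services still reachable over plaintext HTTP. The script below is an added example, not ONAP or SECCOM tooling, showing one way to reproduce such a count against a live cluster: it reads the JSON printed by `kubectl get svc -A -o json`, flags ports whose name or number conventionally means plaintext HTTP while skipping anything named https/tls/ssl, and by default counts only NodePort and LoadBalancer services, since those are the ones exposed outside the cluster. The embedded sample JSON, the service names in it and the name/number heuristics are constructed assumptions for illustration, not ONAP’s actual service inventory.

```python
"""Flag Kubernetes Services that expose plaintext HTTP ports.

Added example, not ONAP or SECCOM tooling. Input is the JSON that
`kubectl get svc -A -o json` prints; the sample below is constructed.
"""
import json
import sys
from typing import Dict, List

# Constructed sample (assumed service names, not a real ONAP inventory):
# a NodePort UI with both http and https, an internal-only API, a TLS-only service.
SAMPLE_SVC_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "onap", "name": "example-ui"},
         "spec": {"type": "NodePort",
                  "ports": [{"name": "http", "port": 8080, "nodePort": 30201, "protocol": "TCP"},
                            {"name": "https", "port": 8443, "nodePort": 30202, "protocol": "TCP"}]}},
        {"metadata": {"namespace": "onap", "name": "example-api"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"name": "api", "port": 8080, "protocol": "TCP"}]}},
        {"metadata": {"namespace": "onap", "name": "example-tls"},
         "spec": {"type": "NodePort",
                  "ports": [{"name": "https", "port": 443, "nodePort": 30203, "protocol": "TCP"}]}},
    ]
})

# Heuristics (assumptions): port names and numbers conventionally used for plaintext HTTP.
HTTP_PORT_NAMES = {"http", "web", "ui", "portal", "api"}
HTTP_PORT_NUMBERS = {80, 8080, 8081, 8000, 8008}


def is_plaintext_http(port: Dict) -> bool:
    """True when the port's name or number suggests plaintext HTTP.

    Anything explicitly named https/tls/ssl is treated as encrypted.
    """
    name = (port.get("name") or "").lower()
    number = port.get("port")
    if "https" in name or "tls" in name or "ssl" in name:
        return False
    return name in HTTP_PORT_NAMES or number in HTTP_PORT_NUMBERS


def find_http_ports(svc_json: str, external_only: bool = True) -> List[str]:
    """Return 'namespace/name:port' for each plaintext HTTP port found.

    With external_only, only NodePort and LoadBalancer services count,
    because those are the ones reachable from outside the cluster.
    """
    findings: List[str] = []
    for svc in json.loads(svc_json).get("items", []):
        meta, spec = svc["metadata"], svc.get("spec", {})
        if external_only and spec.get("type") not in ("NodePort", "LoadBalancer"):
            continue
        for port in spec.get("ports", []):
            if not is_plaintext_http(port):
                continue
            label = f"{meta['namespace']}/{meta['name']}:{port['port']}"
            if port.get("nodePort"):
                label += f" (nodePort {port['nodePort']})"
            findings.append(label)
    return findings


if __name__ == "__main__":
    # Read real `kubectl get svc -A -o json` output from a pipe; fall back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SVC_JSON
    hits = find_http_ports(data)
    print(f"{len(hits)} plaintext HTTP port(s) exposed outside the cluster")
    for hit in hits:
        print("  ", hit)
```

Pipe live output into it (for example `kubectl get svc -A -o json | python3 http_ports.py`, with `http_ports.py` as an assumed file name); with nothing on stdin it runs on the embedded sample. Treat the hits as candidates to confirm with a TLS probe of each port, since a port named “http” can still terminate TLS and a port named “api” can be either.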


SECCOM recommendation for the El Alto Release

Amy Zwarico
 

On the Monday, 21 October PTL call, Catherine Lefevre requested a formal SECCOM recommendation for the El Alto release based on the KPI data presented. On today’s SECCOM call (22 October) we reached agreement that the ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.

      SDNC portal must be disabled by default

      All ONAP CVEs for the SDNC remote code execution vulnerability must be documented.

 

The analysis that led to this recommendation is documented below. If you have any questions, you can contact Krzysztof Opasiak or me.

      SECCOM recommendation to TSC about El Alto security status based on KPIs for the release

-          ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.

      SDNC portal must be disabled by default

      All ONAP CVEs for the SDNC remote code execution vulnerability must be documented

-          OJSI Tickets

      21 HTTP ports remain

      12 CVEs closed

      7 CVEs in progress

      3 SDNC remote code execution CVEs are blocking for the release (https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132), https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123), https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))

      7 CVEs with no action

      11 remaining unresolved CVEs are not blocking

-          CII Badging

      Significant improvement in overall badging

      Some projects lagging on badging activity

      CII Badging is not blocking for the release

-          Vulnerability Review Tables

      Vulnerability analysis is nearly complete, projects made progress on closing vulnerabilities in El Alto

      Vulnerability Review Tables is not blocking for the release

-          Recommendation from SECCOM: Add the status of the inactive projects to the release documentation by including the last commit date in each vulnerability review page

 

 

​​​​​Amy Zwarico, LMTS

Chief Security Office / Emerging Services Security

AT&T Services

(205) 613-1667

 

"This e-mail and any files transmitted with it are the property of AT&T,  and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your electronic device. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."

 


Frankfurt Release Requirements - Target: Oct 15th, EOD !!!

Catherine LEFEVRE
 

Dear Frankfurt « Owners »,

 

Thank you for submitting your use cases and your requirements for the Frankfurt release.

We are really excited to kick off Frankfurt as soon as possible

https://wiki.onap.org/display/DW/Frankfurt+Release+Requirements

 

The TSC is currently performing some prioritizations based on your inputs and EUAG inputs.

 

It is essential that we collect your additional inputs no later than Oct 15th, 2019, end of your day

If we do not get them on time then we will postpone your use case/requirements to the Guilin Release.

 

·        Use Case / requirements should be reviewed by the Architecture Team ASAP

·        As you know, we are currently under capacity concerning our Testing activities

Therefore a new column “Integration Lead” has been added to identify one per use case, per requirement.

The Integration Lead will have the following responsibilities:

o   Identify the testers

o   Define the Integration Test Plan for the use case or requirement

o   Develop with his/her testers the automated tests

o   Provide Test Results to the Integration Team

 

·        Provide project’s impact for your use case/requirement. Example: SDC (C); SO (C) , AAI(TO)

C= Code Change, TO= Test Only

 

·        Provide the list of Dev committed to each impacted PTL per use case, per requirement, i.e. these columns should be filled in

 

 

               Examples           

               SDC committed by Ericsson

               SO partially committed by Nokia

               SO will only support REQ-xxx

 

·        Provide T-Shirt Size – is it a multiple release requirement or not?

·        Provide Company Engagement

 

If you look at the TSC minutes (Oct. 10th), you will find the list of missing items per use case, per requirement.

https://wiki.onap.org/display/DW/TSC+2019-10-10

 

If your use case/requirement is not listed in the table then the Architecture team did not approve it or has not yet finalized the review.

 

Please let us know if you have any question concerning our requests.

 

Many thanks & regards

Catherine

 

Catherine Lefèvre

AVP Software Development & Engineering

 

AT&T Labs – Network Cloud and SDN Platform Integration

SDN Platform & Systems

ECOMP/RUBY/SPP-NEAM-Appl. Servers/SIA

ONAP TSC Chair

 

 

Phone: +32 81 84 09 08

Mobile: +32 475 77 36 73

catherine.lefevre@...

 

TEXTING and DRIVING… It Can Wait

AT&T

BUROGEST OFFICE PARK SA

Avenue des Dessus-de-Lives, 2

5101 Loyers (Namur)

Belgium

 

 

NOTE: This email (or its attachments) contains information belonging to the sender, which may be confidential, proprietary and/or legally privileged. The information is intended only for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient, you are hereby notified that any disclosure, distribution or taking of any action in reliance on the content of this is strictly forbidden. If you have received this e-mail in error please immediately notify the sender identified above.

 


Canceled: VNF Security Requirements Refresh

Amy Zwarico
 

Canceling this week’s meeting in order to host an ODL call. We will resume on October 17.
 
Weekly meeting to work on revisions to the VNF security requirements.
 
 


Portal SDK 2.6.0

Catherine LEFEVRE
 

Good morning/afternoon SECCOM,

 

I want to inform you that Portal SDK 2.6.0, recently delivered, will not be integrated into the impacted components, i.e. CLAMP, VID, PORTAL etc., as part of the El Alto release.

 

We need to discuss with the PTLs on 10/7 a plan post-El Alto, i.e. a self-release from the impacted projects this year.

 

Best regards

Catherine

 


 


SECCOM and Architecture synch meeting request

Pawel Pawlak
 

Hello Steve,

Following the recent discussion we had at the SECCOM meetings, it would be great to have a sync meeting in the coming weeks with the Architecture Subcommittee. There are a few topics to address: certificate management or ISTIO implementation are good examples to start with.

 

Please let me know possible dates, we could join your weekly call, or book some dedicated slot if needed.

 

Best regards    

 

Paweł Pawlak

 


 

 


Canceled: VNF Security Requirements Refresh

Amy Zwarico
 

Unfortunately, I have to cancel this week because we are using this time slot to meet about the ONAP ODL package.
 
Weekly meeting to work on revisions to the VNF security requirements.
 
 


VNF Security Requirements Refresh

Amy Zwarico
 

Unfortunately, I have to cancel this week because we are using this time slot to meet about the ONAP ODL package.
 
Weekly meeting to work on revisions to the VNF security requirements.
 


Link to Docker and Kubernetes CIS Benchmarks

Amy Zwarico
 

I uploaded the Docker and Kubernetes CIS Benchmark documents to the Security Subcommittee Best Practices page on the wiki: https://wiki.onap.org/display/DW/Docker+and+Kubernetes+Security

 

​​​​​Amy Zwarico, LMTS


 


Canceled: VNF Security Requirements Refresh

Amy Zwarico
 

Canceling for ONS.
 
Weekly meeting to work on revisions to the VNF security requirements.
 
 


Re: onap seccom: communication matrix updated

natacha.mach@...
 

Hello

here is an updated version of the communication matrix YAML file.

The main modifications concern the compatibility with YAML format...

Regards

Natacha


From: MACH Natacha TGI/OLS
Sent: Tuesday 17 September 2019 09:13
To: onap-seccom@...
Subject: onap seccom: communication matrix updated

Hello Seccom,

 

Please find enclosed a new version of the communication matrix trying to take into account the last remarks.

 

All comments are welcome.

 

Best regards

Natacha

 

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: VNF Security Requirements

Amy Zwarico
 

Please provide all comments and votes by October 2.

 

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of natacha.mach via Lists.Onap.Org
Sent: Friday, September 20, 2019 2:15 AM
To: ZWARICO, AMY <az9121@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] VNF Security Requirements

 



Re: VNF Security Requirements

natacha.mach@...
 

hello

Thanks for the information.

What is the deadline?

Regards

Natacha


From: onap-seccom@... [onap-seccom@...] on behalf of Amy Zwarico [amy.zwarico@...]
Sent: Friday 20 September 2019 02:59
To: onap-seccom@...
Cc: BOZAWGLANIAN, HAGOP
Subject: [Onap-seccom] VNF Security Requirements



VNF Security Requirements

Amy Zwarico
 

Please review the following requirement and vote to accept or not.

 

https://jira.onap.org/browse/VNFRQTS-457

https://jira.onap.org/browse/VNFRQTS-660

https://jira.onap.org/browse/VNFRQTS-661

https://jira.onap.org/browse/VNFRQTS-712

https://jira.onap.org/browse/VNFRQTS-713

https://jira.onap.org/browse/VNFRQTS-726

https://jira.onap.org/browse/VNFRQTS-727

https://jira.onap.org/browse/VNFRQTS-728

 

 

​​​​​Amy Zwarico, LMTS


 


Re: Jira Cleanup

Pierre Close
 

Hello Amy,

 

My personal opinion:

 

  • 54, 56, 62, 86, 90 are probably worth investigating further, especially 56, 62 and 90 to formalize what is/might be existing.
  • I have the feeling that 89 is a combination of 56 and 62, but I might be wrong.

 

As for the others:

 

  • 6: as discussed, possibly a huge work that would be trying to catch up endlessly
  • 18: covered by the xNF requirements that were defined?
  • 26: related to security scans we discussed recently? I mean, would this SECCOM-26 help for security scans requirement?
  • 40: honestly, nothing I can remember about it

 

Comments are welcome

 

Best regards,

Pierre

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of ZWARICO, AMY
Sent: Tuesday, September 17, 2019 9:23 PM
To: onap-seccom@...
Subject: [Onap-seccom] Jira Cleanup

 


 


AAF init container usage tracking

Pawel Baniewski (Nokia)
 

Dear SECCOM,

 

Do you know who is tracking the feature called “Use AAF init container to get TLS certificates” or where I can find the list of JIRA tickets from all ONAP projects which are addressing the mentioned feature?

I would like to see which components are already using the AAF init container, and which plan to, and when.

 

Regards

Pawel Baniewski

____________________________________________

Nokia Mobile Networks  BTSOAM Serviceability ARCH Tribe Architect

 

mobile: +48 728 361 386

 


M3 Checklist Updates

Amy Zwarico
 

On the 2019-09-17 SECCOM call we discussed updates to the M3 checklist for CII badging requirements. Two other additions to the checklist were suggested.

·         Require projects to enable authentication on all interfaces

·         Require projects to implement hardening features – SECCOM will provide a list of the hardening requirements

I have added the three new questions to the M3 checklist on the ONAP security recommendation development page. The new entries are highlighted in blue.

 

Pawel Baniewski has agreed to provide a list of hardening features, and Jonathan Gathman sent out requirements for hardening access to databases.

 

Please provide feedback for the three new requirements.

 

​​​​​Amy Zwarico, LMTS


 


Jira Cleanup

Amy Zwarico
 

We are cleaning up the SECCOM Jira. Please review the following tickets which have no owners and indicate whether you think that SECCOM should identify an owner to work on the ticket (+1) or close the ticket as something that SECCOM should not pursue (-1).

·         SECCOM-6, SECCOM-18, SECCOM-26, SECCOM-40, SECCOM-54, SECCOM-56, SECCOM-62, SECCOM-86, SECCOM-89, SECCOM-90

 

 

​​​​​Amy Zwarico, LMTS
