CII badging program for ONAP
ONAP security committee
Stephen Terrill
21 June, 2017
Summary
The ONAP vulnerability procedures have been approved; the security committee is now looking into proactive activities. The CII (Core Infrastructure Initiative) was created by the Linux Foundation in response to previous security issues in open-source projects (Heartbleed in OpenSSL). The CII has created a badging program to recognize projects that follow a set of identified best practices that could be adopted. There are three levels: Passing, Silver and Gold. The security sub-committee has looked at these and feels that, given ONAP is managing core critical infrastructure, the ONAP projects should follow the Gold level. A stepwise introduction is proposed.
CII badging program
Defines a set of best practices for Free/Libre and Open Source Software. It defines 3 levels: Passing, Silver and Gold.
- Encourages projects to follow the best practices
- Helps new projects discover what those practices are
- Helps users know which projects are following the best practices
Passing criteria cover general project aspects, with a higher level of security practices described in the Silver and Gold levels. Individual projects apply for the badging.
Basic introduction can be found here: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md
Silver/Gold criteria can be found here: https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md
Example criteria
Passing:
- The project website MUST succinctly describe what the software does (what problem does it solve?).
- The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project).
Silver:
- The project MUST document what the user can and cannot expect in terms of security from the software produced by the project.
- The project MUST identify the security requirements that the software is intended to meet and an assurance case that justifies why these requirements are met. The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, and evidence that common security weaknesses have been countered.
Gold:
- The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion.
CII Badging Scope and Sample Requirement Areas
- General Project Areas: project description, OSS licensing, documentation, website, support TLS, change control, unique version numbering, release notes
- Reporting: bug-reporting process, vulnerability report process
- Quality: maintain golden source for rebuilding, use common tools, automate test suite, perform new-functionality testing, address compiler warning flags
- Security: developers security knowledgeable, use good cryptographic practices, protection against man-in-the-middle (MITM) attacks, fix publicly known vulnerabilities, don't leak valid private credentials
- Analysis: perform static code analysis, perform dynamic code analysis, fix vulnerabilities
CII badging considerations
- The basic level also covers aspects that would be considered as required by the release.
- ONAP is critical infrastructure software.
- Better to start early.
Proposal
- ONAP strives for all projects included in a release to meet the Gold level of the CII badging program.
  - ONAP is critical infrastructure software.
  - As such, should not be happy with software that is not tight on security.
- Review the ONAP release planning considering the badging program best practices.
- Organize a CII badging program presentation for PTLs (from David Wheeler).
- Start with 2 projects (July), scale to the rest of the projects (August).