ONAP security meeting 2017-09-22
Agenda
- Information update
- Credentials Protection and Management
  - PKI infrastructure and CA
- Code Scanning update?
- Vulnerability Management
- September Developers event
- CII Badging for CLAMP
- AOB
Credentials Management – PKI Automation Status
- There is a proposal for a credential vault, and an ability to provision ONAP with the credentials.
- This site has been created to capture the results of the discussion: https://wiki.onap.org/display/DW/ONAP+security+Recomendations
- Way forward: document a proposal. Evgeny has a use case description that could be used as a basis.
Static Code Scanning
- Coverity appears to be a good tool.
- Fortify is another alternative.
- Question to Phil about Coverity (Stephen).
- Question: What shall we put here: https://wiki.onap.org/display/DW/ONAP+security+Recomendations
CII Badging Questions - CLAMP (Eve)
- The CLAMP team asked for clarification on some of the CII requirements.
- Provide the Security subteam the URLs for CVE listings.
  Requirement: The release notes MUST identify every publicly known vulnerability that is fixed in each new release. This is "N/A" if there are no release notes or there have been no publicly known vulnerabilities.
- Clarify which warnings should be raised by a software component.
  Requirement: It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical. Some warnings cannot be effectively enabled on some projects. What is needed is evidence that the project is striving to enable warning flags where it can, so that errors are detected early.
Vulnerability Management
- Vulnerability to test the procedure?
September Event
- Update from CII badging – feedback
- Static code scanning
- Credential Management
Action: Stephen to put this on the F2F dev event request for September.