ONAP security meeting 2017-08-02.


1 ONAP security meeting

2 Agenda
- Vulnerability management: information update and follow-up
- CII Badging program: follow-up
- Recommendation on storage of passwords: how to achieve it
- PKI infrastructure and CA
- Follow-up on the vulnerability scanning discussion: status
- Preparation for the ad-hoc seccom/SDC/VNF SDK meeting
- AOB: September Developers event

3 Vulnerability Management
Select one vulnerability and send it in, to "clean the cobwebs" from our process.

4 CII Badging Program
Two volunteer projects: CLAMP and AAF.
Next steps:
- Proposed presentation from David to the teams (Ram for AAF not yet confirmed; David and Catherine for CLAMP confirmed).
- Propose to use the meeting slot next week.

5 Recommendation on storage of passwords - how to achieve?
Conclusion from last meeting:
- Amy has thoughts around this.
- Steve Goeringer raised the question of why passwords at all, and why not certificates (or similar approaches).
- Stephen to create a security best practice sub-page; Amy and Steve Goeringer to create a proposal to discuss in the community. Different ambition levels (R1 may not be able to achieve what we want, but at least we should point out the "gotchas"). Two weeks.
- Maybe a common module for R2 ...
- Note: Evgeny Zemlerub also expressed views to incorporate.
Any update? Meeting note: ongoing.

6 PKI infrastructure and CA (1/2)
For the called ad-hoc meetings. The ask from Chris:

"Does the Security Team have a PKI strategy? Anyone planning to host an ONAP CA? The reason I ask is that VNF SDK is considering implementing SOL-04, which has some VNF package integrity and authenticity options that require digital signatures. We'd like to align with other projects such as SDC, SO, VFC, and APPC that may need to validate the VNFs as part of the onboarding process, and we're interested in taking advantage of any PKI mechanisms already in place. Not that we're looking for more work, but if no one else is working on PKI, VNF SDK wouldn't be a bad place to home it, given that we're building a reference “marketplace” for VNFs and will have a relationship with VNF vendors.

Also, if the Security team wants to take this on, I'd like to recommend checking out Kyrio ( To my knowledge, they're the largest issuer of device certificates on the planet (cable modems, Passpoint, smart grid, and medical devices). As they say, “Kyrio is the preferred security provider for CableLabs, OpenADR, Wi-Fi Alliance, and Center for Medical Interoperability (CMI).”"

7 PKI infrastructure and CA (2/2)
For the called ad-hoc meetings. The ask from Chris (continued):

"From the VNF SDK perspective, we are supplying VNF packaging tools to vendors and then validating the uploaded VNF packages. If you think about a potential marketplace environment, where vendors upload their VNFs to a neutral marketplace (think Apple App Store or Google Play) and operators download the ones they're interested in, operator certs may not make sense. We were thinking that vendors would acquire certificates from a central place (from an ONAP CA? From a defined third party (such as Kyrio) which ONAP would use as a trusted root? Something else?). The vendors would sign their VNF packages with that cert, and VNF SDK would then validate the digital signatures as part of the VNF package validation prior to onboarding."

Meeting notes: Organize a discussion with the VNF SDK team. Avoid Mon-Wed (7-9) next week; if next Thu, the same hour as seccom is good.
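The signing and validation flow sketched in the ask above (a vendor obtains a certificate chained to a root ONAP trusts, signs the package with it, and the onboarding side validates the signature before accepting the package), worked through as an added example. This is not ONAP or VNF SDK code: it uses only Go's standard library, builds a self-signed root in memory as a stand-in for an ONAP CA or a third-party root ONAP would trust, signs a constructed package with a plain detached ECDSA/SHA-256 signature rather than the signature format SOL004 specifies, and the names "Example Trusted Root", "Example VNF Vendor", "Some Other CA" and all function names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on errors that cannot occur with the constructed inputs used here
// (key generation, certificate encoding); real code would return them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Identity is a key pair with its certificate, for a CA or for a vendor.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	DER  []byte
}

// Issue creates a certificate for cn. With parent == nil it is a self-signed CA
// (stand-in for an ONAP CA or a third-party root ONAP trusts); otherwise parent
// issues a code-signing leaf certificate to a vendor. Serial numbers are random.
func Issue(cn string, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Identity{Key: key, Cert: cert, DER: der}
}

// SignPackage is the vendor-side step: a detached ECDSA signature over the
// SHA-256 digest of the package bytes.
func SignPackage(vendor *Identity, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	sig, err := ecdsa.SignASN1(rand.Reader, vendor.Key, digest[:])
	must(err)
	return sig
}

// VerifyPackage is the onboarding-side step: first chain the signer's
// certificate to a trusted root, requiring the code-signing extended key usage,
// and only then check the signature over the package bytes.
// Returns the vendor name taken from the certificate on success.
func VerifyPackage(roots *x509.CertPool, signerDER, pkg, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, pkg, sig); err != nil {
		return "", fmt.Errorf("package signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	root := Issue("Example Trusted Root", nil) // the CA ONAP decides to trust
	vendor := Issue("Example VNF Vendor", root) // vendor's code-signing certificate
	pkg := []byte("TOSCA-Meta-File-Version: 1.0\nEntry-Definitions: Definitions/vnf.yaml\n") // constructed
	sig := SignPackage(vendor, pkg)

	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	name, err := VerifyPackage(roots, vendor.DER, pkg, sig)
	fmt.Println("valid package:", name, err)

	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 1
	_, err = VerifyPackage(roots, vendor.DER, tampered, sig)
	fmt.Println("tampered package:", err)

	rogue := Issue("Example VNF Vendor", Issue("Some Other CA", nil)) // same name, untrusted root
	_, err = VerifyPackage(roots, rogue.DER, pkg, SignPackage(rogue, pkg))
	fmt.Println("untrusted CA:", err)
}
```

The order of the checks is the point: the signer certificate is chained to the trust store (with the code-signing usage required) before the signature is examined, so a certificate from a CA outside the trust store is rejected even when it carries the same vendor name and its signature over the package is mathematically valid. What the example leaves open is exactly what the CA discussion has to settle: who operates the root, how revocation is checked at onboarding time, and how a package signature stays verifiable after the vendor certificate expires.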

8 Static Scanning
Met with Steve Winslow, who explained the Nexus IQ lifecycle:
- Good for identifying known vulnerabilities in the code in use, and in which version there is a fix.
- Doesn't do active static scanning as such (as Fortify does).
Reflection: could be good for the project leads to know which versions of components they have and which they should take.
Next steps (meeting discussion):
- Nexus IQ lifecycle: ask the LF to make it open to the PTLs. Create communication to inform the PTLs about the possibility to do so. Could be good to inform Gildas, to tie it to a release.
- Look at static code scanning tools to come up with a recommendation (e.g. FOSSology, Fortify). Amy to propose a list of tools. When we align, we can take it to the LF.

9 Preparation for the ad-hoc meeting
- If we have something to propose regarding password handling etc., we can propose it; otherwise, take a discussion.
- For this meeting, the ambition should be to understand the questions/needs. Maybe we have initial recommendations based on seccom's collective experience, or maybe we have to take actions.
- For the CA discussion: we should listen to the proposal and take a discussion.
- Other thoughts?

10 September developers event
Possible topics to raise:
- Known vulnerability scanning
- Update from the CII badging program certification attempt: feedback
- Static code scanning
Purpose? Status update or pro-active security advice regarding best practices. Don/zyg can help put together material. Still open who will present, as it is best to be physically present. Stephen to include security as a topic in the September Developers event list of topics.

