Presentation is loading. Please wait.

Presentation is loading. Please wait.

ONAP security meeting 2017-05-24.

Published byJoy Henry Modified over 6 years ago

Similar presentations

Presentation on theme: "ONAP security meeting 2017-05-24."— Presentation transcript:

1 ONAP security meeting

2 Agenda Walkthough of the draft vulnerability management procedures
Walkthrough of potential proactive suggestions.

3 Vulnerability Management
Walk through: Document Next Steps: Review All. Comments by Tuesday May 31st to me. Discuss comments for updating. Security Vulnerability Team Are we in a place to start getting a security vulnerability team together? Question to take to the TSC: How many branches will we support. Question to David about involvement of other 3PPP security processes.

4 Proposed proactive activities
Integrate code scanning into the submission process Define a template for a project to use in developing the security tests that have to be run on their submissions Require all submitted code be signed Attestation that the code is not vulnerable to the OWASP Top 10 Attestation that no default passwords are used Attestation that no backdoors are incorporated in the code Monitor external code for CVEs Mitigate all critical CVEs within x days Mitigate all high CVEs within y days

5 Proposed proactive activities
From Catherine FOSSology is an open source license compliance software system and toolkit. This tool could be useful to ensure that we are not integrating any open source released under GPL, Commercial licenses, etc. CheckMarx is offering a Static Application Security Testing (SAST) product that prevents vulnerabilities in our source code but it is unfortunately not free. I have not yet found a similar security open source product. Sonarqube (already part of LF ONAP infra) - is an open source platform for continuous inspection of code quality, offering reports about security vulnerabilities. Other reports are also provided about duplicated code, code standards, unit tests, test coverage, code complexity and bugs Bandit is a security linter for Python source code, utilizing the ast module from the Python standard library.

6 Proposed proactive activities
From Catherine Can we also consider the following epic - COMMON-8 - Enhanced client authentication, service discovery and authorization Open ? From a tooling perspective, FOSSology is an open source license compliance software system and toolkit. This tool could be useful to ensure that we are not integrating any open source released under GPL, Commercial licenses, etc. CheckMarx is offering a Static Application Security Testing (SAST) product that prevents vulnerabilities in our source code but it is unfortunately not free. I have not yet found a similar security open source product.

7 phil Nexuslifecycle. To support vulernability …. Periodic spotchecks
Continues checks? Need to get to a recommendation on how the information is used. Need to decide how we want to use the information given that it will be there running anyway.

8 Proposed activities (steve)
Guidelines/check lists to projects Can we see if some have already been used by other OS projects

9 Proposed Activity Summary (skeleton now)
Guidence to projects: Security checking of code as part of a release Tooling:? Security of components in which we rely? Decide what we want in the “attest” vs what is in the “release” checks How to do the compliance checking ….. David Wheeler to future meeting (phil to bring in contacts)

Download ppt "ONAP security meeting 2017-05-24."

Similar presentations

Configuration Management

Configuration Management
The Relationship between Cost & Quality Submitted by: Haya A. El-Agha Submitted to: Eng. Hani Abu Amr.

The Relationship between Cost & Quality Submitted by: Haya A. El-Agha Submitted to: Eng. Hani Abu Amr.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Vulnerability Assessments

Vulnerability Assessments
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
1 1 Roadmap to an IEPD What do developers need to do?

1 1 Roadmap to an IEPD What do developers need to do?
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
M. Gallas IT-API LCG SPI project: testing1 Software Testing Infrastructure status LCG Software Process & Infrastructure (CERN, 10/23/02)

M. Gallas IT-API LCG SPI project: testing1 Software Testing Infrastructure status LCG Software Process & Infrastructure (CERN, 10/23/02)
Product Quality, Testing, Reviews and Standards

Product Quality, Testing, Reviews and Standards
 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.

 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.
Security Assessments FITSP-A Module 5

Security Assessments FITSP-A Module 5
© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang 06-07-2012 Unit Testing.

© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang Unit Testing.
A. Aimar - EP/SFT LCG - Software Process & Infrastructure1 Software Process panel SPI GRIDPP 7 th Collaboration Meeting 30 June – 2 July 2003 A.Aimar -

A. Aimar - EP/SFT LCG - Software Process & Infrastructure1 Software Process panel SPI GRIDPP 7 th Collaboration Meeting 30 June – 2 July 2003 A.Aimar -
Federal Aviation Administration May 10-11, 2012 AST / COMSTAC Issue Coordination COMSTAC Meetings Dr. George Nield Associate Administrator FAA Office of.

Federal Aviation Administration May 10-11, 2012 AST / COMSTAC Issue Coordination COMSTAC Meetings Dr. George Nield Associate Administrator FAA Office of.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Release Management December, 2012. 2 Avaya – Confidential. Use pursuant to your signed agreement or Avaya policy. Technology Adoption Gap Increased Solution.

Release Management December, Avaya – Confidential. Use pursuant to your signed agreement or Avaya policy. Technology Adoption Gap Increased Solution.

Similar presentations

Ads by Google