ONAP security meeting
Agenda
- Information update
- Credentials Protection and Management
- PKI infrastructure and CA
- Code Scanning update?
- Vulnerability Management
- September Developers event
- CII Badging for CLAMP
- AOB
Credentials Management – PKI Automation
Status
- There is a proposal for a credential vault, and an ability to provision ONAP with the credentials.
- This site has been created to capture the results of the discussion:
Way forward
- Document a proposal
- Evgeny has a use case description that could be used as a basis.
Static Code Scanning
- Coverity appears to be a good tool
- Fortify is another alternative
- Question to Phil about Coverity (Stephen).
- Question: What shall we put here:
CII Badging Questions - CLAMP
Eve
The CLAMP team asked for clarification on some of the CII requirements:
- Provide the Security subteam the URLs for CVE listings
  The release notes MUST identify every publicly known vulnerability that is fixed in each new release. This is "N/A" if there are no release notes or there have been no publicly known vulnerabilities.
- Clarify which warnings should be raised by a software component
  Requirement: It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical. Some warnings cannot be effectively enabled on some projects. What is needed is evidence that the project is striving to enable warning flags where it can, so that errors are detected early.
Vulnerability Management
Vulnerability to test the procedure?
September Event
- Update from CII badging – feedback
- Static code scanning
- Credential Management.
- Action: Stephen to put this on the F2F dev event request for September.