ONAP Security Sub-committee Update. Stephen Terrill, Donald Levey, Pierre Cose,

Similar documents
Advanced Security Tester Course Outline

The Common Controls Framework BY ADOBE

Certification Report

EXAM PREPARATION GUIDE

Secure Development Lifecycle

TEL2813/IS2820 Security Management

The Open Group Professional Certification Program. Accreditation Requirements

Software Architecture Review

U.S. E-Authentication Interoperability Lab Engineer

INFORMATION ASSURANCE DIRECTORATE

Project Management Certification

Certification Report

Compliance Verification Program Governance Guide

Australasian Information Security Evaluation Program

Understanding the Open Source Development Model. » The Linux Foundation. November 2011

Promoting Global Cybersecurity

Federal Information Processing Standard (FIPS) What is it? Why should you care?

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Security Management Models And Practices Feb 5, 2008

SOC Reporting / SSAE 18 Update July, 2017

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

University of Wisconsin-Stout Menomonie, WI

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

CHARTER OUR MISSION OUR OBJECTIVES OUR GUIDING PRINCIPLES

Cloud Security. Copyright Ramesh Nagappan. All rights reserved.

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

INFS 2150 (Section A) Fall 2018

PRINCE2 IN 40 MINUTES

For presentation at the Fourth Software Engineering Institute (SEI) Software Architecture Technology User Network (SATURN) Workshop.

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

Digital Preservation: How to Plan

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Effective Threat Modeling using TAM

FISMAand the Risk Management Framework

Building an Assurance Foundation for 21 st Century Information Systems and Networks

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Certification Report

FedRAMP Training - Continuous Monitoring (ConMon) Overview

IC L19 - Consolidate Information from across your Infrastructure to create a custom report for PCI DSS Hands-On Lab

UCSB IT Forum. April 15, 2014

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Certification Report

FeliCa Approval for Security and Trust (FAST) Overview. Copyright 2018 FeliCa Networks, Inc.

COMMON CRITERIA CERTIFICATION REPORT

ISA Security Compliance Institute

Take responsibility for completing tasks and procedures subject to direction or guidance as needed.

EXAMINATION [The sum of points equals to 100]

Visa Chip Security Program Security Testing Process

Information Systems and Tech (IST)

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Certification Report

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Site Data Protection (SDP) Program Update

Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

ISSEP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Frequently Asked Questions

Adopting Agile Practices

INTERACTIVE GLOBAL VALUE DOSSIER

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

ISACA Cincinnati Chapter March Meeting

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

COMMON CRITERIA CERTIFICATION REPORT

Certification Process. Version 1.0

Exhibit A1-1. Risk Management Framework

ONAP Release Planning

MIS Week 9 Host Hardening

CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

SOLUTION BRIEF Virtual CISO

Course Outline. CISSP - Certified Information Systems Security Professional

<PROJECT NAME> IMPLEMENTATION PLAN

IASA CONTINUING EDUCATION UNITS

Descriptions for CIS Classes (Fall 2017)

ONAP Project Proposal Training. Chris Donley

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

The task or context will be familiar and involve few variable aspects. The techniques used will be familiar or commonly undertaken.

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

Core Infrastructure Initiative Discussion

EU General Data Protection Regulation (GDPR) Achieving compliance

OpenChain Specification Version 1.3 (DRAFT)

Certified Information Systems Auditor (CISA)

National Information Assurance Partnership

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

BRING EXPERT TRAINING TO YOUR WORKPLACE.

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

COMMON CRITERIA CERTIFICATION REPORT

EXAM PREPARATION GUIDE

Certification Exam Outline Effective Date: September 2013

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

THE AUTOMATED TEST FRAMEWORK

Germany and The Netherlands Certification of cryptographic modules

Transcription:

ONAP Security Sub-committee Update Stephen Terrill, Donald Levey, Pierre Cose, 2017-12-15

Introduction This presentation is from the ONAP security sub-committee. It covers the security aspects that have been put into place, as well as the latest on what is currently on the agenda.

ONAP ONAP is critical infrastructure Can you imagine what could be done if compromised? If security is done right, no-one knows. We are aware of it when its not!

Security is considered from the start ONAP Governing Board ONAP Technical Steering Committee Sub-Committees Support the TSC on topics of a particular focus. Security Architecture Use Case Open Lab Modelling Projects Projects Projects Closed Loop The security sub-committee was one of the first created

Where to find us http://wiki.onap.org

How to contact us Onap-seccom@onap.org To subscribe: https://lists.onap.org/mailman/listinfo We meet Wednesdays, 15:00 16:00 CET.

Vulnerability Management Vulnerability management is the process to handle identified vulnerabilities Approved Vulnerability Management procedures: https://wiki.onap.org/display/dw/onap+vulnerability+management How to submit a vulnerability, acknowledge a vulnerability, and manage the process to conclusion including communication. Email: security@lists.onap.org Vulnerability management team (volunteers) are in place: Will follow a Case lead on a step-up approach on per case by case basis. Support team to step in to ensure nothing falls through. Security coordinator also to ensure that all is working ok.

Current Focus Core Infrastructure Initiative Badging Program Static Code Scanning Credential Management Communication Security Known vulernability informing

CII (core infrastructure initiative) badging program CII (core infrastructure initiative) has been created by the linux foundation in response to previous security issues in open-source projects (Heartbleed in openssl). The CII has created a badging program to recognize projects that follow a set of identifies best practices that could be adopted. - There are three levels passing, silver and gold. The security sub-committee has looked at these and feels that given ONAP is managing core critical infrastructure, the ONAP projects should follow the gold level. - This is a challenge! The CII Badging program levels are now part of the S3P (carrier grade) focus of Release 2.

CII Badging program, 3 levels Gold More stringent criteria Security Review, project continuity, continues test integration, 70%+ test coverage, secure design,. Silver Passing https://github.com/coreinfrastructure/best-practicesbadge/blob/master/doc/criteria.md https://github.com/coreinfrastructure/best-practicesbadge/blob/master/doc/other.md Basic practices Largely also covered by Release Best Practices

Example Criteria Passing: The project website MUST succinctly describe what the software does (what problem does it solve?). The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project). Silver: The project MUST document what the user can and cannot expect in terms of security from the software produced by the project. The project MUST identify the security requirements that the software is intended to meet and an assurance case that justifies why these requirements are met. The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, and evidence that common security weaknesses have been countered Gold: The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion.

The Questionnaire CLAMP project Perspective: Xue Goa, Pierre Close, Anael Clossson Editing rights is limited to a subset of users - Main editor can nominate other users as editors Divided into clear sections - For each section, a set of questions is provided, addressing best practices relating to the parent section Each question asks if a criterion is - Met, unmet, not applicable, or unknown Criteria are generally high-level as targeted to best practices, e.g. - The project MUST have one or more mechanisms for discussion - The project SHOULD provide documentation in English

The Goals CLAMP project Perspective: Xue Goa, Pierre Close, Anael Clossson Give confidence in the project being delivered - By quickly knowing what the project supports See what should be improved - Self-questioning helps project stakeholders identifying strengths and weaknesses, do s and don'ts Align all projects using the same ratings - Makes projects connected together to follow the same practices Call for continuous improvement - Increase self rating and reach better software quality

Click to edit Master title style Static Code Scanning The purpose is for Looking for unknown vulnerabilities Currently investigating the tool Primary Recommendation: Coverity Scanning Looking at the process to apply it within ONAP Supported Languages: - C/C++, C#, Java, Javascript, Python, Ruby Possible scan frequency (per project): - < 100K LoC: Up to 28 builds per week, with a maximum of 4 builds per day - 100K-500 K LoC: Up to 21 builds per week, with a maximum of 3 builds per day - 500K 1M LoC Up to 14 builds per week, with a maximum of 2 build per day - > 1M LoC: Maximum of 1 build per day Next Step: - Evaluate output report - Recommendation for inclusion in ONAP Processes

Static Code Scanning The purpose is for Looking for unknown vulnerabilities Currently investigating the tool Primary Recommendation: Coverity Scanning Looking at the process to apply it within ONAP Supported Languages: - C/C++, C#, Java, Javascript, Python, Ruby < 100K LoC: Up to 28 builds per week, with a maximum of 4 builds per day 100K-500 K LoC: Up to 21 builds per week, with a maximum of 3 builds per day 500K 1M LoC Up to 14 builds per week, with a maximum of 2 build per day > 1M LoC: Maximum of 1 build per day Evaluate output report Recommendation for inclusion in ONAP Processes

Credential Management External ONAP service consumers Credential Types ONAP_Users ONAP_ExtAPI ONAP ONAP ONAP_Foreign External to ONAP services (e.g. managed elements, services from other domains) Credential Examples: Certificates, traditional credentials Proposal exists to extend ONAP with the capabilities for : - ONAP certificate authority - ONAP secret storage service Presented: Securing onap using trusted infrastructure solutions (TUE)

Managing known vulnerabilities FOR DISCUSSION Managing known vulnerabilities Sonatype CLM/ Nexus IQ Tool Can be used to inform the projects of known vulnerabilities in the components that a project has. DISCUSSION how do we want to use it? Make the report available to PTLs (See IPR Tools & CLA process presentation on Tuesday) Include in milestone criteria?

Summary ONAP is critical infrastructure Can you imagine what could be done if compromised? We welcome your input! If security is done right, no-one knows. We are aware of it when its not!

s

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback