Type: Task
Resolution: Done
Priority: Highest
Samsung is performing an internal penetration test of the Casablanca release
19-2-6
- Casablanca instance is set up
- findings will be reported at the end of the month
- preliminary findings include hard-coded passwords
- Phil Robb requested a preliminary report to share with the sponsors of the third party code base audit (https://jira.onap.org/browse/SECCOM-104)
- Proposal to use the Vulnerability Management process to handle the findings
- recommendations:
  - create working group to develop solutions for the findings
  - leverage existing solutions such as CADI, AAF
  - create a set of best practices
  - identify security champions for each project
  - prioritize fixes for the Dublin release
- Amy will request time on the 2/7 TSC call and the 2/11 PTL call for Krzysztof Opasiak to present the Samsung pen test and the relationship to the proposed 3rd party code audit (https://jira.onap.org/browse/SECCOM-104)
- need to get feedback from the PTLs on the impacts to the Dublin release
- [19-02-13] Have discovered more vulnerabilities
- [19-02-13] Testing will be complete at the end of February, Report delivered by 19-03-08. Have private session to review results.
- [19-02-06] kopasiak will share report with Katel34, phrobb, Pawel_P, zwarico at end of week. Vulnerabilities will be shared with affected PTLs.
- relates to: SECCOM-104 ONAP Codebase Audit (Open)