
      Samsung is performing an internal penetration test of the Casablanca release

       

      19-2-6

      Casablanca instance is set up

      • findings will be reported at the end of the month
        • preliminary findings include hard-coded passwords
        • Phil Robb requested a preliminary report to share with the sponsors of the third party code base audit (https://jira.onap.org/browse/SECCOM-104)
      • Proposal to use the Vulnerability Management process to handle the findings
      • recommendations:
        • create working group to develop solutions for the findings
        • leverage existing solutions such as CADI, AAF
        • create a set of best practices
        • identify security champions for each project
        • prioritize fixes for the Dublin release
      • Amy will request time on the 2/7 TSC call and the 2/11 PTL call for Krzysztof Opasiak to present the Samsung pen test and the relationship to the proposed 3rd party code audit https://jira.onap.org/browse/SECCOM-104
        • need to get feedback from the PTLs on the impacts to the Dublin release
      • [19-02-13] Have discovered more vulnerabilities
      • [19-02-13] Testing will be complete at the end of February, Report delivered by 19-03-08. Have private session to review results.
      • [19-02-06] kopasiak will share report with Katel34, phrobb, Pawel_P, zwarico at end of week. Vulnerabilities will be shared with affected PTLs.

            kopasiak kopasiak
            zwarico Amy Zwarico