  1. Security Subcommittee
  2. SECCOM-75

Security by Design - TSC-52


       

      Security by design is forming as a TSC requirement, but it needs to be turned into a proposal. See TSC-52.

      “Security by Design” – Reinforce the awareness at each milestone of a release, starting with M1. So PTLs are already reporting on their remaining vulnerabilities/security issues.

      Note it is not only about issues detected by tools but also key security requirements

      • Security scan on ONAP code (Coverity, Bandit)

      • Replacement of unsecured 1/3 party libraries

      TSC Task Force: Stephen Terrill and the Security Subcommittee

       

      Suggestions:

      • Ensure that when a library is first used by a project, a vulnerability scan of it is done, and see what could be done about the results.  Alternatives; ..
      • Gate jobs - to execute the test, check vulnerabilities, ....

      SECCOM: 2018-12-19

      ------------

      Reviewed: https://wiki.onap.org/display/DW/Proposed+Updates+to+Release+Templates+%28Dublin%29+-+Security+Questions 

       

      SECCOM 2018-11-05

      Walked through https://wiki.onap.org/download/attachments/45309376/2018-12-05%20Security%20by%20design.pptx?api=v2 and got feedback

       

      SECCOM 2018-12-19

      Review proposed security deliverables documented in Release Checklists

      https://wiki.onap.org/display/DW/Proposed+Updates+to+Release+Templates+%28Dublin%29+-+Security+Questions

       

      2019-02-13 TSC Chair Email to SECCOM and PTLS

      Dear SECCOM, PTLs,

       

      I would like to inform you that 72+% of our ONAP TSC already voted positively to integrate v13 of the Security checklist proposal

      https://wiki.onap.org/display/DW/Proposed+Updates+to+Release+Templates+%28Dublin%29+-+Security+Questions

       

      As a result, I have updated the following templates

      M2 - https://wiki.onap.org/display/DW/Deliverables+for+Functionality+Freeze+Milestone+Checklist+Template

      M3 - https://wiki.onap.org/display/DW/Deliverables+for+API+Freeze+Milestone+Checklist+Template

      M4 - https://wiki.onap.org/display/DW/Deliverable+for+Code+Freeze+Milestone+Checklist+Template

       

      Best regards

      Catherine

       

       

            Unassigned Unassigned
            auztizza auztizza