The Security Forum is where LFN community members can discuss anything security related. That may include threat analysis, industry trends, best practices, tools, etc.

Name | Affiliations | Interests
 | Samsung, LF, ONAP TSC, LFN TAC, LFN MAC | Cross-community collaboration
Tony Hansen | AT&T, ONAP SECCOM | Best practices, tools, cross-community collaboration, CII badging
 | LFN, ONAP, Anuket, US-GOV-OPS | Best practices, considerations for software release
 | LFN, LFN MAC | Messaging, communications, content
 | MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense
Muddasar Ahmed | MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense
 | Ericsson, ONAP Architecture Subcommittee, SECCOM | Security architecture, best practices, industry trends
Amy Zwarico | AT&T, ONAP SECCOM | Security architecture, software composition analysis, static application security testing, software bill of materials, PKI, cross-community collaboration
 | F5 Networks, ONAP SECCOM | Best practices sharing across LFN projects, security architecture, automation, software composition analysis, static application security testing, software bill of materials, security in container scanning, adoption of tools to increase software security
 | Orange, Anuket | Cross-community collaboration, tools, open source software security, software bill of materials, zero trust architecture
Ruben Merz | Swisscom | Security architecture, cross-community collaboration, security automation, zero-trust architecture, PKI, telco security topics, supply-chain security, secure CI/CD
Ragashree M C | Nokia, CNCF, Anuket, OWASP | Security architecture, best practices, industry trends, cross-community collaboration, security automation
Samuli Kuusela | Ericsson, ONAP SECCOM, Anuket | Cross-community collaboration, best practices, security architecture


April-21-2022 Meeting with David Wheeler


  • OpenSSF badging:
  • Applicability to "non-code" projects
    • David invites review of the best-practices, and then providing feedback to him
  • Re-starting badging effort
    • Should be possible
  • Training
    • There is an LF certificate that is good for two years
    • Recommend that at least one maintainer take at least one course
  • Automatic scorecards
    • Automatically scan the repos
    • SLSA
  • Sigstore
    • Verify public key used
    • detect malicious signing, revocation
    • Facilitates easy signing of artifacts
    • There are several integrations ready, e.g. Maven
  • Recommendations:
    • Learn to develop secure code
    • OpenSSF badging
    • Use vulnerability tools
    • Monitor for vulnerabilities
    • Enable rapid updates
  • LFX SECURITY DASHBOARDS
    • Already have several of the automated tools integrated
  • Muddasar Ahmed - https://saf.mitre.org/#/ - Security Automation Framework for DevOps pipelines
  • Muddasar Ahmed - Any best practices for people and processes (in addition to the code itself)? 
    • The training course is people oriented
    • Some of the badging criteria are process oriented
    • New initiative "Secure Software Factory" - aimed at recommending a pipeline for secure software production
  • Follow-up

Slides: https://docs.google.com/presentation/d/1VrLTfSV4K75XZCG7Mtb00RXQcGJFKk6Y0QQ91BVflCw/edit

Recording: video1793455011.mp4


August-18-2021 Forum kick-off meeting 

LFN_Security_Forum_August_18_2021.mp4

November-18-2021 SBOM Discussion

Agenda/Minutes:

  • ONAP SBOM status - https://wiki.onap.org/display/DW/Software+Bill+of+Materials – Pawel/Amy
    • Still WIP. Expecting to generate SBOM soon
    • Started with existing set of NTIA requirements
    • Focusing on SPDX format provides ~85% of the minimum required BOM. Might require some manual work to complete.
    • Working on making the SPDX task part of the CI chain.
    • Q: What are the disadvantages of CycloneDX? A: Failed to extract information in some cases. SPDX seems to be more successful. Also, some operators may require the SPDX format for the BOM.
    • There are tools that can generate different formats of SBOM and translate between formats. Different customers may require different formats.
    • Q: Are there CI plugins (specifically for Maven) that can trigger generating the SBOM? Jessica Wagantall may have some such configurations available. Robert Varga will reach out.
    • Q: How is signature related to SBOM? A: There is a standard methodology in the LF. ONAP is following that. It is mandated by mavenCentral.
  • Anuket SBOM work - https://github.com/cntt-n/CNTT/blob/master/doc/ref_model/chapters/chapter07.md#77-open-source-software-security - Karine
    • Started with the NTIA document. analyzed SPDX as well. SWID Tags came up in the analysis as well.
    • At this point planning to come up with recommendation only, no requirement yet.
    • Muddasar Ahmed - Generating the SBOM should become transparent to developers and project leaders.
    • The document linked above is planned to be a living document reflecting recent evolution of SBOM specifications. May include more prescriptive requirements for tools and process.
    • Muddasar Ahmed - SPDX 3.0 specifications will most likely be accompanied by a 3.0 version of the SPDX tool.
  • Using Scancode.io for Docker image license and vulnerability scanning - https://static.sched.com/hosted_files/onesummit2021/78/one2021.pdf - Ranny
  • Recent NTIA recommendations for SBOM. They are quickly becoming de facto standards - https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom - Amy
    • Minimum requirements are already out - 10 fields - name, URL, etc.
    • More fields are in the works. There seems to be alignment between the NTIA specification and SPDX.
    • There are external details in the NTIA specifications, some of which are ambiguous.
    • US entities may be required (by a US executive order from May 2021) to be aware of their software composition. SBOM may soon become part of RFCs issued by such companies.
  • Q&A
  • Next steps
    • Add links to ONAP page and presentation.
    • Robert Varga - Add information received from Jessica regarding automation scripts
    • Muddasar Ahmed, Pawel Pawlak - Will add a session to the Jan-2022 developer forum
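The discussion above notes that an SPDX document covers most, but not all, of the NTIA minimum elements and that the rest may need manual work. As an added example (not code from ONAP, Anuket or the forum), the Python below checks a constructed SPDX 2.3 JSON document against the NTIA minimum-element data fields (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp); the sample document, package names and tool name are made up for the example.

```python
import json
from datetime import datetime

# Constructed SPDX 2.3 JSON document (sample input, not a real project SBOM).
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {"created": "2021-11-18T16:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.example/example-app@1.0.0"}]},
        # Supplier unknown and no identifier: the kind of gap that needs manual completion.
        {"SPDXID": "SPDXRef-lib", "name": "example-lib", "versionInfo": "2.3.1",
         "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-lib"},
    ],
}


def ntia_gaps(doc):
    """Return a list of NTIA minimum-element gaps found in an SPDX 2.x JSON dict."""
    gaps = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):                       # author of SBOM data
        gaps.append("document: missing author of SBOM data (creationInfo.creators)")
    try:                                               # timestamp
        datetime.strptime(info.get("created", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        gaps.append("document: missing or malformed timestamp (creationInfo.created)")
    rels = doc.get("relationships", [])
    linked = {r["relatedSpdxElement"] for r in rels} | {r["spdxElementId"] for r in rels}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        if not pkg.get("name"):
            gaps.append(f"{pid}: missing component name")
        if not pkg.get("versionInfo"):
            gaps.append(f"{pid}: missing component version")
        if pkg.get("supplier", "NOASSERTION") == "NOASSERTION":
            gaps.append(f"{pid}: missing supplier name")
        if not pkg.get("externalRefs"):                # purl / CPE / SWID identifier
            gaps.append(f"{pid}: no unique identifier (purl, CPE or SWID externalRef)")
        if pid not in linked:                          # dependency relationship
            gaps.append(f"{pid}: not linked by any relationship")
    return gaps


if __name__ == "__main__":
    print(json.dumps(ntia_gaps(SAMPLE_SPDX), indent=2))
```

Running a check like this in the CI step that emits the SPDX file turns the "manual work to complete" into a concrete list of fields to fill before the SBOM is published.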

Recording:

Security_Forum_11_18_2021.mp4

December-12-2021 DDoS mitigation Discussion

Agenda/Minutes:

  • Mon Dec 13, 2021 10am – 11:30am Pacific Time, zoom.us/j/95225604398
  • Peraton Labs DDOS Mitigation Technology Overview
    • Slide decks are not available for distribution yet - This is an introduction meeting. Follow-up meeting will be scheduled when slides are available if necessary
    • Peraton's project is focused on protecting a network operator's network edge to edge. It focuses on OPS-5G DDoS attacks carried out by bots. The project delivers predominantly software, with some interfaces to hardware (switches). In OPS-5G, network programmability is used as a measure for mitigating attacks (while not letting the programmability itself compromise security).
    • Discussion about where the project fits in the LFN landscape.
    • Next steps - Have a slide deck with technical material to share and have a follow-up meeting.

March-21-2022 DDoS mitigation Discussion (follow up to Dec 12 discussion)

Agenda/Minutes:

  • This is a follow-up to the December meeting, including technical slides that were not previously available

Recording: video1184668288.mp4

Slides: ProD3 overview for LF 20220321.pdf