The Security Forum is where LFN community members can discuss anything security related. That may include threat analysis, industry trends, best practices, tools, etc.
Interested parties:
| Name | Affiliations | Interests |
|---|---|---|
| Samsung, ONAP TSC, LFN TAC, LFN MAC | Cross-community collaboration | |
| Tony Hansen | AT&T, ONAP SECCOM | best practices, tools, cross-community collaboration, CII badging |
| LFN, ONAP, Anuket, US-GOV-OPS | best practices, considerations for software release | |
| LFN, LFN MAC | Messaging, communications, content | |
| MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense | |
| Muddasar Ahmed | MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense |
| Ericsson, ONAP Architecture Subcommittee, SECCOM | security architecture, best practices, industry trends | |
| Amy Zwarico | AT&T, ONAP SECCOM | Security architecture, software composition analysis, static application security testing, software bill of materials, PKI, cross community collaboration |
| F5 Networks, ONAP SECCOM | Best practices sharing accross LFN projects, security architecture, automation, software composition analysis, static application security testing, software bill of materials, security in the containers scanning, adoption of tools to increase software security. | |
| Orange, Anuket | Cross-community collaboration, tools, open source software security, software bill of materials, zero trust architecture | |
| Ruben Merz | Swisscom | Security architecture, cross-community collaboration, security automation, zero-trust architecture, PKI, telco security topics, supply-chain security, secure CI/CD |
| Ragashree M C | Nokia, CNCF, Anuket, OWASP | Security architecture, best practices, industry trends, cross-community collaboration, security automation, |
| Samuli Kuusela | Ericsson, ONAP SECCOM, Anuket | Cross-community collaboration, best practices, security architecture |
Mailing list:
https://lists.lfnetworking.org/g/lfn-securitywg
Meeting minutes:
August-18-2021 Forum kick-off meeting
Attendees:
Agenda/Minutes:
- Focus areas
- Best practices could be further broken down to 'developer best-practices' and 'end-user best practices'
- How can we collaborate with the OpenSSF - https://github.com/ossf , https://openssf.org
- Are there other initiatives, in addition to the OpenSSF, that we should be aware of? Suggestion to add a reference in our wiki.
- What might be unique to the LFN (e.g. CI/CD) that would require a separate security work? At least we need synchronization.
- Reach out to David Wheeler and organize an introduction call - help define the boundaries between OpenSSF and LFN security. Recent Blog By David Wheeler: https://www.linuxfoundation.org/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/
- Amy's presentation to the LFN board could be a good starting point for defining the unique security aspects of networking projects. An opportunity to be though leaders on security practices.
- Please upload any material or links to our existing wiki space - treat it as a sandbox. We can discuss it on the mailing list.
- We should focus on understanding what projects are doing, not be too prescriptive.
- Our main objective for now should be knowledge sharing. Later we can decide to broaden the scope, producing white papers, consolidating best-practices, etc.
- How to test security? How to detect vulnerabilities in dependencies (added to best-practices wiki page)
- Preferred mode of operation
- Uploading relevant material to the wiki pages
- ~Monthly meeting, where authors of the uploaded material can walk us through it.
- Additionally, a newsletter or meeting notes to highlight the new topics.
Action items:
- Reach out to David Wheeler an organize an introduction to the OpenSSF Ranny Haiby
- Upload material to the wiki space - @all
Recording:
LFN_Security_Forum_August_18_2021.mp4
November-18-2021 SBOM Discussion
Agenda:
- ONAP SBOM status - https://wiki.onap.org/display/DW/Software+Bill+of+Materials – Pawel/Amy
- Anuket SBOM work - https://github.com/cntt-n/CNTT/blob/master/doc/ref_model/chapters/chapter07.md#77-open-source-software-security - Karine
- Using Scancode.io for Docker image license and vulnerability scanning -https://static.sched.com/hosted_files/onesummit2021/78/one2021.pdf - Ranny
- recent NTIA recommendations for SBOM. They are quickly becoming de facto standards -https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom - Amy
- Q&A
- Best practices discussion
- Next steps