LFN Security Forum

Meeting RecordingThe Security Forum is where LFN community members can discuss anything security related. That may include threat analysis, industry trends, best practices, tools, etc.

Interested parties:

Mailing list:

https://lists.lfnetworking.org/g/lfn-securitywg

Meeting minutes:

April-21-2022 Meeting with David Wheeler

• OpenSSF badging:
  • https://bestpractices.coreinfrastructure.org/en/criteria/0
• Applicability to "non-code" projects
  • David invites review of the best-practices, and then providing feedback to him
• Re-starting badging effort
  • Should be possible
• Training 
  • There is a LF certificate that is good for two year
  • Recommend to have one maintainer take at least one course
• Automatic scorecards
  • Automatically scan the repos
  • SLSA
• Sigstore
  • Verify public key used
  • detect malicious signing, revocation
  • Facilitates easy signing of artifacts
  • There are several integrations ready, e.g. Maven
• Recommendations:
  • Learn to develop secure code
  • OpenSSF badging
  • Use vulnerability tools
  • Monitor for vulnerabilities
  • Enable rapid updates
• LFX SECURITY DASHBOARDS
  • Already have several of the automated tools integrated
• Muddasar Ahmed - https://saf.mitre.org/#/ - Security Automation Framework for DevOps pipelines
• Muddasar Ahmed - Any best practices for people and processes (in addition to the code itself)? 
  • The training course is people oriented
  • Some of the badging are process oriented
  • New initiative "Secure Software Factory" - aimed at recommending a pipeline for secure software production
• Follow-up
  • The OpenSSF is open to everyone
  • If you can't find what you were looking for, contact David Wheeler - dwheeler@linuxfoundatioh.org

Slides:

Recording:video1793455011.mp4

August-18-2021 Forum kick-off meeting 

Attendees:

Agenda/Minutes:

• Focus areas
  • Best practices could be further broken down to 'developer best-practices' and 'end-user best practices'
  • How can we collaborate with the OpenSSF - https://github.com/ossf , https://openssf.org
  • Are there other initiatives, in addition to the OpenSSF, that we should be aware of? Suggestion to add a reference in our wiki.
  • What might be unique to the LFN (e.g. CI/CD) that would require a separate security work? At least we need synchronization.
  • Reach out to David Wheeler and organize an introduction call - help define the boundaries between OpenSSF and LFN security. Recent Blog By David Wheeler: https://www.linuxfoundation.org/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/
  • Amy's presentation to the LFN board could be a good starting point for defining the unique security aspects of networking projects. An opportunity to be though leaders on security practices.
  • Please upload any material or links to our existing wiki space - treat it as a sandbox. We can discuss it on the mailing list.
  • We should focus on understanding what projects are doing, not be too prescriptive. 
  • Our main objective for now should be knowledge sharing. Later we can decide to broaden the scope, producing white papers, consolidating best-practices, etc.
  • How to test security? How to detect vulnerabilities in dependencies  (added to best-practices wiki page)
• Preferred mode of operation
  • Uploading relevant material to the wiki pages
  • ~Monthly meeting, where authors of the uploaded material can walk us through it.
  • Additionally, a newsletter or meeting notes to highlight the new topics.

Action items:

• Reach out to David Wheeler an organize an introduction to the OpenSSF Ranny Haiby
• Upload material to the wiki space - @all

Recording:

LFN_Security_Forum_August_18_2021.mp4

November-18-2021 SBOM Discussion

Agenda/Minutes:

• ONAP SBOM status - https://wiki.onap.org/display/DW/Software+Bill+of+Materials – Pawel/Amy
  • Still WIP. Expecting to generate SBOM soon
  • Started with existing set of NTIA requirements
  • Focusing on SPDX format provides ~85% of the minimum required BOM. Might require some manual work to complete.
  • Working on making the SPDX task part of the CI chain.
  • Q: What are the disadvantages of CycloneDX? A: Failed to extract information in some cases.  SPDX seems to be more successful. Also, some operators may required SPDX format for the BOM.
  • There are tools that can generate different formats of SBOM and translate between formats. Different customers may require different formats.
  • Q: Are there CI plugins (specifically for Maven) that can trigger generating the SBOM? Jessica Wagantall may have some such configurations available. Robert Vargawill reach out.
  • Q: How is signature related to SBOM? A: There is a standard methodology in the LF. ONAP is following that. It is mandated by mavenCentral.
• Anuket SBOM work - https://github.com/cntt-n/CNTT/blob/master/doc/ref_model/chapters/chapter07.md#77-open-source-software-security - Karine
  • Started with the NTIA document. analyzed SPDX as well. SWID Tags came up in the analysis as well.
  • At this point planning to come up with recommendation only, no requirement yet.
  • Muddasar Ahmed - Generating the SBOM should become transparent to developers and project leaders.
  • The document linked above is planned to be a living document reflecting recent evolution of SBOM specifications. May include more prescriptive requirements for tools and process.
  • Muddasar Ahmed - SPDX 3.0 specifications will most likely be accompanied by a 3.0 version of the SPDX tool.
• Using Scancode.io for Docker image license and vulnerability scanning -https://static.sched.com/hosted_files/onesummit2021/78/one2021.pdf - Ranny
• recent NTIA recommendations for SBOM. They are quickly becoming de facto standards -https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom - Amy
  • Minimum requirements are already out - 10 fields - name, URL, etc.
  • More fields are in the works. There seem to be alignment between NTIA specification and SPDX.
  • There are external details in the NTIA specifications, some are ambiguous.
  • US  entities may be required (by a US executive order from may 2021) to be aware of their software composition. SBOM may soon become part of RFCs issued by such companies.
• Q&A
• Next steps
  • Add links to ONAP page and presentation.
  • Robert Varga  - Add information received from Jessica regarding automation scripts 
  • Muddasar Ahmed , Pawel Pawlak - Will add a session to the Jan-2022 developer forum

Recording:

Security_Forum_11_18_2021.mp4

December-12-2021 DDoS mitigation Discussion

Agenda/Minutes:

• Mon Dec 13, 2021 10am – 11:30am Pacific Time  zoom.us/j/95225604398 
• Peraton Labs DDOS Mitigation Technology Overview
  • Slide decks are not available for distribution yet - This is an introduction meeting. Follow-up meeting will be scheduled when slides are available if necessary
  • Peraton's project is focused on protecting edge2edge of a network operator's network. Focusing on OPS-5G DDoS attacks carried out by bots. The project delivers predominantly software, with some interfaces to hardware (switches). In OPS-5G network programmability is used as a measure for mitigating attacks (while not letting the programmability compromise security).
  • Discussion about where the project fits in the LFN landscape.
  • Next steps - Have a slide deck with technical material to share and have a follow-up meeting.

Next steps:

Action Items

March-21-2022 DDoS mitigation Discussion (follow up to Dec 12 discussion)

Agenda/Minutes:

• This is a follow-up to the December meeting, including technical slides that were not previously available

Next steps:

Action Items

Recording:  video1184668288.mp4

Slides:  ProD3 overview for LF 20220321.pdf