Subject: [Akraino Security Sub-Committee] Akraino Security subgroup weekly meeting
When: Occurs weekly starting 6/1/2020 from 11:00 AM to 12:00 PM Pacific Time.
Where:

Join Zoom Meeting

https://zoom.us/j/94195918783

Meeting ID: 941 9591 8783

One tap mobile

+16699006833,,94195918783# US (San Jose) 12532158782,,94195918783# US

+(Tacoma)

Dial by your location

+1 669 900 6833 US (San Jose)

+1 253 215 8782 US (Tacoma)

+1 346 248 7799 US (Houston)

+1 646 558 8656 US (New York)

+1 301 715 8592 US (Germantown)

+1 312 626 6799 US (Chicago)

877 369 0926 US Toll-free

855 880 1246 US Toll-free

Meeting ID: 941 9591 8783

Find your local number: https://zoom.us/u/aee0gyHkh8

13 Jul 2020   Due to an urgent conflict today's meeting, 7/13/2020, has been cancelled.  The following email was sent out with a request for input regarding Maturity level security review requirements.

The main agenda item for today was to discuss incubation and maturity security requirements for blueprints.  Please review the updates that I have made to the following link concerning Incubation and Maturity:  PASS/FAIL Criteria for Vuls, Lynis and Kube-Hunter:

https://wiki.akraino.org/display/AK/Steps+To+Implement+Security+Scan+Requirements

Currently the difference between Incubation and Maturity Security Requirements is that exceptions are more readily granted for incubation.  Exceptions for maturity should be granted only for cases where the issue does not apply to the blueprint (ie specific code/configuration is not being used) or a separate security measure is being taken to mitigate the issue.  Any exception granted for the Maturity phase should be very clearly documented.

For Maturity we must require a higher security level than Incubation, yet these requirements need to be testable by BluVal and easily quantified.  If there are additional security measures that you feel should be added to the Maturity requirements for Akraino please respond to the security team, security@lists.akraino.org, with those recommendations for discussion.  Please do this as soon as possible because we need to provide all of our Maturity requirements to the TSC in the next two weeks for their review/approval.

20 May 2020 

Agenda:

ICN BP Security review (Bluval results): Kuralamudhan Ramakrishnan & Igor Duarte Cardoso: - 20 - 30 mins

23 Oct 2019 

Attendees:

• Randy Stricklin
• Ken Yi

Topics:

• CII badging: Security. Randy
  • How to expand the security sub-committee and involve more participants
  • Randy will ask people from ATT IOT team to talk about IOT edge applications and potential requirements to security
• Security scan integration (Skipped)

10/09/2019

Attendees:

• Randy Stricklin
• Daniil Egranov
• David Plunkett
• Ken Yi

Topics:

• Security tool integration status check
  • PTLs might be under the release pressure, need to talk to PTLs individually. (Ken will follow up)
  • Clarification: Just one sample repo location for each language, no need to list all repos
  • David will fill in the Network Cloud Blueprint Family  as an example
• CII badging
  • Not all of them relating to security
  • Suggest to TSC to have CII as part of maturing process
  • Each blueprint project is not created for the same audience, can we mandate the same set of requirements?
  • Should process subcomittee to adopt CII badging to have a standard measurement. 

9/25/2019

Attendees:

• Randy Stricklin
• Tina Tsou
• Ken Yi

Topics:

• CII (Core Infrastructure Initiative) Badging in ONAP - Amy Zwarico
  • Overall is positive, almost all projects passing CII badging
  • Frustration from the projects: Priority, ...
  • Tony's dashboard 
  • ONAP do badge at per project level
  • Using script to auto-generate Jira ticket. 
  • Linux Foundation code of conduct
  • Which part of CII is important for Akraino
  • ONAP vulnerability management process
• SonarCloud integration - Eric Ball

AI:

• Randy will drive the CII badging discussions. We will allocate 20 minutes in future sec-committee meetings. 

Meeting Content (minutes / recording / slides / other):

• July 17, 2019 Meeting cancelled
• May 22, 2019 minutes / recording / slides
• May 8, 2019 Meeting cancelled
• April 24, 2019 minutes / recording / slides
• April 10, 2019 minutes / recording /slides
• March 27, 2019 minutes / recording /slides
• March 13, 2019 minutes / recording /slides (Meeting cancelled due to Zoom technical issues)
• February 27, 2019 minutes / recording /slides
• February 13, 2019 minutes / recording/ slides
• January 30, 2019 minutes / recording / slides
• January 16, 2019 minutes / recording / slides