Hi,

As per our TSC procedures, I should submit an email report from the perspective of the security coordinator.
***We are establishing the vulnerability procedures for ONAP.***
--------------------------------------------------------------------------------
The approach we will follow is to use the fd.io vulnerability procedures as a template, and adapt it to ONAP. The timeline is to have this ready to submit to the TSC for TSC approval in the developers meeting in June. (Draft early, review amongst the members who have contacted me.)

Part of the vulnerability procedures will be to have a vulnerability response team (a small one). We'll get onto looking at that when we get a draft of the procedures so it becomes clear what the expectations are.

***Proactive activities***
We are trying to identify a few proactive activities to start with. We can't start with everything, but would like to prioritize a few small steps.

***Security: Sub-committee, coordinator.***
We have discussed the idea of a security subcommittee. The motivation is that it provides transparency about who is involved, and is a mechanism for ensuring that there is dedicated security support.

Note: The security subcommittee is not the vulnerability response team.

Here is the draft proposal for the subcommittee:
- TSC subcommittee name: Security Subcommittee (SEC)
- TSC subcommittee purpose:
  - The security subcommittee is responsible for defining and proposing activities, process and guidelines that aim to increase the security of ONAP. This includes, but is not limited to:
    o Creating and maintaining vulnerability procedures.
    o Defining, promoting and proposing proactive security activities (to be executed by and with the agreement of active projects).
    o Providing best practices, security guidelines.
  - The security subcommittee is advisory by nature, and not authoritative. It may make proposals and provide advice to projects and to the TSC.
  - The security subcommittee operates on a rough consensus basis.
If the subcommittee is unable to reach consensus on what advice to offer, the subcommittee will refer the matter to the TSC.
- TSC security subcommittee expected deliverables: Security procedures, guidelines, proposed activities and best practices aimed at supporting a secure ONAP platform.
- TSC security subcommittee participants: Contained on the security committee web-page. The participants self-nominate to the sub-committee chair, who confirms the participants with the TSC.
- TSC security sub-committee chair is the same as the security coordinator.
- Meeting Frequency: Weekly.

*****************************
Draft security coordinator definition.
* Coordination Area: TSC Security
* Coordination area responsibility description:
  * Ensure required security approaches, practices and procedures are in place for the ONAP platform.
  * Ensure that there is a functioning ONAP security community.
  * May do so with the support of a Security sub-committee.
* Reporting cadence: Weekly
* Area Coordinator:

Question to the TSC: Do we go ahead with both coordinator and sub-committee, or just the sub-committee?

**Other**: The team will go for weekly meetings.

--
Best Regards,
Steve

STEPHEN TERRILL
Technology Specialist DUIC, Systems and Technology Development Unit
IP & Cloud Business Unit, IT & Cloud Products
Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
www.ericsson.com
Legal entity: Ericsson España S.A, company registration number ESA288568603.
_______________________________________________
ONAP-TSC mailing list
https://lists.onap.org/mailman/listinfo/onap-tsc
