Hi,

Today in the security sub-committee we discussed some of the known vulnerabilities identified in Nexus IQ for the MSB project. We went over the template that was filled in, which contains excellent detail of the analysis: https://wiki.onap.org/pages/viewpage.action?pageId=25439016.

We agreed that, based on this, there is no security risk in the way that the project uses the external modules for Beijing (based on the received analysis; as the security sub-committee is not an expert in the code, we trust the analysis, and here the analysis contains very good details for the security sub-committee to review and have confidence in the analysis). Hence no issue is identified for going forward with the release or using MSB in Beijing, at least from the security sub-committee's recommendation.

We again discussed changing the status in Nexus IQ and stated that it is not recommended, as it needs to be re-evaluated in Casablanca to ensure that we don't change the way we use the modules and that the analysis remains the same. Removing the vulnerability mark in Nexus IQ opens up the risk of not evaluating this in Casablanca.

We also stated that it would be a good practice to include in the security part of the Release Notes a comment relating to this, as well as a link to the template containing the analysis. This gives us full transparency.

I think this was a good exercise and the approach can be taken as a best practice.

BR,
Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services
Ericsson
_______________________________________________
ONAP-TSC mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-tsc
