Re: [onap-tsc] Review of SDC known vulnerability Analysis

2018-04-04 Thread Stephen Terrill
Hi Dan,

Thank you for the clarification.  When going over the status of my review with 
the security sub-committee, I received a question that I realized I 
couldn’t quite answer, so I have a follow-up question.

The sdnc-oam is in gerrit so it is downloadable, however from the description 
below it is not included in SDNC when it is instantiated with OOM – is that 
correct?

Could any of the vulnerabilities allow malicious code to be created as an 
output of the dgbuilder and find its way into SDNC as part of a DG?  The 
vulnerabilities that subject dgbuilder to DDoS wouldn’t, but potential malicious 
code insertion could ….

BR,

Steve



From: TIMONEY, DAN [mailto:dt5...@att.com]
Sent: Monday, April 02, 2018 7:13 PM
To: Stephen Terrill 
Cc: onap-sec...@lists.onap.org; onap-tsc 
Subject: Re: Review of SDC known vulnerability Analysis

Steve,

The dgbuilder is a design time tool.  We use it to create and update the 
directed graphs, which then get stored in Gerrit and managed from there as 
source code.

Eventually we’d like to support using the dgbuilder as an editor integrated 
with SDC at run time to update and deploy new versions of directed graphs – 
especially to allow rapid deployment of patches.  However, in its current form, 
dgbuilder is really only appropriate as a design time tool.

Dan

--
Dan Timoney
SDN-CP / OpenECOMP SDN-C SSO

Please go to D2 ECOMP Release Planning Wiki for D2 ECOMP Project In-take, 
2016 Release Planning, Change Management, and find key Release Planning 
Contact Information.

From: Stephen Terrill
Date: Monday, April 2, 2018 at 3:45 AM
To: "TIMONEY, DAN"
Cc: "onap-sec...@lists.onap.org", onap-tsc
Subject: Review of SDC known vulnerability Analysis

Hi Dan,

Thank you for the report on the SDC known vulnerabilities - 
https://wiki.onap.org/pages/viewpage.action?pageId=28379582 .

For most of the impacts it states that low risk – only occurs in design tool 
(dgbuilder).  How is this tool used by SDNC?  Is it used in the runtime 
environment, or can it be called in the run-time environment?

Best Regards,

Steve



STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com



Legal entity: Ericsson España S.A, company registration number ESA288568603. 
This Communication is Confidential. We only send and receive email on the basis 
of the terms set out at 
www.ericsson.com/email_disclaimer

___
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc


Re: [onap-tsc] Review of SDC known vulnerability Analysis

2018-04-02 Thread TIMONEY, DAN
Steve,

The dgbuilder is a design time tool.  We use it to create and update the 
directed graphs, which then get stored in Gerrit and managed from there as 
source code.

Eventually we’d like to support using the dgbuilder as an editor integrated 
with SDC at run time to update and deploy new versions of directed graphs – 
especially to allow rapid deployment of patches.  However, in its current form, 
dgbuilder is really only appropriate as a design time tool.

Dan

--
Dan Timoney
SDN-CP / OpenECOMP SDN-C SSO


From: Stephen Terrill
Date: Monday, April 2, 2018 at 3:45 AM
To: "TIMONEY, DAN"
Cc: "onap-sec...@lists.onap.org", onap-tsc
Subject: Review of SDC known vulnerability Analysis

Hi Dan,

Thank you for the report on the SDC known vulnerabilities - 
https://wiki.onap.org/pages/viewpage.action?pageId=28379582 .

For most of the impacts it states that low risk – only occurs in design tool 
(dgbuilder).  How is this tool used by SDNC?  Is it used in the runtime 
environment, or can it be called in the run-time environment?

Best Regards,

Steve

