====== OPNFV Security Group ======

A group dedicated to improving OPNFV security through architecture, documentation, code review, upstream inter-work with other groups, vulnerability management and security research.

It provides an ‘umbrella’ group to encourage development of security-centric functions within the OPNFV eco-system, and handles vulnerabilities and threats effectively in a co-ordinated manner.

===== OPNFV eco-system =====

A list of some major components in the OPNFV eco-system, with links to their security advisories, CVE lists, etc.

  * [[Virtualization|Virtualization]]
  * [[Virtualization-networking|Network Virtualization]]
  * [[SDN-Controller-framework|SDN Controller framework]]
  * [[Automation-and-Virtualized-Infrastructure-Manager|OpenStack]]
  * [[Virtual-Storage|Virtual Storage]]

===== Key Project Facts =====

**Project Creation Date:** Jan 22, 2015 \\
**Lifecycle State:** Approved \\
**Project Lead:** [[lhinds@redhat.com|Luke Hinds (Red Hat)]] \\
**Jira Project Name:** OPNFV Security group \\
**Jira Project Prefix:** opnfv-sec \\

===== Members =====

  * [[luke.hinds@nokia.com|Luke Hinds (Red Hat)]]
  * [[marcel.winandy@huawei.com|Marcel Winandy (Huawei)]]
  * [[ari.pietikainen@ericsson.com|Ari Pietikäinen (Ericsson)]]
  * [[sona.sarmadi@enea.com|Sona Sarmadi (ENEA)]]

===== OPNFV Security Group Processes =====

**[[security:osvm|OPNFV Security Vulnerability Management (OSVM)]]**

**[[security:securecode|Secure Coding Guidelines]]**

===== Security Projects =====

**The OPNFV platform hosts the following security projects**

**[[requirements_projects:inspector|Inspector]]**

Ensures that the existing audit frameworks for the critical components in OPNFV are extensive enough and compliant with industry standards and foreseeable business use cases.

**[[security:opnfv-security-guide|OPNFV Security Guide]]**

Guide to securing the OPNFV platform.

**Other security projects within the OPNFV**

[[:moon|Moon]]

Moon aims at designing and developing a security management system for OPNFV.
We can create security managers to protect different layers of the NFV infrastructure, and choose various security project mechanisms “à la carte” to enforce the related security managers.

===== Project Work Areas =====

[[security:int|Internal Security Policies]]

[[security:docs|Documentation]]

[[security:upstream|Upstream Standards]]

[[security:research|Research Projects]]

===== Member Structure =====

{{ :member.png?nolink |}}

====== Meeting Details ======

**Meeting Times** Every Wednesday at 14:00 UTC

**IRC** #opnfv-sec

  * Note: we only meet on IRC. Conference bridges can be set up for specific topics.

[[meetings:security|Meeting Info & Log]]

====== Security Related News/blogs ======

  * [[http://www.etsi.org/news-events/news/1015-2015-10-news-etsi-nfv-isg-publishes-security-and-reliability-specifications?highlight=YTozOntpOjA7czozOiJuZnYiO2k6MTtzOjg6InNlY3VyaXR5IjtpOjI7czoxMjoibmZ2IHNlY3VyaXR5Ijt9|ETSI released three more specs relevant for security]]
  * [[http://www.cisecurity.org/critical-controls.cfm|CIS published update on their security guidance]]
  * [[http://venturebeat.com/2015/10/07/amazon-launches-inspector-a-tool-that-automatically-finds-security-compliance-issues/|Amazon launches Inspector, a tool that automatically finds security and compliance issues]]
  * [[http://venturebeat.com/2015/10/07/google-launches-its-cloud-platform-security-scanner-out-of-beta-minutes-after-amazon-announced-inspector/|Google launches its Cloud Platform Security Scanner ..]]
  * [[https://dzone.com/articles/aws-deployment-with-security-monkey|AWS Deployment With Security_monkey]]
  * [[http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html|Certificate authorities issue SSL certificates to fraudsters]]
  * [[http://www.networkworld.com/article/2992503/security/sans-20-critical-security-controls-you-need-to-add.html|SANS: 20 critical security controls you need to add]]
  * [[https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf|How Diffie-Hellman Fails in Practice]]