Learn about ONAP's successful vulnerability management strategy in this conference talk that explores how the Open Network Automation Platform became the leading LFN Project for fixing vulnerabilities. Discover the comprehensive CVE process integration implemented to reduce supply chain vulnerabilities, including the community's systematic approach to upgrading packages in each release. Explore how the security subcommittee developed an effective process over ten releases, incorporating software composition analysis in build pipelines and detailed package upgrade tasks. Gain insights into the project's successful response to the log4j zero-day vulnerability and their ongoing efforts to improve code quality. Understand practical strategies for automating package upgrade analysis, simplifying complex upgrade recommendations, and collaborating with vendors and other Linux Foundation projects on vulnerability management. Follow the journey from initial security decisions to current automated processes, learning valuable lessons for managing open source software security at scale.
Overview
Syllabus
Introduction
Agenda
What is ONAP
How ONAP manages dependencies
Log4J vulnerability
Whats next
Message to projects
Taught by
LF Networking
Related Courses
-
Using Vulhub for Dockerized Vulnerability Replication
-
Stranger Danger - Your Java Attack Surface Just Got Bigger
-
Vulnerabilities and Misconfigurations in Cloud-Native Security - Two Sides of the Same Risk Coin
-
Security Concerns in Every Stage of the Software Supply Chain
-
Managing Vulnerabilities in Open-Source Dependencies
-
Surviving the CVE Firehose: Strategies for Open Source Product Security
