Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts

Index Introduction Scope Test Coverage Identified Vulnerabilities DAP-01-002 WP2: Insufficient context separation leads to RCE (High) DAP-01-003 WP1: HTTP Parameter Pollution through invocation (Low) ” From https://dapr.io/#about This report describes the results of a large-scale and thorough security assessment targeting the Microsoft Distributed Application Runtime (Dapr) software complex1 substantial research and acquired a very good coverage over the scope. Cure53 managed to identify twelve security-relevant issues affecting the Dapr complex. Eight problems represent vulnerabilities and four

diversity of languages and developer frameworks.” From https://dapr.io/#about This report continues a security-driven cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and and source code audit against the Dapr software. In addition to shedding light on the state of security on some new features of Dapr, the report also highlights what has been done in terms of fixing the issues clarified that Dapr is a distributed application runtime for cloud and edge deployments. In this context, the work was requested by Microsoft and carried out by Cure53 in late January and early February

PRESENTS Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski David Korczynski com> Date: 6th September 2023 This report is licensed under Creative Commons 4.0 (CC BY 4.0) Dapr security audit 2023 Table of contents Table of contents 1 Executive summary 2 Project Summary 3 Audit found 17 SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Rd., Ste. 460 Herndon, VA 20171 corsec.com +1 703.276.6050 FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic Specification Name Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140AA] FIPS 140-2 Annex A: Approved Security Functions 6/10/2019 [140AC] FIPS 140-2 Annex

PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski This report is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored

1. Available commands 4.5.2. Subshell and completion mode 4.5.3. Unix like environment 4.5.4. Security 4.6. Remote 4.6.1. SSHd server 4.6.2. JMX MBeanServer 4.7. Log 4.7.1. Configuration files 14. Security 4.14.1. Realms 4.14.2. Users, groups, roles, and passwords 4.14.3. Passwords encryption 4.14.4. Managing authentication by key 4.14.5. RBAC 4.14.6. SecurityMBean 4.14.7. Security providers a features XML (karaf-feature-archetype) 5.13.5. Create a KAR file (karaf-kar-archetype) 5.14. Security framework 5.14.1. Overview 5.14.2. Schema and Deployer 5.14.3. Architecture 5.14.4. Available

the console remotely. The management layer is also accessible remotely. • Security: Apache Karaf provides a complete security framework (based on JAAS), and providing RBAC (Role-Based Access Control) mechanism backlog-tracer-dump backlog-tracer-info backlog-tracer-start backlog-tracer-stop context-info context-list context-start context-stop endpoint-list route-info route-list route-profile route-reset-stats route-resume class ... ProtectionDomain ProtectionDomain null null java.security.Permissions@6521c24e ( ("java.security.AllPermission" "" "") ) Signers

hosts . . . . . . . . 218 13 Security guide 219 13.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 13.1.1 General Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . 220 13.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 13.3.1 The Security Model . . . . . . . . . . . . . . . . . . . machine which you no longer need, right-click on it in the Manager’s VM list select “Remove” from the context menu that comes up. A confirmation window will come up that allows you to select whether the machine