SberBank story: moving Istio from PoC to production Igor Gustomyasov, Sber Maksim Chudnovskii, IBM Sber position across key areas Best client experience Technological leadership In financial services January 2019 PoC OCP 3.11 Istio 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC March 2020 Istio 1.1 Istio Egress Istio Ingress OCP 4.1 LB LB LB TROUBLE SHOOTING January 2019 PROD PoC March 2020 December 2020 Innovation trigger Peak of inflated Expectations Though of Disillusionment

return fmt.Errorf("uknown type: %v in %v", header.Typeflag, header.Name) } } return nil } PoC A complete PoC is available below that demonstrates how the vulnerability could be exploited. Copy the file either: panic: open fileToCopy: no such file or directory goroutine 1 [running]: main.main() /tmp/go-poc/main.go:61 +0x1db exit status 2 … which means the attacker did not win the race. Or : panic: +++++++++++++++ contents. The attacker has won the race. +++++++++++++++ goroutine 1 [running]: main.main() /tmp/go-poc/main.go:63 +0x1cc … which means the attacker won the race. 44 Istio Security Audit, 2023 10: H2c

cluster ● 12k+ pods ● 750+ nodes Istio at Mercari 7 Istio at Mercari Apr 2019 Started Istio PoC Sep 2019 First release in production Feb 2021 ~25% production services ~50% development