The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our security audit of Linkerd. Linkerd is an open source service mesh for Kubernetes that prioritizes reliability, security, and simplicity. Thanks to the help of 7ASecurity and the Cloud Native Computing Foundation, this project can continue to provide a lightweight and security-focused service mesh for its users.
Audit Process:
When a project receives multiple audits, the vulnerabilities remaining in it become progressively harder to identify. As this was Linkerd’s third pentest, the audit team at 7ASecurity had their work cut out for them. This demonstrates the value of regular cycles of penetration testing followed by developer fixes: over time, the security posture improves substantially.
The scope of this engagement was the main project repository and the proxy APIs. They were reviewed using both penetration testing and whitebox security audit methods.
Audit Results:
- 7 Findings with Security Impact
  - 1 High
- 6 Hardening Recommendations
- 4 Proposals for Future Security Work
The Linkerd team was incredibly responsive and helpful during the engagement and quick to resolve the reported issues, with multiple fixes already deployed. The audit report notes that the Linkerd project reflects hard work and dedication to security, both in the code and in its practices. The recommendations for further security work are very specific, meaning that a lot of basic and even intermediate security steps have already been satisfactorily undertaken by the team. This audit reflects well on the project’s Graduated status in the CNCF Graduation Program.
Thank you to the individuals and groups that made this engagement possible:
Linkerd maintainers and community, especially: David McLaughlin, William Morgan, and the Linkerd team
7ASecurity: Abraham Aranguren, Daniel Ortiz, and Miroslav Štampar
The Cloud Native Computing Foundation
Read the 7ASecurity Blog here.
The Linkerd Blog is here.