The Open Source Technology Improvement Fund is proud to share the results of our security audit of ztunnel. ztunnel is the open source node proxy implementation of Istio’s ambient mesh mode. This collaboration between Istio, Trail of Bits, and the Cloud Native Computing Foundation provides reasonable assurance that Istio’s ambient mode is a secure and high-performing alternative to the sidecar model.

Audit Process:

While the Istio main branch has undergone security audits previously (including one with OSTIF), this was the first engagement focused specifically on the ztunnel implementation. The security audit, which took place over two engineer-weeks in December of 2024, was undertaken by a team of two Trail of Bits consultants. Using static and dynamic testing with both automated and manual processes, the audit work focused on the most critical code paths of ztunnel, including L4 (transport layer) authorization, inbound request proxying, transport-layer security, and certificate management code. The audit report notes that the implementation is well-written and well-structured, and the audit uncovered no critical- or high-severity findings with security impact.

Audit Results:

  • 3 Findings Reported
    • 1 Medium Severity
    • 2 Informational
  • 4 Recommendations for CI/CD posture improvements

The team at Istio responded quickly and proactively to the reported issues, and all 3 findings have been resolved. Istio is a CNCF Graduated project, and their attention to detail and involvement in this audit, as well as their documented adherence to recommended security practices in ztunnel, reflect well on that status.

Thank you to the individuals and groups that made this engagement possible:

  • Istio maintainers and community, especially: Craig Box, John Howard, Daniel Hawton, and Jackie Maertens
  • Trail of Bits: Keith Hoodlet, Vasco Franco, Sam Alws, and Jeff Braswell
  • The Cloud Native Computing Foundation

You can read the Audit Report HERE

You can read Istio’s blog HERE

The Audit Report is also available to view on Trail of Bits’ GitHub HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].