The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our security audit of Linkerd. Linkerd is an open source service mesh for Kubernetes which prioritizes reliability, security, and simplicity. Thanks to the help of 7ASecurity and the Cloud Native Computing Foundation, this project can continue to provide a lightweight, secure service mesh for its users.

Audit Process:

When projects receive multiple audits, the vulnerabilities remaining in the project become more and more difficult to identify. As this was Linkerd’s third pentest, the audit team at 7ASecurity had their work cut out for them. This shows the value of regular cycles of penetration testing followed by developer fixes: over time, the security posture improves substantially.

The scope of this engagement was the main project repository and the proxy APIs, which were reviewed using both pentest and whitebox security audit methods.

Audit Results:

  • 7 Findings with Security Impact
    • 1 High
    • 6 Hardening Recommendations
  • 4 Proposals for Future Security Work

The Linkerd team was incredibly responsive and helpful during the engagement and quick to resolve the reported issues, with multiple fixes already deployed. The audit report makes note of the fact that the Linkerd project reflects hard work and dedication to security, both in the code and in their practices. The security recommendations for further work are very specific, meaning that a lot of basic and even intermediate security steps have already been satisfactorily undertaken by the team. This audit reflects well on the Graduated status of this project through the CNCF Graduation Program. 

Thank you to the individuals and groups that made this engagement possible:

  • Linkerd maintainers and community, especially: David McLaughlin, William Morgan, and the Linkerd2 team
  • 7ASecurity: Abraham Aranguren, Daniel Ortiz, and Miroslav Štampar
  • The Cloud Native Computing Foundation

You can read the Audit Report HERE

You can read Linkerd’s Blog HERE

You can read 7ASecurity Blog HERE

You can read the CNCF’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].