6 documents
  • PDF document: Dapr july 2020 security audit report

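    0 credits | 19 pages | 267.84 KB | 2 years ago
    This document describes in detail the security assessment that the Cure53 team carried out on Microsoft's Distributed Application Runtime (Dapr) in the summer of 2020. The assessment comprised a full code audit and a penetration test, focusing on Dapr's main repository and related functionality. The testers found 12 security-relevant issues, one of which was rated critical and concerned a potential cluster-takeover vulnerability. The report also makes several remediation recommendations, including configuring RBAC, protecting secret management, and improving the default configuration. The document stresses Dapr's security strengths while also pointing out room for improvement, and recommends further improving the documentation and configuration guidance to raise overall security.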
  • PDF document: Dapr february 2021 security audit report

    0 credits | 9 pages | 161.25 KB | 2 years ago
    This report details the findings of a security audit and penetration test conducted by Cure53 on the Dapr project in February 2021. The audit focused on retesting vulnerabilities identified in a previous assessment and evaluating new features introduced since June 2020. Key findings include the successful mitigation of major high-risk issues, though some lower-severity vulnerabilities remain unresolved. The report highlights improvements in system security, the importance of secure-by-default design, and specific vulnerabilities such as HTTP Parameter Pollution and access policy bypass. Overall, Dapr demonstrates positive progress in addressing security concerns.
  • PDF document: Dapr june 2023 fuzzing audit report

    0 credits | 19 pages | 690.59 KB | 2 years ago
    This report details a fuzzing audit conducted by Ada Logics for the Dapr project under the CNCF. The audit involved creating a fuzzing suite for Dapr, integrating it with OSS-Fuzz, and developing 39 fuzzers to test three sub-projects: Dapr Runtime, Dapr Kit, and Components-Contrib. The fuzzers identified three issues, including two related to third-party libraries, all of which were resolved. The report highlights the importance of continuous fuzzing for ensuring software security and outlines future plans to expand fuzzing coverage and improve project maintainability.
  • PDF document: OAM, Dapr and Rudr: The future of cloud native applications

    0 credits | 59 pages | 1.65 MB | 2 years ago
    The document explores the future of cloud-native applications through three key technologies: Open Application Model (OAM), Dapr, and Rudr. OAM focuses on defining a platform-agnostic application model, enabling developers to build and operate applications across various environments. Dapr, a distributed application runtime, provides a portable, event-driven framework for building microservices across cloud and edge infrastructures. Rudr extends OAM by enabling the deployment of cloud-native applications on Kubernetes clusters. The document highlights the integration of these technologies, emphasizing their ability to simplify application development, manage state, and handle distributed systems challenges. It also discusses the sidecar architecture and component management in Dapr, as well as the portability and scalability benefits of these solutions.
  • PDF document: Dapr september 2023 security audit report

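    0 credits | 47 pages | 1.05 MB | 2 years ago
    In May and June 2023, Ada Logics carried out a comprehensive security audit of the Dapr project. The audit found 7 security issues, 6 of which have been fixed. The audit also added five new fuzzers to Dapr's OSS-Fuzz suite and made recommendations on supply-chain security. Dapr's dependency tree shows considerable supply-chain risk, involving multiple third-party dependencies. The audit results indicate that Dapr follows good security practices, but that supply-chain security still needs improvement.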
  • PDF document: The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr

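    0 credits | 51 pages | 2.00 MB | 2 years ago
    The document introduces two new specifications released by Microsoft, Open Application Model (OAM) and Dapr, which aim to simplify building applications on Kubernetes, at the edge, and in cloud environments. OAM is a platform-agnostic application model specification that helps developers focus on business logic, while Dapr is a portable, event-driven runtime for building distributed applications. The document emphasizes how the two specifications improve development efficiency for microservice architectures through standardization and modularity, and shows how they are used on Kubernetes.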