Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup -43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently

/ 51 Confidential—Restricted Nov 10, 2022 Ozone User Group Summit / 51 2 Confidential—Restricted / 51 THE HYBRID DATA COMPANY We believe that data can make what is impossible today, possible tomorrow anywhere” data analytics portability DATA ENG DATA WH AI/ML OP DB DATA FLOW Unified security & governance with open cloud-native storage formats Open data fabrics, lakehouses and data control policy, lineage and governance Support HDFS and S3 API based applications Application Security Encryption Is the data protected at rest and in-transit? / 51 7 Confidential—Restricted Apache

” From https://dapr.io/#about This report describes the results of a large-scale and thorough security assessment targeting the Microsoft Distributed Application Runtime (Dapr) software complex1 substantial research and acquired a very good coverage over the scope. Cure53 managed to identify twelve security-relevant issues affecting the Dapr complex. Eight problems represent vulnerabilities and four section on Orchestration Hardening was included, detailing some general approaches to improving the security of a Dapr installation. Finally, the report will close with broader conclusions about this 2020

diversity of languages and developer frameworks.” From https://dapr.io/#about This report continues a security-driven cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and and source code audit against the Dapr software. In addition to shedding light on the state of security on some new features of Dapr, the report also highlights what has been done in terms of fixing the issues follow-up to the project reported as DAP-01, which was a large-scale and comprehensive security examination. Back in June 2020, the budget of twenty days was invested. Comparatively, a smaller

PRESENTS Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski David Korczynski com> Date: 6th September 2023 This report is licensed under Creative Commons 4.0 (CC BY 4.0) Dapr security audit 2023 Table of contents Table of contents 1 Executive summary 2 Project Summary 3 Audit found 17 SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Rd., Ste. 460 Herndon, VA 20171 corsec.com +1 703.276.6050 FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic Specification Name Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140AA] FIPS 140-2 Annex A: Approved Security Functions 6/10/2019 [140AC] FIPS 140-2 Annex

Kailun Qin, Ant Group Putting an Invisible Shield on Kubernetes Secrets Agenda • K8s Secrets: Overview • TEE-based K8s Secrets Protection: Solution • Production Experience @ Ant Group • Demo • Summary tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory

Performing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.3.4 The vboxusers Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.3.5 Starting Oracle VM VirtualBox on Performing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.4.2 The vboxuser Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.4.3 Starting Oracle VM VirtualBox 292 9.31.1 Setting up USB/IP Support on a Linux System . . . . . . . . . . . . . . 292 9.31.2 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 9.32 Using Hyper-V with

Performing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . 43 2.3.4 The vboxusers Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.3.5 Starting Oracle VM VirtualBox on Performing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . 47 2.4.2 The vboxuser Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 2.4.3 Starting Oracle VM VirtualBox 297 9.31.1 Setting up USB/IP Support on a Linux System . . . . . . . . . . . . . . 297 9.31.2 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 9.32 Using Hyper-V with