Istio Security Assessment
    Certificates 019 Low Default Injected Init Container Requires Sensitive Capabilities 021 Low Execution of System Commands without Validation 008 Informational Weak Trust Boundary Between Workload Container PushContext.mergeGateways methods and the sortConfigByCreationTime function within istio/pilot/pkg/model/push_context.go Impact An attacker that is able to create an Istio Gateway within a Kubernetes cluster gatewaysByNamespace[proxy.ConfigNamespace] } else { configs = ps.allGateways } Listing 1: istio/pilot/pkg/model/push_context.go Recommendation While this issue can likely be remediated by using per-namespace ingress
    0 credits | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
    2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review of fixes for issues from previous audit 50 Istio SLSA compliance 52 engagement was a holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code foundation for a secure product, and it demonstrates that the Istio community has formulated a threat model that is used to assess which parts of Istio are particularly exposed. In this audit, Ada Logics confirmed
    0 credits | 55 pages | 703.94 KB | 1 year ago
Service mesh security best practices: from implementation to verification
    accesses to services. Deploy web application firewall to defend against DDoS, injection, remote execution attacks. Edge security Egress 2. Define egress security policies to defend against data exfiltration
    0 credits | 29 pages | 1.77 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
    “src”: “Canada” : } getDetails(…): Req parameter /api?…&UPC=[…]&src=warehouse12&… Test execution sequence : : Problem • Test uses outcome of a previous API request • Context propagation rarely
    0 credits | 21 pages | 1.09 MB | 1 year ago
Istio Project Update
    Extension Model Mixer #IstioCon Istiod Cluster 1 Istiod Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon Istio Innovation Simplified installation Simplified control plane New extension Model Unified multicluster model Simplified VM onboarding Simplified troubleshooting #IstioCon 2021: Year of Istio
    0 credits | 22 pages | 1.10 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
    the viable solutions to communicate between Legacy VNFs and new CNFs ● Need a stricter security model for end-to-end key protection #IstioCon Legacy VNF CNF: Option 1 ● Recommended architecture Protection ● SDS (Secret Discovery Service) ● A stricter security model ○ Protections for inline components & workflows ○ Trust model augmentation ■ Impersonating ■ Secret clear in memory ■ Secret
    0 credits | 50 pages | 2.19 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
    ● Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint
    0 credits | 22 pages | 505.96 KB | 1 year ago
7 items in total