Vitess security audit
PRESENTS ## Vitess security audit In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux of contents Table of contents 1 Executive summary 2 Notable findings 3 Project Summary 4 Audit Scope 4 Threat model formalisation 5 Fuzzing 14 Issues found 16 SLSA review 38 Conclusions Ada Logics carried out a security audit of Vitess. The primary focus of the audit was a new component of Vitess, VTAdmin. The goal was to conduct a holistic security audit which includes multiple disciplines
0 credits | 41 pages | 1.10 MB | 2 years ago

Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr
## Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr Build Safer Modern C++ Application Speaker: Xiaofan Sun Date: Sep 19, 2024 ## Self-Introduction • Got my Ph.D. from UC, Riverside last std::unique_ptrClass from third-party library: llvm::Value* ## Logging the Data // LOG(INFO) << Data; // ASSERT(a > b, "A > B is not true", a, b); std::ostream& operator<<(std::ostream& out, llvm::Value* data); ## Logging the Data • Namespace pollution • Hard to implement with template • No extensibility • No customization
0 credits | 54 pages | 961.46 KB | 1 year ago

TiDB Audit Plugin User Guide
## TiDB Audit Plugin User Guide August 4, 2022 ## Introduction The TiDB audit plugin records the TiDB server’s activities that are expected to follow auditing regulations of your organization. For each how to compile, package, and use the audit plugin. ## Download the plugin You can download the plugin on TiDB Enterprise Edition Downloads. ## Deploy the audit plugin After downloading the plugin, to deploy the audit plugin. ## Use TiDB Operator to deploy the plugin ## Configure TidbCluster CR tidb: additionalContainers: - command: - sh --C - touch /var/log/tidb/tidb-audit.log; tail -n0
0 credits | 15 pages | 257.26 KB | 2 years ago

Dapr july 2020 security audit report
out by Cure53 in summer 2020, the project entailed comprehensive penetration test and source code audit of the Dapr scope. In terms of resources, the project was assigned to four members of the Cure53 work packages (WPs) were outlined. In WP1, Cure53 performed both a broad and thorough source code audit of the latest version of Dapr. The focus was explicitly placed on the Dapr main repository and the as they were emerging. The communications were very helpful and productive, assisting the test and audit in moving forward swiftly. Given good choices and practices regarding methodology, setup and communications
0 credits | 19 pages | 267.84 KB | 2 years ago

Dapr february 2021 security audit report
previous code audit (Low) DAP-02-013 WP2: Access policy bypass due to missing URL normalization (High) Miscellaneous Issues DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) Conclusions cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In addition to shedding light on the state of security on some new features security mistakes. In effect, three work packages (WPs) were delineated: • WP1: Thorough source code audit of the latest Dapr version • WP2: Penetration tests targeting the Dapr integration and setup • WP3:
0 credits | 9 pages | 161.25 KB | 2 years ago

Dapr june 2023 fuzzing audit report
PRESENTS ## Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation ## Authors 0) ## CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts carried out by CNCF in this engagement, Dapr was doing no fuzzing for any of its sub projects, and the goal of this fuzzing audit was to build the fundamental infrastructure and improve the fuzzing efforts in a continuous manner
0 credits | 19 pages | 690.59 KB | 2 years ago

Dapr september 2023 security audit report
PRESENTS ## Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation ## Logging and Tracing Stack LOGBACK glog .












