
7ASecurity is proud to share the results of a recent security audit of Linkerd. Linkerd is an open source service mesh for Kubernetes which prioritizes reliability, security, and simplicity. Thanks to the help of the Open Source Technology Improvement Fund (OSTIF) and the Cloud Native Computing Foundation, this project can continue to provide a lightweight and security-focused service mesh for users.
Audit Process:
When projects receive multiple audits, the vulnerabilities remaining in the project become more and more difficult to identify. As this was Linkerd’s third pentest, the audit team at 7ASecurity had their work cut out for them. This demonstrates the value of regular cycles of penetration testing followed by developer fixes: over time, the security posture improves substantially.
The scope of this engagement covered the main project repository and the proxy APIs. These were reviewed using penetration testing and whitebox security audit methods.
Audit Results:
- 7 Findings with Security Impact
  - 1 High
- 6 Hardening Recommendations
- 4 Proposals for Future Security Work
The Linkerd team was incredibly responsive and helpful during the engagement and quick to resolve the reported issues, with multiple fixes already deployed. The audit report makes note of the fact that the Linkerd project reflects hard work and dedication to security, both in the code and in their practices. The security recommendations for further work are very specific, meaning that a lot of basic and even intermediate security steps have already been satisfactorily undertaken by the team. This audit reflects well on the Graduated status of this project through the CNCF Graduation Program.
Thank you to the individuals and groups that made this engagement possible:
- Linkerd maintainers and community, especially: David McLaughlin, William Morgan, and the Linkerd team
- The Open Source Technology Improvement Fund (OSTIF)
- The Cloud Native Computing Foundation (CNCF), for sponsoring this project.
You can read the Cloud Native Computing Foundation (CNCF) Blog HERE
You can read the Audit Report HERE
You can read OSTIF’s Blog HERE
You can read the Linkerd Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact amir@ostif.org.