The Cloud Native Computing Foundation (CNCF) has begun a process of performing third-party security audits for its projects, with the first completed audit coming from the Envoy proxy project.
The Envoy proxy project was created by ride-sharing company Lyft and officially joined the CNCF in September 2017. Envoy is a service mesh reverse proxy technology that is used to help scale micro-services data traffic.
“What’s interesting is that Envoy previously had private security audits done, but the purpose of this audit was to do one in a public fashion and post the results for the community to digest, as there should be nothing to hide from such a high quality project like Envoy,” Chris Aniszczyk, COO of the CNCF told eWEEK. “You have to remember that Envoy is used by some of the highest traffic companies in the world, from Apple to Google to Lyft to Microsoft to Netflix to Tencent and more.”
Aniszczyk commented that the CNCF already knew Envoy was a high quality piece of software with a vibrant community and the report validated that assertion. The security audit was conducted by Germany cyber-security firm Cure53 and found eight different security issues in the Envoy code base. The report notes that four of the identified issues were general weaknesses, while four were non-critical vulnerabilities.
“It is vital to emphasize that no issue were marked as ‘Critical’ in terms of security impact, severity or scope,” the report states. “This absence of high-risk problems is a very good indicator of the broader state of security matters at the Envoy compound.”
The highest impact issue found by the auditors was identified as the lack of security for an administrative interface, which could have potentially enabled Cross-Site Request Forgery (CSRF) or Denial of Service attacks. Envoy project lead Matt Klein explained that there had been no assumption of security when using the administration server.
“The expectation has been that users would properly firewall access and/or only bind the administration server such that it is available on localhost,” Klein told eWEEK. “The security auditors rightly pointed out that insecure access to the administration server is extremely problematic.”
Klein said that following the audit, the Envoy project added explicit documentation warning users about the expectations around locking down access to the administration server via a proper firewall setup. Longer term, he said that project developers are tracking various work items that will allow users to configure more robust administration server security within Envoy itself.
“The audit continues to hammer home the fact that security is absolutely critical for users of Envoy,” Klein said. “If the project is going to be used by the largest Internet properties on the edge and within trusted networks, it has to adhere to the highest levels of security best practices.”
The Envoy project iterates approximately every three months with the 1.6.0 update released on March 20. Klein noted that there were no “big bang” features, added in the 1.6 cycle, however, the changes made indicate the breadth of use cases for Envoy, as well as, the ever increasing level of community support.
“Envoy is now seeing widespread adoption and deployment and the large number of features and fixes that went into this release demonstrate that,” Klein said.
Security was also part of the Envoy 1.6.0 development cycle. Klein said Envoy project contributors developed a critical vulnerability reporting and fix release process. He also noted that Google has added Envoy to their bug bounty program as software critical for cloud computing.
“As a project, we look forward to increased scrutiny from the security community, which is the best way to find issues and mitigate them as quickly as possible,” he said.
Audit Lessons Learned
The Envoy project was the first CNCF project to go through a security audit but it won’t be the last. Aniszczyk said that the CNCF is piloting the security audit program with a couple of CNCF projects and plans to continue to conduct security audits when it makes sense for its projects.
“The main lesson is that a public security audit is a great way to test the quality of an open source project and more importantly, how receptive the open source project’s security practices are,” Aniszczyk said. “At CNCF, we require all our projects to go through the Core Infrastructure Initiative (CII) Best Practices Badge program, which mandates project have good security practices.”
CNCF is home to a growing list of cloud projects, including the Kubernetes container orchestration platform. Aniszczyk said that the next project that will be releasing the results of its security audit is CoreDNS, which will be a default in future versions of Kubernetes.
“Kubernetes is definitely in the list of projects in queue, but the thought process was to start with a couple of smaller projects first to see how it would work and gather feedback from the CNCF community on whether the pilot was useful,” Aniszczyk said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.