|
| 1 | +--- |
| 2 | +date: 2025-02-18T00:00:00Z |
| 3 | +title: |- |
| 4 | + Linkerd 2024 Security Audit |
| 5 | +description: |- |
| 6 | + We're happy to announce the results of Linkerd's 2024 security audit, |
| 7 | + courtesy of 7ASecurity, the Open Source Technology Improvement Fund (OSTIF), |
| 8 | + and the Cloud Native Computing Foundation (CNCF). |
| 9 | +keywords: [linkerd, security] |
| 10 | +params: |
| 11 | + author: william |
| 12 | + showCover: true |
| 13 | +--- |
| 14 | + |
| 15 | +Today we're happy to report that Linkerd has successfully completed its 2024 |
| 16 | +security audit. This audit, initiated at the tail end of last year and concluded |
| 17 | +early this year, was performed by [7ASecurity](https://7asecurity.com/), managed |
| 18 | +by the [Open Source Technology Improvement Fund](https://ostif.org/), and funded |
| 19 | +by the [Cloud Native Computing Foundation](https://cncf.io/). As part of |
| 20 | +Linkerd's commitment to openness, transparency, and security by design, we've |
| 21 | +published the unredacted report in the [Linkerd GitHub |
| 22 | +page](https://github.com/linkerd/linkerd2/tree/main/audits). |
| 23 | + |
| 24 | +This was the third such public audit that Linkerd has undergone, and included |
| 25 | +both pen testing and whitebox testing. We were happy to collaborate with the |
| 26 | +7ASecurity team and OSTIF in the performance of this audit, and particularly |
| 27 | +happy with this excerpt from the report: |
| 28 | + |
| 29 | +> The Linkerd team was incredibly responsive and helpful during the engagement |
| 30 | +> and quick to resolve the reported issues, with multiple fixes already |
| 31 | +> deployed. The audit report makes note of the fact that the Linkerd project |
| 32 | +> reflects hard work and dedication to security, both in the code and in their |
| 33 | +> practices. The security recommendations for further work are very specific, |
| 34 | +> meaning that a lot of basic and even intermediate security steps have already |
| 35 | +> been satisfactorily undertaken by the team. This audit reflects well on the |
| 36 | +> Graduated status of this project through the CNCF Graduation Program. |
| 37 | +
|
| 38 | +As we said in our [2022 audit blog |
| 39 | +post](/2022/06/27/announcing-the-completion-of-linkerds-2022-security-audit/), |
| 40 | +no software is perfect, even Linkerd, and every architectural decision |
| 41 | +necessarily involves tradeoffs. The point of a security audit is not to produce |
| 42 | +a report card but to find the weak points and provide opportunities to address |
| 43 | +them before they become user-facing vulnerabilities. |
| 44 | + |
| 45 | +As usual, the audit flagged an assortment of issues of varying severity, and we |
| 46 | +worked closely with the 7ASecurity team to either address them or classify them |
| 47 | +as low user risk. For example, the most severe finding identified an unused |
| 48 | +development-time script used to generate protobuf bindings, which in some cases |
| 49 | +would output instructions to the developer to download a resource from a |
| 50 | +plaintext HTTP URL. This script was not part of the modern development process |
| 51 | +and we [removed it from the |
| 52 | +repo](https://github.com/linkerd/linkerd2/pull/13459). You can read the complete |
| 53 | +[OSTIF blog post](https://ostif.org/linkerd-audit-complete/) for more. |
| 54 | + |
| 55 | +Regular third-party audits are just one part of Linkerd’s comprehensive focus on |
| 56 | +world-class security, which includes code review for all changes, a formal |
| 57 | +security policy, a vast series of automated checks (including static analysis, |
| 58 | +dependency analysis, and fuzz testing) and much more. Linkerd is trusted by |
| 59 | +users around the world not just to be secure but to increase the security of |
| 60 | +their systems. We hold that trust sacred, and strive our best to live up to it |
| 61 | +with every line of code. |
| 62 | + |
| 63 | +## Linkerd is for everyone |
| 64 | + |
| 65 | +Linkerd is a graduated project of the |
| 66 | +[Cloud Native Computing Foundation](https://cncf.io/). Linkerd is |
| 67 | +[committed to open governance.](/2019/10/03/linkerds-commitment-to-open-governance/) |
| 68 | +If you have feature requests, questions, or comments, we'd love to have you join |
| 69 | +our rapidly-growing community! Linkerd is hosted on |
| 70 | +[GitHub](https://github.com/linkerd/), and we have a thriving community on |
| 71 | +[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and |
| 72 | +in [mailing lists](/community/get-involved/). Come and join the fun! |
| 73 | + |
| 74 | +(*Photo by [Caspar |
| 75 | +Rae](https://unsplash.com/@raecaspar?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash) |
| 76 | +on [Unsplash](https://unsplash.com/photos/man-in-yellow-jacket-standing-beside-white-car--MBPgdHD_SA?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash").*) |
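Review bot: the Unsplash credit link on file line 76 has a stray double quote inside the URL (`...utm_source=unsplash")`), so the markdown link either fails to parse or carries a literal `"` into the rendered href; drop the quote so the line ends `...utm_source=unsplash).*)`. The Caspar Rae link on the preceding line is the correct shape to match.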