Dapr July 2020 security audit report
19 pages | 267.84 KB | 1 year ago
This document records Cure53's security audit of Dapr, which found 12 security-related issues in total: 8 vulnerabilities and 4 general weaknesses. One issue was rated high severity and has been fixed; the other high-severity findings were likewise reported and fixed. The report emphasizes that Dapr has a good security foundation but still has room for improvement, particularly in configuration and default settings. It also proposes hardening recommendations, including network policies, zero-trust concepts and RBAC, and recommends tools such as Calico to improve security.

Dapr February 2021 security audit report
9 pages | 161.25 KB | 1 year ago
The Dapr security audit report from February 2021 details the findings of a penetration test and source code audit conducted by Cure53. The assessment focused on retesting issues identified in June 2020 and evaluating new features added since summer 2020, such as app-api tokens, access control, and secrets storage. High-risk issues from the previous audit were addressed, leaving only lower-severity vulnerabilities. A new high-risk issue, an access control bypass caused by URL normalization, was discovered and subsequently fixed. The report highlights that Dapr's security has improved significantly, with the project adopting a more secure-by-default approach. However, areas such as URL normalization and token usage across multiple applications still require attention.

Dapr June 2023 fuzzing audit report
19 pages | 690.59 KB | 1 year ago
This document details the fuzzing audit that CNCF commissioned Ada Logics to perform on the Dapr project. In this audit, Dapr integrated fuzzing for the first time into its three sub-projects (Dapr Runtime, Dapr Kit and Components-Contrib), developing 39 fuzzers that run continuously through OSS-Fuzz. These fuzzers found 3 issues, 2 of which originated in third-party library dependencies; all issues have been fixed. CNCF continues to improve the security of its ecosystem through fuzzing and security audits, and plans to further expand fuzzing coverage to find more vulnerabilities, especially in memory-safe languages.

OAM, Dapr and Rudr: The future of cloud native applications
59 pages | 1.65 MB | 1 year ago
The document explores the future role of OAM (Open Application Model), Dapr (Distributed Application Runtime) and Rudr in building cloud-native applications. OAM provides a platform-agnostic application model that lets developers focus on business value rather than container infrastructure, while supporting multi-cloud and edge environments. Dapr, a portable event-driven runtime, simplifies building distributed applications and suits a wide range of environments. Rudr implements OAM on Kubernetes, combining Kubernetes resources and Helm charts to help application developers and operators separate their concerns, enabling efficient construction and operation of cloud-native applications.

Dapr September 2023 security audit report
47 pages | 1.05 MB | 1 year ago
The Dapr September 2023 security audit report identifies 7 security issues, with 6 resolved and 1 remaining unresolved. The audit includes a threat model analysis, fuzzing tests, and supply-chain mitigation recommendations. Five fuzzers were added to enhance security testing. A CVE (CVE-2023-37475) was assigned for a vulnerability in a third-party library. The report emphasizes the risks of archived or deprecated dependencies and suggests adopting Scorecard for long-term evaluation of dependency security.

The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr
51 pages | 2.00 MB | 1 year ago
The document describes the future role of the Open Application Model (OAM) and Dapr in cloud-native applications. OAM simplifies the definition and deployment of cloud-native applications, allowing developers to focus on business value rather than underlying container configuration. Dapr provides a distributed application runtime that supports event-driven, stateless components and other modern application patterns. The document also covers OAM's integration with Kubernetes, which combines high-level application modeling with familiar Kubernetes concepts through custom resource definitions (CRDs). OAM supports multi-cloud, edge computing and on-premises environments, and provides a consistent application model and portability through operators (such as ROS-OAM). The document also shows how to implement continuous integration and operations with GitHub Actions and Azure DevOps.