Dapr july 2020 security audit report
Bielefelder Str. 14 D 10709 Berlin cure53.de · mario@cure53.de Pentest-Report Dapr 06.2020 Cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. R. Peraglie, J. Larsson Index Introduction cluster takeover (Critical) DAP-01-006 WP2: Cross-Site Request Forgery into local Dapr sidecar (Medium) DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High) DAP-01-010 WP2: Invocation of out-of-scope topic handlers of PubSub (Info) DAP-01-012 WP2: Missing authentication from Dapr API to application (Medium) Miscellaneous Issues DAP-01-001 WP1: Sidecar allows MDNS probes to docker
0 码力 | 19 pages | 267.84 KB | 1 year ago

Dapr february 2021 security audit report
Bielefelder Str. 14 D 10709 Berlin cure53.de · mario@cure53.de Pentest- & Retest-Report Dapr 02.2021 Cure53, Dr.-Ing. M. Heiderich, Dipl.-Inf. G. Kopf & other Team Members Index Introduction DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) Conclusions Introduction “Dapr is a portable, event-driven runtime that makes it easy for developers to build resilient, microservice From https://dapr.io/#about This report continues a security-driven cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In
0 码力 | 9 pages | 161.25 KB | 1 year ago

Dapr june 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th summary In this engagement, Ada Logics worked on creating a fuzzing suite for Dapr. At the time of this engagement, Dapr was doing no fuzzing for any of its sub projects, and the goal of this fuzzing efforts in a continuous manner. Ada Logics did that by first integrating Dapr into OSS-Fuzz and add fuzzers for important APIs of the Dapr eco system. At the end of the audit, all fuzzers are running continuously
0 码力 | 19 pages | 690.59 KB | 1 year ago

Dapr september 2023 security audit report
PRESENTS Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 6th September 2023 This report is licensed under Creative Commons 4.0 (CC BY 4.0) Dapr security audit 2023 Table of contents Table of contents 1 Executive summary 2 Project Summary SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to complete
0 码力 | 47 pages | 1.05 MB | 1 year ago

OAM, Dapr and Rudr: The future of cloud native applications
Microsoft Ignite OAM, dapr, and rudr The future of cloud native applications Mark Russinovich @markrussinovich Open Application Model dapr: Distributed Application Platform Building Cloud Scale, developers write their application to interact with other services and data stores Programming Models dapr: Distributed Application Runtime Building blocks for building scalable distributed apps Open Application don’t have composable and incrementally adoptable equivalents that can run anywhere Introducing Dapr A portable, event-driven, serverless runtime for building distributed applications across cloud
0 码力 | 59 pages | 1.65 MB | 1 year ago

The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr
The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr @markrussinovich Application models Describes the topology of your application and its components The way developers interact with other services and data stores Programming models Distributed Application Runtime (Dapr) Open Application Model (OAM) https://oam.dev State of Cloud Native Application Platforms Prometheus Operator ROS (Alibaba Cloud Resources) Stateless Component Kubernetes Cluster https://dapr.io State of Enterprise Developers What is holding back micro-service development? Hard to incrementally
0 码力 | 51 pages | 2.00 MB | 1 year ago
6 results in total