Envoy CNCF Project Completes Security Audit, Delivers New Release

Envoy Project

The Cloud Native Computing Foundation (CNCF) has begun a process of performing third-party security audits for its projects, with the first completed audit coming from the Envoy proxy project.

The Envoy proxy project was created by ride-sharing company Lyft and officially joined the CNCF in September 2017. Envoy is a service mesh reverse proxy that is used to help scale microservices data traffic.

“What’s interesting is that Envoy previously had private security audits done, but the purpose of this audit was to do one in a public fashion and post the results for the community to digest, as there should be nothing to hide from such a high quality project like Envoy,” Chris Aniszczyk, COO of the CNCF told eWEEK. “You have to remember that Envoy is used by some of the highest traffic companies in the world, from Apple to Google to Lyft to Microsoft to Netflix to Tencent and more.”

Aniszczyk commented that the CNCF already knew Envoy was a high-quality piece of software with a vibrant community, and the report validated that assertion. The security audit was conducted by German cyber-security firm Cure53 and found eight security issues in the Envoy code base. The report notes that four of the identified issues were general weaknesses, while the other four were non-critical vulnerabilities.

“It is vital to emphasize that no issues were marked as ‘Critical’ in terms of security impact, severity or scope,” the report states. “This absence of high-risk problems is a very good indicator of the broader state of security matters at the Envoy compound.”

The highest-impact issue found by the auditors was the lack of security controls on the administrative interface, which could potentially have enabled Cross-Site Request Forgery (CSRF) or Denial of Service attacks. Envoy project lead Matt Klein explained that the project had never assumed the administration server was secure on its own.

“The expectation has been that users would properly firewall access and/or only bind the administration server such that it is available on localhost,” Klein told eWEEK. “The security auditors rightly pointed out that insecure access to the administration server is extremely problematic.”

Klein said that following the audit, the Envoy project added explicit documentation warning users about the expectation that access to the administration server is locked down via a proper firewall setup. Longer term, he said project developers are tracking work items that will allow users to configure more robust administration server security within Envoy itself.
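The mitigation Klein describes is a deployment property, so it can be checked before Envoy starts. The following is an added example (not Envoy project code) of a small audit script that reads an Envoy bootstrap and reports whether the admin listener is bound to a loopback address; it assumes the bootstrap is supplied as JSON (Envoy accepts JSON as well as YAML, and JSON keeps the check free of third-party parsers), and the sample bootstraps are constructed for illustration.

```python
"""Audit an Envoy bootstrap for an exposed admin listener.

Added example, not code from the Envoy project. The real Envoy bootstrap
schema puts the admin bind address at admin.address.socket_address; the
sample bootstraps below are constructed for this example.
"""
import ipaddress
import json


def make_bootstrap(address, port=9901):
    """Build a minimal constructed bootstrap with the admin server on address:port."""
    return json.dumps({
        "admin": {"address": {"socket_address": {"address": address, "port_value": port}}},
        "static_resources": {"listeners": []},
    })


# Constructed samples: the first exposes the admin server on every interface
# (the situation the auditors flagged), the second follows the documented
# expectation of binding to localhost, the third has no admin server at all.
EXPOSED_BOOTSTRAP = make_bootstrap("0.0.0.0")
LOCALHOST_BOOTSTRAP = make_bootstrap("127.0.0.1")
NO_ADMIN_BOOTSTRAP = json.dumps({"static_resources": {"listeners": []}})


def admin_bind_address(bootstrap_text):
    """Return (address, port) of the admin socket, or None if there is none.

    A pipe (Unix domain socket) admin address also returns None: it is not
    reachable over the network, so the bind-address check does not apply.
    """
    cfg = json.loads(bootstrap_text)
    admin = cfg.get("admin") or {}
    sock = (admin.get("address") or {}).get("socket_address")
    if not sock:
        return None
    return sock.get("address"), sock.get("port_value")


def audit_admin_exposure(bootstrap_text):
    """Classify the admin listener as 'absent', 'loopback', 'exposed' or 'unverified'.

    'exposed' means the socket is reachable from the network unless an
    external firewall blocks it, which is exactly the CSRF/DoS exposure the
    audit called out.
    """
    bind = admin_bind_address(bootstrap_text)
    if bind is None:
        return "absent"
    address, _port = bind
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # Not a literal IP; cannot be verified statically, so flag for review.
        return "unverified"
    # 0.0.0.0 and :: bind every interface; only 127.0.0.0/8 and ::1 are local.
    return "loopback" if ip.is_loopback else "exposed"


if __name__ == "__main__":
    for name, text in [("exposed", EXPOSED_BOOTSTRAP),
                       ("localhost", LOCALHOST_BOOTSTRAP),
                       ("no-admin", NO_ADMIN_BOOTSTRAP)]:
        print(f"{name:10s} -> {audit_admin_exposure(text)}")
```

Binding to loopback is the first layer only; the project's own guidance still calls for firewalling the admin port, since a loopback bind does nothing against requests originating on the same host.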

“The audit continues to hammer home the fact that security is absolutely critical for users of Envoy,” Klein said. “If the project is going to be used by the largest Internet properties on the edge and within trusted networks, it has to adhere to the highest levels of security best practices.”

Envoy 1.6.0

The Envoy project iterates approximately every three months, with the 1.6.0 update released on March 20. Klein noted that there were no “big bang” features added in the 1.6 cycle; however, the changes made show the breadth of use cases for Envoy, as well as the ever-increasing level of community support.

“Envoy is now seeing widespread adoption and deployment and the large number of features and fixes that went into this release demonstrate that,” Klein said. 

Security was also part of the Envoy 1.6.0 development cycle. Klein said Envoy project contributors developed a critical vulnerability reporting and fix release process. He also noted that Google has added Envoy to its bug bounty program as software critical for cloud computing.

“As a project, we look forward to increased scrutiny from the security community, which is the best way to find issues and mitigate them as quickly as possible,” he said.

Audit Lessons Learned

The Envoy project was the first CNCF project to go through a security audit but it won’t be the last. Aniszczyk said that the CNCF is piloting the security audit program with a couple of CNCF projects and plans to continue to conduct security audits when it makes sense for its projects.

“The main lesson is that a public security audit is a great way to test the quality of an open source project and, more importantly, how receptive the open source project’s security practices are,” Aniszczyk said. “At CNCF, we require all our projects to go through the Core Infrastructure Initiative (CII) Best Practices Badge program, which mandates that projects have good security practices.”

CNCF is home to a growing list of cloud projects, including the Kubernetes container orchestration platform. Aniszczyk said that the next project that will be releasing the results of its security audit is CoreDNS, which will be a default in future versions of Kubernetes.

“Kubernetes is definitely in the list of projects in queue, but the thought process was to start with a couple of smaller projects first to see how it would work and gather feedback from the CNCF community on whether the pilot was useful,” Aniszczyk said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Google News Initiative Funding

Google will spend $300 million over the next three years on various initiatives to help news organizations sustain business growth and drive quality journalism. 

Under a new Google News Initiative (GNI) announced March 20, the company will also work on empowering news organizations through technological innovation such as machine learning and natural language processing tools. 

Philipp Schindler, Google’s chief business officer, described GNI as deepening Google’s commitment to helping the news industry cope with challenges to its business models from digital transformation.

While the demand for quality journalism remains high, the manner in which journalism is created, consumed and paid for has changed dramatically with the industry-wide transition to digital, he wrote in the blog post announcing the initiative.

“Business models for journalism continue to change drastically,” he said. “The rapid evolution of technology is challenging all institutions, including the news industry—to keep pace.” 

Even the most respected news organizations in the U.S. including the New York Times, Wall Street Journal and Washington Post as well as major network television news groups have struggled to make profits in the Internet era, which gave rise to enormous competition for advertising revenue. 

One major focus for GNI will be combating the spread of online misinformation, especially during breaking news situations. On the technology front, Google is working on tools that will be capable of better separating content from authoritative sources from that of purveyors of misinformation and inaccurate content. The company is taking a similar approach to content on YouTube and has begun to highlight content from verified sources in a separate ‘Top News’ shelf.

In addition, Google will work directly with newsrooms to identify and combat misinformation, Schindler said. The company has launched a new Disinfo Lab that will work with Harvard University’s First Draft project to combat fake and inaccurate news during elections and major news events.  

Google is also partnering with Stanford University, the Poynter Institute and the Local Media Association in a campaign dubbed MediaWise to improve digital information literacy among youth. 

Google, Facebook and Twitter have come under considerable scrutiny in recent months for allowing their platforms to be used to spread false news stories and political propaganda during the 2016 general elections. Many believe such stories played a significant role in influencing the outcome of the elections. 

As part of its effort to help news organizations sustain and grow their businesses, Google has launched a new Subscribe with Google service that makes it much simpler for users to subscribe to digital news content of their choice.

With it, consumers will be able to use the information in their Google accounts—including credit and debit card data—to subscribe to and pay for publications with a single click. The publisher’s products will then be accessible via the publisher’s site, mobile app and even Google Search. 

Google is also testing a prototype of a ‘Propensity to Subscribe’ technology that will let publishers identify and target potential subscribers better. 

As part of the GNI initiative, Google is working on tools that can help improve newsroom efficiency and enable richer storytelling experiences, Schindler said. As one example, he pointed to how Hearst Newspapers is currently using a Google natural language processing API to sort, label and categorize some 3,000 articles daily.

Another example is a new open-source virtual private network called Outline, developed by Jigsaw, the technology incubator of Google parent Alphabet. Outline will give journalists a more secure way to access Internet content by making it easier for them to set up their own VPN.