Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add blog post for the security audit results #4850

Merged
merged 4 commits into from
Jul 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions content/en/blog/2024/security-audit-results.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: OpenTelemetry Security Audit Published
linkTitle: Security Audit Results
date: 2024-07-22
author: '[Austin Parker](https://github.com/austinlparker)'
issue:
sig: GC
---

Thousands of organizations and millions of users around the world rely on
[OpenTelemetry](/) as part of their observability toolkit. To this end, it is
our responsibility as a project to ensure our code is safe, secure, and
performant. In conjunction with [OSTIF](https://ostif.org/) and
[7ASecurity](https://7asecurity.com/), and the support of the
[Cloud Native Computing Foundation](https://www.cncf.io/), we recently engaged
upon a security audit of the OpenTelemetry Collector and four SDKs – Go, Java,
C#, and Python.

We are pleased to announce the publication of this audit, as well as its
results. Two CVEs were identified and remediated prior to the publication of
this audit (see
[CVE-2024-36129](https://nvd.nist.gov/vuln/detail/CVE-2024-36129) for
information on both) in the OpenTelemetry Collector, and five hardening
recommendations were made. Overall, the results of the audit are very positive,
with the auditors noting the high quality of source code and the security best
practices that the project is following.

The conclusion of this audit marks an important milestone on our journey towards
the next stage of maturity in the CNCF, graduation. We’ll have more to share on
that in the coming months. The OpenTelemetry Governance Committee and Security
SIG would also like to personally commend the contributors and maintainers of
OpenTelemetry for their high-quality work over the years.

Finally, we would like to thank the following individuals and groups:

- SIG Security
- SIG Collector
- 7ASecurity
- OSTIF

You can read more about the audit on the
[OSTIF](https://www.ostif.org/otel-audit-complete/) and 7A Security blogs, or
read the
[full report](https://7asecurity.com/reports/pentest-report-opentelemetry.pdf).
8 changes: 8 additions & 0 deletions static/refcache.json
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,10 @@
"StatusCode": 206,
"LastSeen": "2024-06-04T17:29:49.77219755+02:00"
},
"https://7asecurity.com/reports/pentest-report-opentelemetry.pdf": {
"StatusCode": 206,
"LastSeen": "2024-07-22T14:20:49.972502516Z"
},
"https://access.redhat.com/products/ansible-tower-red-hat": {
"StatusCode": 200,
"LastSeen": "2024-01-18T08:05:55.59597-05:00"
Expand Down Expand Up @@ -9727,6 +9731,10 @@
"StatusCode": 200,
"LastSeen": "2024-01-18T19:55:46.046387-05:00"
},
"https://www.ostif.org/otel-audit-complete/": {
"StatusCode": 200,
"LastSeen": "2024-07-22T14:20:47.739450411Z"
},
"https://www.otelbin.io/": {
"StatusCode": 200,
"LastSeen": "2024-01-30T16:14:44.039011-05:00"
Expand Down