Vitess Security Audit

Adrianna Tan posted this on March 15, 2019

PlanetScale was founded a year ago by the co-founders and maintainers of the open source Vitess project. After many years of working with companies that want to run Vitess, we saw the need for a multi-cloud Database-as-a-Service built on Vitess. We also provide professional services and support to companies that want to migrate to Vitess and run production traffic on it.

Security is a top priority for anyone running a database in production. Open source projects that have never been independently tested can give operators pause before deploying them in production environments. That is why we are pleased to share the results of an independent security assessment of Vitess, carried out by Cure53 in February 2019 and funded by CNCF / The Linux Foundation.

Here are some highlights from the Cure53 report.

“In Cure53’s view, there is a clear intention and follow-through on providing a secure system for scaling MySQL databases. This was achieved by keeping the attack surface minimal and selecting the language suited for this implementation. The auditors managed to reach wide-spanning coverage of all aspects pertinent to the main repository of the Vitess software system. The most likely avenues for exploitation were chosen and verified for resilience.”

“The results of this Cure53 assessment funded by CNCF / The Linux Foundation certify that the Vitess database scaler is secure and robust. This very good outcome is achieved by limiting the attack surface, taking appropriate care of user-supplied input with security-driven best practices, as well as - to a certain extent - the usage of the Go language ecosystem.”

“While the results of this assessment are few and far between and may suggest some kind of test limitations, they in fact prove that the Vitess team delivers on the security promises they make.”

We believe Vitess is the right choice for companies that want to scale MySQL in the cloud, especially on Kubernetes.

If you have any questions about using Vitess, PlanetScale is happy to help.

Click through to the Vitess blog post to read more about the security audit, and download the results.
