NodeDay 2014: Security
Akbar S. Ahmed | Apr 1, 2014

What you don't know can hurt you

What you don’t know can make life hard for you. Adam talks about security in large deployments of NodeJS.

Speaker

  • Name: Adam Baldwin
  • Title: Chief Security Officer
  • Company: &yet
  • Twitter: @adam_baldwin

Adam is a co-founder of Lift Security and is Chief Security Officer at &yet. &yet performs security audits for Node.

Enterprise security

  • Protect what makes money. Rule #1.
  • Availability is security
  • Measure and iterate
  • It’s not about the vulnerability - how you handle it matters
  • You will screw up again, so ask in advance what information you will need in order to handle the situation (logging, etc.)

Communication

  • Understand what the enterprise cares about, then do better.
  • Compliance is important (legal requirements)
  • Enterprises need to understand developers better and need to provide the right tools for security
  • Developers need to care about security

Gathering Intel

The Node Security Landscape

  • npm - the enterprise is responsible for what developers require()
  • What is your company’s process for vetting modules? Yahoo has a process as does Wal-mart
  • Don’t put punctuation in module names! Developers often get the punctuation wrong: for example, npm install socket.io is frequently typed as npm install socketio. That makes it easy for someone to publish a malware package named socketio that a large number of developers would rapidly install.

Technical Controls

  • Linting - automate linting as part of the development process (e.g. via a file watcher or a pre-commit hook)
  • Write test cases, including test cases for security
  • npm shrinkwrap
  • Add peer review to your process
  • Use retire.js to scan your web app or Node app for use of vulnerable JS libraries and/or Node modules
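The punctuation problem from the "Node Security Landscape" notes above can be turned into one of the technical controls listed here: a pre-commit check that flags any dependency in package.json whose name collapses, once punctuation is removed, onto a package you have already vetted. This is an added example, not code from the talk; the vetted list and the sample package.json are constructed for illustration.

```javascript
// Added example (not from the talk): detect look-alike dependency names such as
// "socketio" standing in for the vetted "socket.io". The vetted list and the
// sample package.json below are constructed for illustration.

// Normalise a package name by dropping the punctuation developers routinely
// mistype or omit (".", "-", "_") and lower-casing the rest.
function normalizeName(name) {
  return name.toLowerCase().replace(/[.\-_]/g, '');
}

// Return one { dependency, lookalikeOf } entry for every dependency (runtime
// or dev) that normalises to the same form as a vetted package without being
// that exact package. An empty array means nothing suspicious was found.
function findLookalikes(pkg, vettedNames) {
  const vetted = new Map(); // normalised form -> canonical vetted name
  for (const v of vettedNames) vetted.set(normalizeName(v), v);

  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const findings = [];
  for (const dep of Object.keys(deps)) {
    const canonical = vetted.get(normalizeName(dep));
    if (canonical !== undefined && canonical !== dep) {
      findings.push({ dependency: dep, lookalikeOf: canonical });
    }
  }
  return findings;
}

// Constructed sample input: a company's vetted list and a package.json in
// which two names have lost their punctuation.
const VETTED = ['socket.io', 'node-uuid', 'lodash'];
const SAMPLE_PACKAGE_JSON = {
  dependencies: { socketio: '^1.0.0', lodash: '^2.4.1' },
  devDependencies: { nodeuuid: '^1.4.0', mocha: '^1.18.0' },
};

// In a pre-commit hook, a non-empty result is a reason to reject the commit.
for (const f of findLookalikes(SAMPLE_PACKAGE_JSON, VETTED)) {
  console.log(`${f.dependency} looks like a mistyped ${f.lookalikeOf}`);
}
```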

What’s the greatest vulnerability in the enterprise?

What is the greatest vulnerability? An item on the OWASP Top 10? No: developers.

Developers are the greatest threat to security. The solution is developer education.

Peer Review

Peer reviews have a large positive effect on code quality. Code reviews should be a standard part of your process.

Misc

The Node/JS community should copy best practices for security from other languages / communities.
