Node Day - Node.js Security in the Enterprise

Post on 28-Jan-2015

105 views 0 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

description

Adam Baldwin talks about Node.js security in the enterprise for Node Day 2014 hosted at PayPal

Transcript of Node Day - Node.js Security in the Enterprise

Node.js Security in the Enterprise

Hi, I’m Adam

Node Security Project

@adam_baldwin @liftsecurity @nodesecurity

@evilpacket

Node.js Security in the Enterprise

Enterprise Security in 3 minProtect what makes you money

Availability is security

Measure & Iterate

It's not about the vulnerability

You will screw it up anyway

What this talk is aboutBeing informed & Prepared !The node security landscape !It's all node's fault

Communication

Understand what the enterprise cares about, then do better.

The enterprise should understand you and do better.

Gathering Intel

nodejs-sec announcements

https://groups.google.com/forum/#!forum/nodejs-sec

https://groups.google.com/forum/#!forum/nodejs-sec

Node Security Project

Advisories

Understanding the node.js security landscape

The Enterprise is responsible for what you require()

Technical Controls

Lintingnpm install precommit-hook

Test CasesYou do this right?

npm shrinkwrap

/validate/shrinkwrap

/validate/:module_name/:version

POST

GET

npm shrinkwrap example

curl -X POST https://nodesecurity.io/validate/shrinkwrap -d @npm-shrinkwrap.json -H "content-type: application/json"

retire.js

http://bekk.github.io/retire.js/

Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules.

http://bekk.github.io/retire.js/

What is the greatest vulnerability that you have in the enterprise?

OWASP Top 10?

Is it one of the ....

Every Developer on your team.

Peer Review

Peer Review

Peer Review

Peer Review

Blame Node. It's just how we do things.™

</PRESENTATION>@adam_baldwin | @LiftSecurity

Top related

node - cdn.cs164.netcdn.cs164.net/2014/spring/talks/node-0/node-0.pdf · Node.js Event Loop Event Queue Event Loop Thread Pool filesystem network process other
 Documents
Getting started with - Nikola Brežnjak · 2014-11-27 · Running Node.js Node.js CLI console.log('We're MEAN'); node mean.js NPM (node package manager) – comes with Node.js installation
 Documents
JavaScript goes Enterprise - Node.js-Anwendungen mit Visual Studio und den Node.js-Tools entwickeln
 Software
Node home automation with Node.js and MQTT
 Technology
Node.js - the corejava.ociweb.com/mark/NFJS/NodeCore.pdf · Node.js Event Loop When a Node program starts, it automatically starts an event loop node name.js The currently running
 Documents
Configuration Guide · 2020. 2. 14. · 8.1 Install node.js Package Manager and node.js ... The node-RED application contains an MQTT client that receives sensor data and displays
 Documents
Full stack development with Node and NoSQL - Austin Node.JS Group - October 2016
 Software
Socket.IO Node.js Hello World Chat Application · — node index Igox vi index. js node index. js vi index. html node index 24 index. html 14 index. js . ø2 node modules ø2 package.json
 Documents
Enterprise Node - Code Discoverability
 Technology
Collaboration on Large Displays using Web Technologies · Node.js for Science –Numbers.js –provides substantial math functionality for server-side use –node-lapack –node.js
 Documents
Node.js Einführung · Node.js Einführung | Manuel Hart Seite 14 1. Node.js Grundlagen npm Weitere externe Module können über npm (node package manager) geladen werden. (Artistic
 Documents
c-treeEDGE IoT Database - FairCom€¦ · Node.js REST API Multimodel Design c-treeEDGE consists of a collection of connectors (for use with ThingWorx, Node-RED, MQTT, Node.js, etc.)
 Documents
Building an alarm clock with node - Amazon Web Servicesfelixge.s3.amazonaws.com/11/node.js - alarm clock.pdf · Building an alarm clock with node.js or Hacking vs. Engineering Felix
 Documents
Front-end with Node · 2014/11/15TokyoNodeFest2014 @ahomu Front-end with Node.js for Beginners ← 重要!!
 Documents
Asynchronous programming in Node - MathUniPDtullio/IS-1/2016/Seminari/Async.pdf · What is Node.js? 5. Event-driven Much of the Node.js core API is built around an idiomatic asynchronous
 Documents
node-crate: node.js and big data
 Data & Analytics
A Node.JS Bag of Goodies for Analysing Web Traffictalks.bluesmoon.info/node-modules/node-modules.pdf · A Node.JS Bag of Goodies for Analysing Web Traffic Philip Tellis / philip@lognormal.com
 Documents
Node js - Enterprise Class
 Technology
Node - GOTO ConferenceOct 2017 Jan 2018 ABL Apr 2018 Jul 2018 Oct 2018 Jan 2019 Apr 2019 Jul 2019 Oct 2019 Master Node.js 4 Node.js 6 Node.js 8 Node.js 9 Node.js 10 N E MAINTENANCE
 Documents
HUV - Packt Publishing · Node.js Node.js command prompt Node.js documentation Node.js website Node js Uninstall Node.js Terminal - debian@mapserver: -/013-3.11.1 ... Indonesia Parco
 Documents

Copyright © 2022 FDOCUMENTS