Node.js Security in the Enterprise

Hi, I’m Adam

Node Security Project

@adam_baldwin @liftsecurity @nodesecurity

@evilpacket

Node.js Security in the Enterprise

Enterprise Security in 3 minProtect what makes you money

Availability is security

Measure & Iterate

It's not about the vulnerability

You will screw it up anyway

What this talk is aboutBeing informed & Prepared !The node security landscape !It's all node's fault

Communication

Understand what the enterprise cares about, then do better.

The enterprise should understand you and do better.

Gathering Intel

nodejs-sec announcements

https://groups.google.com/forum/#!forum/nodejs-sec

Node Security Project

Advisories

Understanding the node.js security landscape

The Enterprise is responsible for what you require()

Technical Controls

Lintingnpm install precommit-hook

Test CasesYou do this right?

npm shrinkwrap

/validate/shrinkwrap

/validate/:module_name/:version

POST

GET

npm shrinkwrap example

curl -X POST https://nodesecurity.io/validate/shrinkwrap -d @npm-shrinkwrap.json -H "content-type: application/json"

retire.js

http://bekk.github.io/retire.js/

Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules.

What is the greatest vulnerability that you have in the enterprise?

OWASP Top 10?

Is it one of the ....

Every Developer on your team.

Peer Review

Peer Review

Peer Review

Peer Review

Blame Node. It's just how we do things.™

</PRESENTATION>@adam_baldwin | @LiftSecurity