Node Day - Node.js Security in the Enterprise
Node.js Security in the Enterprise
Hi, I’m Adam
Node Security Project
@adam_baldwin @liftsecurity @nodesecurity
@evilpacket
Node.js Security in the Enterprise
Enterprise Security in 3 min
Protect what makes you money
Availability is security
Measure & Iterate
It's not about the vulnerability
You will screw it up anyway
What this talk is about
Being informed & prepared
The node security landscape
It's all node's fault
Communication
Understand what the enterprise cares about, then do better.
The enterprise should understand you and do better.
Gathering Intel
nodejs-sec announcements
https://groups.google.com/forum/#!forum/nodejs-sec
Node Security Project
Advisories
Understanding the node.js security landscape
The Enterprise is responsible for what you require()
Technical Controls
Linting
npm install precommit-hook
Test Cases
You do this, right?
npm shrinkwrap
POST /validate/shrinkwrap
GET /validate/:module_name/:version
npm shrinkwrap example
curl -X POST https://nodesecurity.io/validate/shrinkwrap -d @npm-shrinkwrap.json -H "content-type: application/json"
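Added example, not from the talk: a local stand-in for what the validate endpoint does with a posted npm-shrinkwrap.json, flattening the nested dependency tree so a vulnerable module pulled in transitively is reported with the path that required it. The shrinkwrap content, module names and advisory entries are constructed, and the advisory format is simplified to a single "fixed_in" version rather than the semver ranges real advisories use.

```javascript
// Added example (not from the talk): flatten an npm-shrinkwrap.json tree into
// (module, version, dependency path) records and check each against a small,
// constructed advisory list. This mimics locally what POST /validate/shrinkwrap
// did server-side; the advisory format (one "fixed_in" version) is simplified
// and is not the real advisory format.

// Constructed sample shrinkwrap: the outdated query-parser is only reachable
// transitively, which is the case a top-level package.json review misses.
const shrinkwrap = {
  name: "enterprise-app",
  version: "1.0.0",
  dependencies: {
    "web-framework": {
      version: "3.4.0",
      dependencies: {
        middleware: { version: "2.11.0", dependencies: { "query-parser": { version: "0.6.5" } } }
      }
    },
    "util-lib": { version: "2.4.1" }
  }
};

// Constructed advisories with placeholder module names and versions.
const advisories = [
  { module_name: "query-parser", fixed_in: "1.0.0", title: "placeholder: event loop blocking" },
  { module_name: "other-lib", fixed_in: "6.1.0", title: "placeholder" }
];

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk the shrinkwrap tree, recording how each module was reached.
function flatten(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    out.push({ name, version: dep.version, path: here.join(" > ") });
    flatten(dep, here, out);
  }
  return out;
}

// Return every installed module whose version predates an advisory's fix.
function validateShrinkwrap(sw, advs) {
  return flatten(sw).filter(d =>
    advs.some(a => a.module_name === d.name && compareVersions(d.version, a.fixed_in) < 0)
  );
}

console.log(validateShrinkwrap(shrinkwrap, advisories));
```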
retire.js
http://bekk.github.io/retire.js/
Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules.
What is the greatest vulnerability that you have in the enterprise?
OWASP Top 10?
Is it one of the ....
Every Developer on your team.
Peer Review
Peer Review
Peer Review
Peer Review
Blame Node. It's just how we do things.™
</PRESENTATION>
@adam_baldwin | @LiftSecurity