Managing Security in

The Node.js Project

With your host

@MylesBorins

oh hai

My Name is Myles

itsa me!

I am gainfully employed by Google as a Developer Advocate

Focusing on the Node.js ecosystem and GCP

Google Cloud Platform

The opinions expressed in this talk are solely my own

A glossary

MITRE

CWE

Common Weakness Enumeration

CVE

Common Vulnerabilities and Exposures

CNA

CVE Numbering Authority

CVSS

Common Vulnerability Scoring System

Zero Day

Embargo

Triage

HackerOne

IBB

Internet Bug Bounty

What kind of vulnerabilities will we discuss today?

What types of threats are there to Node.js Core?

Lifecycle of a Vulnerability in Core

https://nodejs.org/en/security/

https://hackerone.com/nodejs/

CVE-2017-14919

CWE-20 Improper Input Validation

Blog Post

Fix

CVE-2018-7160

CWE-290 Authentication Bypass by Spoofing

CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

Blog Post

CVE-2018-12115

CWE-787 Out-of-bounds Write

Blog Post

E_TOO_MANY_VULNS

What types of threats are there to the Ecosystem and Applications?

nodesecroadmap.fyi

Ecosystem HackerOne

A case study in supply chain attacks

EventStream

Nov 20th, 2018

GitHub Report

How do you protect yourself?

Always use the latest version of a maintained Node.js release line

npm audit

Tools like Greenkeeper or Dependabot

Audit all dependencies

Still allow for velocity via sandboxing

Where do you run your code?

Questions?

Thank You

@MylesBorins