Managing Security in
The Node.js Project
With your host
My Name is Myles
I am gainfully employed by Google as a Developer Advocate
Focusing on the Node.js ecosystem and GCP
The opinions expressed in this talk are solely my own
Common Weakness Enumeration
Common Vulnerabilities and Exposures
Common Vulnerability Scoring System
Internet Bug Bounty
What kind of vulnerabilities will we discuss today?
- Vulnerabilities to the core Node.js platform
- Vulnerabilities in the Node.js Ecosystem
- Vulnerabilities in Node.js Applications
What types of threats are there to Node.js Core?
- Buffer Overflow
- Denial of Service
- Data Exfiltration
- Remote Code Execution
- Hostname Spoofing
- Vulnerabilities in Dependencies
Lifecycle of a Vulnerability in Core
- Researcher Reports Bug
- Triaged in HackerOne
- Communicated and Confirmed
- Solution Identified
- Security Release Made
- Vulnerability Disclosed
What types of threats are there to the Ecosystem and Applications?
- Everything from before
- Supply Chain Attacks
- Weak Crypto
- Poor Developer Experience
- Malicious third-party code
- Query Injection
A case study in supply chain attacks
How do you protect yourself?
Always use the latest version of a maintained Node.js release line
Tools like Greenkeeper or Dependabot
Still allow for velocity via sandboxing
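As an added illustration of the first piece of advice above (stay on the latest version of a maintained release line), here is a small Node.js script that is not part of the talk: it takes a release schedule shaped like the nodejs/Release `schedule.json` file (a map from `vNN` to `start`/`lts`/`maintenance`/`end` dates) and reports whether a given Node.js version sits on a line that is still Current, Active LTS or in Maintenance, and if not, which LTS line to move to. The schedule embedded below is constructed sample data with made-up future version numbers, and the function names (`lineStatus`, `recommendation`) are this example's own; it checks the release line only, not whether the patch level is the newest on that line.

```javascript
// Added example, not code from the talk. Classifies a Node.js version against a
// release schedule in the shape of nodejs/Release schedule.json.
// SAMPLE_SCHEDULE is CONSTRUCTED sample data: fictional lines and dates.
const SAMPLE_SCHEDULE = {
  v38: { start: "2028-04-18", lts: "2028-10-24", maintenance: "2029-10-16", end: "2031-04-30" },
  v40: { start: "2030-04-20", lts: "2030-10-27", maintenance: "2031-10-20", end: "2033-04-30" },
  v41: { start: "2030-10-20", maintenance: "2031-04-01", end: "2031-06-01" }, // odd line: no LTS
  v42: { start: "2031-04-21", lts: "2031-10-28", maintenance: "2032-10-19", end: "2034-04-30" },
};

// Accepts "v42.1.0", "42.1.0" or "v42" and returns the major number.
function parseMajor(version) {
  const m = /^v?(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return Number(m[1]);
}

// Phase of the release line that `version` belongs to, as of `today` (ISO date).
// Phases follow the Node.js model: Current -> Active LTS -> Maintenance -> End-of-Life.
function lineStatus(schedule, version, today) {
  const major = parseMajor(version);
  const entry = schedule[`v${major}`];
  if (!entry) return { major, status: "unknown" }; // not in the schedule at all
  const t = new Date(today);
  const d = (s) => new Date(s);
  if (t < d(entry.start)) return { major, status: "unreleased" };
  if (t >= d(entry.end)) return { major, status: "end-of-life" };
  if (entry.maintenance && t >= d(entry.maintenance)) return { major, status: "maintenance" };
  if (entry.lts && t >= d(entry.lts)) return { major, status: "active-lts" };
  return { major, status: "current" };
}

// Full verdict: is this line still receiving fixes, which lines are supported
// today, and (if the line is dead or unknown) which LTS line to upgrade to.
function recommendation(schedule, version, today) {
  const s = lineStatus(schedule, version, today);
  const live = new Set(["current", "active-lts", "maintenance"]);
  const supported = Object.keys(schedule)
    .map((k) => Number(k.slice(1)))
    .filter((m) => live.has(lineStatus(schedule, `v${m}`, today).status))
    .sort((a, b) => b - a); // newest first
  const t = new Date(today);
  // Newest supported line whose LTS phase has already begun.
  const newestLts = supported.find((m) => {
    const e = schedule[`v${m}`];
    return e.lts && t >= new Date(e.lts);
  });
  const ok = live.has(s.status);
  return { ...s, supported, ok, upgradeTo: ok ? undefined : newestLts };
}

// Stand-alone usage: check the running process against the sample schedule.
// With a real deployment you would load the current schedule.json instead.
const verdict = recommendation(SAMPLE_SCHEDULE, "v38.3.0", "2031-12-01");
console.log(JSON.stringify(verdict));
```

The idea is to run such a check in CI alongside the dependency-update tooling the talk mentions, so that an end-of-life runtime fails the build just as an outdated dependency would.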
Where do you run your code?
Thank You
@MylesBorins