Managing Security in

The Node.js Project

With your host

@MylesBorins

oh hai

My Name is Myles

I am gainfully employed by Google as a Developer Advocate

Focusing on the Node.js ecosystem and GCP

The opinions expressed in this talk are solely my own

A glossary

Mitre

CWE

Common Weakness Enumeration

CVE

Common Vulnerabilities and Exposures

CNA

CVE Numbering Authority

CVSS

Common Vulnerability Scoring System

Zero Day

Embargo

Triage

HackerOne

What kind of vulnerabilities will we discuss today?

• Vulnerabilities to the core Node.js platform
• Vulnnerabilities in the Node.js Ecosystem
• Vulnerabiltiies in Node.js Applications

What types of threats are there to Node.js Core?

• Buffer Overflow
• Denial of Service
• Data Exfiltration
• Remote Code Execution
• Hostname Spoofing
• Vulnerabilities in Dependencies

LifeCycle of a Vulnerability in Core

• Researcher Reports Bug
• Triaged in HackerOne
• Communicated and Confirmed
• Solution Identified
• Security Release Made
• Vulnerability Disclosed

https://nodejs.org/en/security/

https://hackerone.com/nodejs/

CVE-2017-14919

CWE-20 Improper input validation

Blog Post

Fix

CVE-2018-7160

CWE-290 Authentication Bypass by Spoofing

CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

Blog Post

CVE-2018-12115

CWE-787 Out-of-bounds Write

Blog Post

E_TOO_MANY_VULNS

What types of threats are there to the Ecosystem and Applications?

• Everything from before
• Supply Chain Attacks
• Weak Crypto
• Poor Developer Experience
• Malicious 3rd party code
• Query Injection

nodesecroadmap.fyi

Ecosystem HackerOne

A case study in supply chain attacks

EventStream

Nov 20th, 2018

Github Report

How do you protect yourself?

Always use the latest version of a maintained Node.js release line

npm audit

Tools like Greenkeeper or Dependabot

Audit all dependencies

Still allow for velocity via sandboxing

Where do you run your code?

Questions?

Thank You

@MylesBorins