node day - node.js security in the enterprise
DESCRIPTION
Adam Baldwin talks about Node.js security in the enterprise for Node Day 2014 hosted at PayPalTRANSCRIPT
Node.js Security in the Enterprise
Hi, I’m Adam
Node Security Project
@adam_baldwin @liftsecurity @nodesecurity
@evilpacket
Node.js Security in the Enterprise
Enterprise Security in 3 minProtect what makes you money
Availability is security
Measure & Iterate
It's not about the vulnerability
You will screw it up anyway
What this talk is aboutBeing informed & Prepared !The node security landscape !It's all node's fault
Communication
Understand what the enterprise cares about, then do better.
The enterprise should understand you and do better.
Gathering Intel
nodejs-sec announcements
https://groups.google.com/forum/#!forum/nodejs-sec
Node Security Project
Advisories
Understanding the node.js security landscape
The Enterprise is responsible for what you require()
Technical Controls
Lintingnpm install precommit-hook
Test CasesYou do this right?
npm shrinkwrap
/validate/shrinkwrap
/validate/:module_name/:version
POST
GET
npm shrinkwrap example
curl -X POST https://nodesecurity.io/validate/shrinkwrap -d @npm-shrinkwrap.json -H "content-type: application/json"
retire.js
http://bekk.github.io/retire.js/
Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules.
What is the greatest vulnerability that you have in the enterprise?
OWASP Top 10?
Is it one of the ....
Every Developer on your team.
Peer Review
Peer Review
Peer Review
Peer Review
Blame Node. It's just how we do things.™
</PRESENTATION>@adam_baldwin | @LiftSecurity