This document discusses securing an enterprise Node.js environment. It recommends using Node LTS versions for stability, containerizing applications for isolation, and securing dependencies by whitelisting modules. It also covers authenticating users with JWT, authorizing access with scopes and roles, validating input data, encrypting sensitive data, and ensuring HTTPS is used everywhere. Securing the runtime is important to protect the company from threats, improve confidence, and meet regulations.
5. BENEFITS
• Protects your company from potential threats
• Improves confidence in code and systems
• Helps you meet legal/organizational regulations
7. NODE LTS VERSIONS
• Official Node.js long term support versions
• Offers a solid foundation to build apps on (no breaking changes)
• Provides a maintenance window in which critical bug fixes and security fixes are the only permitted commits
9. N | SOLID - ENTERPRISE RUNTIME
• Enables deep performance insights (one click flame graphs)
• CLI enabled for easy CI/CD integration and automatic control
• Advanced console for analyzing your entire Node.js infrastructure
• Alerting through threshold monitoring
12. CONTAINERIZATION
• Boxes up your application and all of its dependencies
• Provides a layer of abstraction from the server
• Provides isolation from other applications
• Images can be checked for vulnerabilities
17. WHITELISTING / BLACKLISTING MODULES
• Blacklisting: Allow use of any public module except the ones on the list
• Whitelisting: Allow use of only the public modules on the list
• Great for meeting audit and legal obligations
• Requires a private registry (NPM Enterprise, Sinopia, etc.)
18. NODE SECURITY PROJECT
• Keeps a database of all known node module vulnerabilities
• Offers a CLI tool for easy CI/CD integration
• Maintained by the community and the best Node security experts in the industry (Adam Baldwin)
19. NPM SHRINKWRAP & SHRINKPACK
• Prevent dependency regression (unwanted dependency updates)
• Localize tarballs: no need to call NPM each time you need the module, which also greatly speeds up builds
22. AUTHENTICATION
• Authentication: verify identity of user/client
• Should support JWT header and Basic Auth
• JWT: JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties
25. AUTHORIZATION
• Authorization: verify permission of action by user/client
• Uses "Scopes" to define permissions
• "Roles" define a group of "Scopes"
• "Scopes" are set on endpoints for fine-grained control
26. DATA VALIDATION
• Prevents dirty data from entering your system
• Allows you to define schemas that your documentation engines can read
• Provides in-code documentation of valid endpoint parameters
28. HTTPS ALL THE THINGS
• Encrypts data sent over the internet
• Prevents packet sniffing and man-in-the-middle attacks
• Generally terminated at the CDN layer (AWS Cloudfront, Cloudflare, Fastly, etc.)
• HTTPS internally provides better security but adds latency to requests
29. ENCRYPTING DATA
• You should ALWAYS encrypt sensitive information (passwords, SSNs, credit card numbers, etc.)
• Do some research on encryption best practices
• Make sure your encryption keys are secret
32. JavaScript is replacing Java, Ruby, and .NET as the technology of choice for companies that want to build enterprise software faster, and with fewer resources. Learn about enterprise JavaScript applications at every level of the stack, as well as how to secure, integrate, test, store, monitor, and deploy them.
O'REILLY SOFTWARE ARCHITECTURE CONFERENCE
Architecting For Enterprise in Node.js