Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI to CI/CD pipelines with GitHub Actions, and extend your know-how from secure code and secure dependencies to building secure containers for your Node.js apps on Docker.
2. Liran Tal
@liran_tal
Developer Advocate @Snyk
Node.js Foundation ecosystem security working group
OWASP Project Lead
GitHub Star
Reach out on Twitter and say hi 👋
3. Key Learning Objectives
● Introduction to Open Source Security
● Meet Snyk: Practical Developer-first Security Tooling
● Play the Hacker 🎩
5. Application’s Security Risks
● Open Source Libraries (80-90% of codebase): relying on open source software. What’s your security and compliance strategy?
● Containers: 100s of Linux packages, and their vulnerabilities, inherited with base images.
● App Code (10-20% of codebase)
● IaC: #1 cloud vulnerability is misconfiguration [NSA]
● Deployed daily - a waterfall approach doesn’t scale. Scans can’t take hours.
20. Containers
Big image, many (vulnerable) libraries?

# Unpinned tag (resolves to latest) on the full Debian-based image: hundreds of OS packages come along
FROM node
RUN apt-get update
# Adds ImageMagick and all of its dependencies; the apt lists are never cleaned up afterwards
RUN apt-get install -y imagemagick
# Copies the entire build context (including .git and any local node_modules unless a .dockerignore excludes them)
COPY . /usr/src/goof
WORKDIR /usr/src/goof
# npm install (not npm ci) and no NODE_ENV=production, so devDependencies land in the image too
RUN npm install
# No USER instruction: the app runs as root
CMD ["npm", "start"]
44. Snyk CLI
● Ecosystem-agnostic
● Use it as a linter
● Filters the noise, “take home” with --json
● Tip: can run code and container scans too
● Tip: can scan many ecosystem manifests
● Tip: ad-hoc scan an npm package@version
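What “take home with --json” can look like in practice, as an added example that is not from the slides or from Snyk’s own tooling: a small Node script that collapses the per-dependency-path findings of a `snyk test --json` report into unique issues, gates on a severity threshold, and lists the direct dependency to bump for each. The sample report is constructed for this example; its field names (ok, vulnerabilities[].id/title/severity/packageName/version/from/isUpgradable/isPatchable/upgradePath) follow the shape of real `snyk test --json` output, but the issue IDs and package names are invented placeholders.

```javascript
// Added example (not workshop or Snyk code): triage a `snyk test --json` report.
// SAMPLE_REPORT is constructed; field names follow the shape of real snyk
// output, the IDs and package names are placeholders.
const SAMPLE_REPORT = {
  ok: false,
  vulnerabilities: [
    // snyk reports one entry per dependency path, so the same issue id can
    // appear several times; the first two entries below are one issue.
    {
      id: 'SNYK-JS-EXAMPLEMERGE-0001', title: 'Prototype Pollution', severity: 'high',
      packageName: 'example-merge', version: '1.0.0',
      from: ['goof@1.0.0', 'example-merge@1.0.0'],
      isUpgradable: true, isPatchable: false,
      upgradePath: [false, 'example-merge@1.0.1'],
    },
    {
      id: 'SNYK-JS-EXAMPLEMERGE-0001', title: 'Prototype Pollution', severity: 'high',
      packageName: 'example-merge', version: '1.0.0',
      from: ['goof@1.0.0', 'example-cli@2.0.0', 'example-merge@1.0.0'],
      isUpgradable: true, isPatchable: false,
      upgradePath: [false, 'example-cli@2.1.0', 'example-merge@1.0.1'],
    },
    {
      id: 'SNYK-JS-EXAMPLEPARSE-0002', title: 'Regular Expression Denial of Service', severity: 'medium',
      packageName: 'example-parse', version: '0.3.0',
      from: ['goof@1.0.0', 'example-parse@0.3.0'],
      isUpgradable: false, isPatchable: false, upgradePath: [],
    },
    {
      id: 'SNYK-JS-EXAMPLETEMPL-0003', title: 'Arbitrary Code Execution', severity: 'critical',
      packageName: 'example-templ', version: '4.2.0',
      from: ['goof@1.0.0', 'example-templ@4.2.0'],
      isUpgradable: false, isPatchable: true, upgradePath: [],
    },
  ],
};

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Collapse per-path findings into one record per issue id, keeping every path
// and the direct dependency to bump (the first string in upgradePath; the
// leading `false` is the root project itself).
function summarizeReport(report) {
  const byId = new Map();
  for (const v of report.vulnerabilities || []) {
    let issue = byId.get(v.id);
    if (!issue) {
      issue = {
        id: v.id, title: v.title, severity: v.severity,
        packageName: v.packageName, version: v.version,
        paths: [], directUpgrades: new Set(), upgradable: false, patchable: false,
      };
      byId.set(v.id, issue);
    }
    issue.paths.push(v.from.join(' > '));
    issue.upgradable = issue.upgradable || Boolean(v.isUpgradable);
    issue.patchable = issue.patchable || Boolean(v.isPatchable);
    const direct = (v.upgradePath || []).find((step) => typeof step === 'string');
    if (direct) issue.directUpgrades.add(direct);
  }
  const issues = [...byId.values()]
    .map((i) => ({ ...i, directUpgrades: [...i.directUpgrades] }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const i of issues) counts[i.severity] += 1;
  return { rawFindings: (report.vulnerabilities || []).length, issues, counts };
}

// CI gate: block only at or above the threshold, and split blockers into what
// a version bump or patch handles versus what needs a human decision.
function gate(report, threshold = 'high') {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const { issues } = summarizeReport(report);
  const blocking = issues.filter((i) => SEVERITY_RANK[i.severity] >= SEVERITY_RANK[threshold]);
  const fixable = blocking.filter((i) => i.upgradable || i.patchable);
  const unfixable = blocking.filter((i) => !i.upgradable && !i.patchable);
  return { pass: blocking.length === 0, blocking, fixable, unfixable };
}

// The short "take home": counts, gate verdict, and one action line per blocker.
function formatTakeHome(report, threshold = 'high') {
  const { rawFindings, issues, counts } = summarizeReport(report);
  const result = gate(report, threshold);
  const lines = [
    `${rawFindings} findings collapse to ${issues.length} unique issues ` +
      `(critical ${counts.critical}, high ${counts.high}, medium ${counts.medium}, low ${counts.low})`,
    `gate at "${threshold}": ${result.pass ? 'PASS' : 'FAIL'} (${result.blocking.length} blocking)`,
  ];
  for (const i of result.blocking) {
    const action = i.directUpgrades.length
      ? `upgrade ${i.directUpgrades.join(', ')}`
      : i.patchable ? 'patch available' : 'no fix: review, replace, or ignore with a reason';
    lines.push(`  [${i.severity}] ${i.id} ${i.title} in ${i.packageName}@${i.version}; ${i.paths.length} path(s); ${action}`);
  }
  return lines.join('\n');
}

// Hypothetical loader for a saved report (e.g. `snyk test --json > snyk.json`).
function loadReport(path) {
  return JSON.parse(require('node:fs').readFileSync(path, 'utf8'));
}

const reportArg = process.argv[2];
const report = reportArg && reportArg.endsWith('.json') ? loadReport(reportArg) : SAMPLE_REPORT;
console.log(formatTakeHome(report, 'high'));
```

In a pipeline, run `snyk test --json > snyk.json || true` first (the CLI exits non-zero when it finds anything), then `node triage.js snyk.json` and set the job status from `gate(...).pass`; the unfixable list is the part worth a human’s time, since the fixable entries are just a version bump.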
52. What is a CTF?
Capture the Flag (CTF) is a competition where teams and individuals compete to solve security challenges.
● You win by solving the most challenges the fastest.
CTFs gamify security education, making it fun and hands-on.
● Participants often exploit vulnerabilities in webpages or servers to uncover flags.
55. The Developer Challenge
https://nodeconf.snykchallenge.io/
Supported Languages:
● C#
● Go
● Java
● JavaScript
● PHP
● Python
● Ruby
● TypeScript
Ground Rules:
● Must be on GitHub
● Must be public
● Let’s make a REAL difference