1. @darkmsph1t
one size fits me
BUILDING SECURE-BY-DEFAULT NODEJS
APPLICATIONS
yolonda smith
AKA: What I did this summer while all the other kids were outside playing
2. @darkmsph1t
the common refrain
“That’s handled somewhere else [downstream/upstream/some other made up place]”
“Is this really that big of a problem? What’s the likelihood that anyone will ever find this?”
“Where does it say we have to do that?”
5. @darkmsph1t
rules of engagement
1. Assume limited knowledge of, or background in, security
2. The tech stack used should offer a (relatively) low barrier to entry and yet…
• Be widely used in a production environment I’m familiar with
3. The final application must implement security guidance from a well-known framework (e.g. NIST, OWASP)
6. @darkmsph1t
key requirements
build “security” in from the very beginning
contextualized to the application
flexible enough to adjust to app changes
cover all the bases
provide everything needed to build an application which is ‘secure by default’
11. @darkmsph1t
• Shouldn’t need domain expertise to get the basics done
• Security things for other security people
• Security with the application, not around the application
12. @darkmsph1t
demonstration
YOU CAN PLAY TOO!
node, npm, git*, your fave text editor/IDE, terminal
18. @darkmsph1t
what are the options?
1. JSONP…please, God, no…
2. Regenerate js for every page load
• Shorten cache period
3. Minimize the amount of 3P javascript running on sensitive pages
4. Limit the context where 3P javascript can run (e.g. sandbox) and what permissions it has (CORS)
5. Track changes in javascript that we do allow
• Make sure we know when failures occur
19. @darkmsph1t
what did we get done?
CACHE
SESSIONS
SECURITY HEADERS
FORMS
CONNECTION
SECRETS
CLIENT
ACCESS CONTROL
CSP
CACHE
CORS
APP DEPENDENCIES
DATABASE
21. @darkmsph1t
what’s next?
1. (More) testing, refactor & documentation
2. Desktop (Electron) app && REST API
3. Introduction of audit through RBAC
• Track policy changes
• Very basic fuzzing & code-audit
4. Port boilerplate to other languages
• GO, Spring, Ruby top priorities
22. @darkmsph1t
unsolicited advice
1. DO know what you have, understand its value and watch it
a. This includes infrastructure
2. DON’T rely on the pen-test to catch all of the security issues
3. DO devote at least one sprint/epic to secure design & code review
4. DO make sure that you have a means of detecting attempts to circumvent your controls