@darkmsph1t
one size fits me
BUILDING SECURE-BY-DEFAULT NODEJS APPLICATIONS
yolonda smith
AKA: What I did this summer while all the other kids were outside playing
the common refrain
“That’s handled somewhere else [downstream/upstream/some other made up place]”
“Is this really that big of a problem? What’s the likelihood that anyone will ever find this?”
“Where does it say we have to do that?”
the challenge
CAN I FOLLOW MY OWN ADVICE?
rules of engagement
1. Assume limited knowledge or background in security
2. Tech stack used should offer a (relatively) low barrier to entry and yet…
   • be widely used in a production environment I’m familiar with
3. Final application must implement security guidance from a well-known framework (e.g. NIST, OWASP)
key requirements
• build “security” in from the very beginning
• contextualized to the application
• flexible enough to adjust to app changes
• cover all the bases
• provide everything needed to build an application which is ‘secure by default’
INTRODUCING _SPARTAN
what is it?
• node app deployed as an npm cli module
• Delivers policy (security.json) & boilerplate code/middleware for immediate use
• Built-in support:
  • Redis
  • MongoDB
  • Firebase && local authentication
  • Snyk => application dependency vulnerabilities
  • mocha-chai => unit testing
  • Coveralls => test coverage
  • TravisCI-ready
concept of operations
policy areas:
• CACHE
• DATABASE
• SESSIONS
• SECURITY HEADERS
• FORMS
• CONNECTION
• SECRETS
• CLIENT
• ACCESS CONTROL
• CSP
• CACHE
• CORS
• APP DEPENDENCIES
• Shouldn’t need domain expertise to get the basics done
• Security things for other security people
• Security with the application, not around the application
demonstration
YOU CAN PLAY TOO!
You need: node, npm, git (optional), your fave text editor/IDE, a terminal
Set up the project:
    npm init -y
    git init   (optional)
Install _spartan, either globally with npm or into the project with yarn:
    npm install -g spartan-shield
    yarn add spartan-shield
Then see what it can do:
    $ _spartan -h
practical example
NEUTRALIZING DIGITAL SKIMMERS WITH _SPARTAN
what are the options?
1. JSONP…please, God, no…
2. Regenerate js for every page load
   • Shorten cache period
3. Minimize the amount of 3P (third-party) javascript running on sensitive pages
4. Limit the context where 3P javascript can run (e.g. sandbox) and what permissions it has (CORS)
5. Track changes in javascript that we do allow
   • Make sure we know when failures occur
what did we get done?
• CACHE
• SESSIONS
• SECURITY HEADERS
• FORMS
• CONNECTION
• SECRETS
• CLIENT
• ACCESS CONTROL
• CSP
• CACHE
• CORS
• APP DEPENDENCIES
• DATABASE
what i learned
what’s next?
1. (More) testing, refactor & documentation
2. Desktop (Electron) app && REST API
3. Introduction of audit through RBAC
   • Track policy changes
   • Very basic fuzzing & code-audit
4. Port boilerplate to other languages
   • GO, Spring, Ruby top priorities
unsolicited advice
1. DO know what you have, understand its value and watch it
   a. This includes infrastructure
2. DON’T rely on the pen-test to catch all of the security issues
3. DO devote at least one sprint/epic on secure design & code review
4. DO make sure that you have a means of detecting attempts to circumvent your controls
questions

one size fits me
BUILDING SECURE-BY-DEFAULT NODEJS APPLICATIONS
@darkmsph1t darkmsph1t.github.io darkmsph1t@gmail.com
resources & references
• All things skimmer:
  • https://otx.alienvault.com/pulse/5ba3c739f1b1ed67ed7764c1
  • https://gwillem.gitlab.io/tag/skimming/
  • https://gwillem.gitlab.io/2018/09/18/abs-cbn.com-hacked/
