Node Day - Node.js Security in the Enterprise

Adam Baldwin talks about Node.js security in the enterprise for Node Day 2014 hosted at PayPal

  1. Node.js Security in the Enterprise
  2. Hi, I'm Adam
  3. Node Security Project
  4. @adam_baldwin @liftsecurity @nodesecurity @evilpacket
  5. Node.js Security in the Enterprise
  6. Enterprise Security in 3 min: Protect what makes you money. Availability is security. Measure & iterate. It's not about the vulnerability. You will screw it up anyway.
  7. What this talk is about: Being informed & prepared. The node security landscape. It's all node's fault.
  8. Communication
  9. Understand what the enterprise cares about, then do better.
  10. The enterprise should understand you and do better.
  11. Gathering Intel
  12. nodejs-sec announcements: https://groups.google.com/forum/#!forum/nodejs-sec
  13. Node Security Project
  14. Advisories
  15. Understanding the node.js security landscape
  16. The Enterprise is responsible for what you require()
  17. Technical Controls
  18. Linting: npm install precommit-hook
  19. Test Cases: You do this, right?
  20. npm shrinkwrap: POST /validate/shrinkwrap and GET /validate/:module_name/:version
  21. npm shrinkwrap example: curl -X POST https://nodesecurity.io/validate/shrinkwrap -d @npm-shrinkwrap.json -H "content-type: application/json"
  22. retire.js: Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules. http://bekk.github.io/retire.js/
  23. What is the greatest vulnerability that you have in the enterprise?
  24. Is it one of the... OWASP Top 10?
  25. Every Developer on your team.
  26. Peer Review
  27. Peer Review
  28. Peer Review
  29. Peer Review
  30. Blame Node. It's just how we do things.™
  31. </PRESENTATION> @adam_baldwin | @LiftSecurity
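The shrinkwrap validation on slides 20 and 21, as an added example that is not code from the deck or from the Node Security Project: an offline stand-in for the POST /validate/shrinkwrap check that walks an npm-shrinkwrap.json dependency tree and flags every name@version below the patched version in an advisory list. The advisory entries, module names and the shrinkwrap document are constructed for this example.

```javascript
// Added example, not code from the deck or the Node Security Project: an offline
// stand-in for "POST /validate/shrinkwrap". It walks the nested dependency tree of
// an npm-shrinkwrap.json document and reports every name@version that is below
// the patched version in an advisory list. Advisories and input are constructed.

// Constructed advisory data: module name -> versions below `patched` are affected.
const ADVISORIES = {
  'example-mod': [{ patched: '1.2.3', title: 'constructed advisory A' }],
  'other-mod':   [{ patched: '0.5.0', title: 'constructed advisory B' }],
};

// Minimal major.minor.patch comparison: negative when a < b, 0 when equal.
function compareVersions(a, b) {
  const parse = v => v.split('.').map(n => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Depth-first walk; `trail` records how each module was pulled in, so the report
// shows the transitive path (the reason to validate the shrinkwrap, not package.json).
function walkDependencies(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...trail, `${name}@${info.version}`];
    for (const adv of ADVISORIES[name] || []) {
      if (compareVersions(info.version, adv.patched) < 0) {
        hits.push({ module: name, version: info.version,
                    path: here.join(' > '), title: adv.title });
      }
    }
    walkDependencies(info.dependencies, here, hits);
  }
  return hits;
}

function validateShrinkwrap(shrinkwrap) {
  return walkDependencies(shrinkwrap.dependencies, [shrinkwrap.name], []);
}

// Constructed npm-shrinkwrap.json content (nested `dependencies` layout).
const SAMPLE_SHRINKWRAP = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'example-mod': { version: '1.2.3' },            // patched, no finding
    'framework': { version: '2.0.0', dependencies: {
      'other-mod':   { version: '0.4.9' },          // transitive, affected
      'example-mod': { version: '1.1.0' },          // older nested copy, affected
    } },
  },
};
```

Calling validateShrinkwrap(SAMPLE_SHRINKWRAP) returns two findings, both transitive, each with the path that shows which top-level dependency pulled the affected version in.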