
Stranger Danger (NodeSummit, 2016)



npm packages are awesome, but also introduce risk.
This presentation explains how packages may introduce known vulnerabilities into your application, explains their impact, and most importantly, shows how to protect yourself.

The few slides were complemented by running several vulnerability exploits against the vulnerable demo app Goof from here:

Published in: Technology


  1. Stranger Danger
     Guy Podjarny, Snyk @guypod
  2. About Me
     • Guy Podjarny, @guypod on Twitter
     • CEO & Co-founder at Snyk
     • History:
     • Cyber part of Israel Defense Forces
     • First Web App Firewall, Dynamic/static App Sec Tester
     • Security: Worked in Sanctum -> Watchfire -> IBM
     • Performance: Founded Blaze -> CTO @Akamai
     • O’Reilly author, speaker
  3. npm
  4. npm usage Has Exploded
     >363,000 packages
     >5.5B downloads/month
     >65,000 publishers
  5. JavaScript has Won
  6. A typical Node.js app has 100s or 1,000s of dependencies
     Some direct, most indirect
  7. Your App
  8. Your Code
     Your App
  9. Each Dependency Is A Security Risk
  10. Do You Know Which Dependencies You Have?
  11. Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
  12. Do you know, for EVERY SINGLE DEPENDENCY if it underwent any Security Testing?
  13. Do you know, for EVERY SINGLE DEPENDENCY if it has any Known Vulnerabilities?
  14. Open Source is written by
  15. Open Source is written by People Strangers
  16.
  17.
  18. Do you know, for EVERY SINGLE CONTRIBUTOR if they are Malicious?
  19. Do you know, for EVERY SINGLE CONTRIBUTOR if they’ve been Compromised?
  20. It’s a BIG Problem
      First step: Known Vulnerabilities
  21. ~14% of npm Packages Carry Known Vulnerabilities
      ~76% of Snyk users found vulns in their apps
      Source: Snyk data, June 2016
  22. 1. How do I protect myself?
  23. 1. How do I protect myself?
      2. Can I learn from these vulns?
  24. Live Hacking Begins…
  25. Don’t start hacking sites…
      It’s illegal. And impolite.
  26. JavaScript Takeaways
      • Consider all encodings
      • Notably HTML & URL Encoding
      • Better yet: Whitelist instead of Blacklist
      • Prevent long algorithm runs
      • Control Regexp input lengths
      • Don’t initialize Buffer with integers
      • Beware JSON type manipulations
  27. npm packages takeaway
      • Find vulnerabilities
      • Be sure to test ALL your applications
      • Fix vulnerabilities
      • Upgrade when possible, patch when needed
      • Prevent adding vulnerable module
      • Break the build, test in pull requests
      • Respond quickly to new vulns
      • Track vuln DBs, or use Snyk! </shameless plug>
  28. npm Is Awesome
  29. npm Is Awesome
      Please Enjoy Responsibly
      Questions?
      Guy Podjarny, Snyk @guypod
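
The last two JavaScript takeaways on slide 26 ("Don’t initialize Buffer with integers", "Beware JSON type manipulations") describe one bug class: a JSON field expected to be a string arrives as a number and is used as a buffer length. The sketch below is an added example, not code from the talk or from Goof; the function names, the `text` field, the sample bodies and the 1024-byte limit are assumptions.

```javascript
// Added example: names, the `text` field and sample bodies are constructed.
const MAX_TEXT_BYTES = 1024; // assumed limit for this sketch

// Legacy pattern: hand whatever JSON.parse produced to the Buffer constructor.
// A string is copied, but a number is taken as a LENGTH. Before Node.js 8 that
// buffer held uninitialized memory; it is zero-filled now, yet still sized by
// the client. The deprecated constructor is kept here only to show the bug.
function legacyBuffer(body) {
  const { text } = JSON.parse(body);
  return new Buffer(text);
}

// Hardened form: check the JSON type and size, then use Buffer.from, which
// rejects numbers instead of allocating.
function safeBuffer(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    throw new TypeError('body is not valid JSON');
  }
  const text = parsed !== null && typeof parsed === 'object' ? parsed.text : undefined;
  if (typeof text !== 'string') {
    throw new TypeError('text must be a string');
  }
  if (Buffer.byteLength(text, 'utf8') > MAX_TEXT_BYTES) {
    throw new RangeError('text exceeds ' + MAX_TEXT_BYTES + ' bytes');
  }
  return Buffer.from(text, 'utf8');
}

// Returns the resulting buffer length, or the error name if the call throws.
function outcome(fn, body) {
  try {
    return fn(body).length;
  } catch (err) {
    return err.name;
  }
}

// Constructed request bodies: the expected string, then the same field as a number.
console.log(outcome(legacyBuffer, '{"text":"hi"}'), outcome(legacyBuffer, '{"text":64}'));
console.log(outcome(safeBuffer, '{"text":"hi"}'), outcome(safeBuffer, '{"text":64}'));
```

Current Node.js prints a deprecation warning for the `new Buffer()` call in `legacyBuffer`; that warning is a useful signal when auditing older dependencies for this pattern.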