This document discusses securing an enterprise Node.js environment. It recommends using Node LTS versions for stability, containerizing applications for isolation, and securing dependencies by whitelisting modules. It also covers authenticating users with JWT, authorizing access with scopes and roles, validating input data, encrypting sensitive data, and ensuring HTTPS is used everywhere. Securing the runtime is important to protect the company from threats, improve confidence, and meet regulations.

1. ENTERPRISE NODE
SECURING YOUR ENVIRONMENT

2. ABOUT ME
Tech Lead @ MLS
Medium: @kurtiskemple
Twitter: @kurtiskemple
GitHub: @kkemple

3. REPO FOR THIS WEBINAR
KKEMPLE/AWESOME-ENTERPRISE-WEB-SERVICE

4. WHY IS SECURING YOUR
ENVIRONMENT IMPORTANT?

5. BENEFITS
• Protects your company from potential threats
• Improves confidence in code and systems
• Helps you meet legal/organizational regulations

6. SECURING YOUR RUNTIME

7. NODE LTS VERSIONS
• Official Node.js long term support versions
• Offers a solid foundation to build apps on (No breaking changes)
• Provides a maintenance window where critical bug fixes and security fixes
are only permitted commits

9. N | SOLID - ENTERPRISE RUNTIME
• Enables deep performance insights (one click flame graphs)
• CLI enabled for easy CI/CD integration and automatic control
• Advanced console for analyzing your entire Node.js infrastructure
• Alerting through threshold monitoring

10. N | SOLID OVERVIEW

11. N | SOLID PERFORMANCE FLAME GRAPH

12. CONTAINERIZATION
• Boxes up your application and all it’s dependencies
• Provides layer of abstraction from server
• Provides isolation from other applications
• Images can be checked for vulnerabilities

13. QUAY.IO

14. COREOS/CLAIR

15. AQUA PEEKR

16. SECURING YOUR DEPENDENCIES

17. WHITELISTING / BLACKLISTING MODULES
• Blacklisting: Allow use of any public module except the ones on the list
• Whitelisting: Allow use of only the public modules on the list
• Great for meeting audit and legal obligations
• Requires a private registry (NPM Enterprise, Sinopia, etc)

18. NODE SECURITY PROJECT
• Keeps a database of all known node module vulnerabilities
• Offers a CLI tool for easy CI/CD integration
• Maintained by the community and the best Node security experts
in the industry (Adam Baldwin)

19. NPM SHRINKWRAP & SHRINKPACK
• Prevent dependency regression (unwanted dependency updates)
• Localize tarballs, no need to call to NPM each time you need the
module, this greatly speeds up builds as well

20. SHRINKPACK

21. SECURING YOUR APPLICATIONS

22. AUTHENTICATION
• Authentication: verify identity of user/client
• Should support JWT header and Basic Auth
• JWT: JSON Web Tokens are an open, industry standard RFC 7519
method for representing claims securely between two parties

23. JWT.IO

24. AUTH.IO/BLOG

25. AUTHORIZATION
• Authorization: verify permission of action by user/client
• Uses “Scopes” to define permissions
• “Roles” define a group of “Scopes”
• “Scopes” are set on endpoints for fine-grained control

26. DATA VALIDATION
• Prevents dirty data from entering your system
• Allows you to define schemas that your documentation engines can
read
• Provides in code documentation on valid endpoint parameters

27. SWAGGER DOCS FROM JOI SCHEMAS

28. HTTPS ALL THE THINGS
• Encrypts data sent over the internet
• Prevents packet sniffing and man in the middle attacks
• Generally terminated at CDN layer (AWS Cloudfront, Cloudflare, Fastly, etc)
• HTTPS internally provides better security but adds latency to requests

29. ENCRYPTING DATA
• You should ALWAYS encrypt sensitive information (passwords,
SSNs, credit card numbers, etc)
• Do some research on encryption best practices
• Make sure your encryption keys are secret

30. Q&A

31. • Enterprise Node.js - Code Quality
https://www.crowdcast.io/e/enterprise-node-1
• Enterprise Node.js - Code Discovery
https://www.crowdcast.io/e/enterprise-node-2
• Enterprise Node.js - Securing Your Environment
https://www.crowdcast.io/e/enterprise-node-3
• Enterprise Node.js - Deploying with Docker
https://www.crowdcast.io/e/enterprise-node-4
31
ENTERPRISE NODE.JS

32. JavaScript is replacing Java, Ruby, and .NET as the technology of choice for
companies that want to build enterprise software faster, and with fewer
resources. Learn about enterprise JavaScript applications at every level of the
stack. As well as how to secure, integrate, test, store, monitor, and deploy
them.
O’REILLY SOFTWARE ARCHITECTURE
CONFERENCE
Architecting For Enterprise in Node.js