SlideShare a Scribd company logo

Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk

PROIDEA
PROIDEA

After few years of node.js in operation we know it's very fast. We all heard stories about backend services running with the help of node.js and V8 core. But what we have learned about the security of such applications? What are the major threats here? I'll explain how to create node.js apps in a secure and reliable way. Also - I'll show how those could be scaled easily with (or without) help of Linux containers (Docker based) or jail - systems like Selinux Sandbox or libvirt sandbox. Maciej Lasyk - I've been working in IT Operations for the last 14 years. I've seen how infrastructures raised and failed, how great minds worked on scalability and kept the high pace of their platforms. I've been scaling and securing webapps since many years; within Ganymede company, now with Lumesse and Fedora Project. I'm Open Source contributor, enthusiast and evangelist. I also support security projects like OWASP. You can catch me on Twitter @docent_net and also see my work in github @docent-net and my personal blog.

Presentations & Public Speaking
1 of 73
Download to read offline
Maciej Lasyk AtmosphereConf 2014 Warsaw, 2014-05-19 scaling & securing node.js apps
$ whoami Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - not only sysadmin ;) - 14+ years of exp software dev / sysop - ops lead - contributing to Fedora Project (and couple more)
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
So what do you think about JS? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
So what do you think about JS? - JS is for children! - JS is slow! - JS is not scalable! - JS is insecure! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js: history - 2008: Google V8 release - 2009: Ryan Dahl & node.js - 2011: node.js release - later on – Joyent till today - and ^liftsecurity / nodesecurity.io Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 (http://www.phloxblog.in)
node.js: developing ur code Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 raw node.js coding srsly? (core modules only)
node.js: developing ur code maybe some frameworks? - webserver: express - client-server sync: backbone.js - push: socket.io - templates: swig - i18n: babelfish - client – side: jquery - or... - kraken.js does the all (almost) Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js: developing ur code Biggest win here? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js: developing ur code Biggest win here? One Language to Rule them all! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 eval() like fncs takes string argument and evalute those as source code
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 eval() like fncs takes string argument and evalute those as source code srsly – who does that?
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 not only evals: setInterval(code,2) setTimeout(code,2) str = new Function(code) Content-Security-Policy knows about those but we're talking about server side...
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Global nameSpace Pollution - node.js is single threaded - all variable values are common - one could thrtically change bhv of others reqs - watch out for globals then!
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var auth = false; app.get('/auth', function(req, res) { if(legit) { auth = true; res.send("success"); }); app.get('/payments-db', function(req, res) { if (auth) res.send("legit to see all payments data"); else res.send("not logged in"); }) app.listen(8080);
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 So now imagine.. global namespace pollution + evals & co
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 So now imagine.. global namespace pollution + evals & co
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 object properties: - writable: RO/RW - enumerable: no loops enumeration - configurable: deletion prohibited - all default set to True so watch out
security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var obj = {}; obj.prop = "LOL"; // OR: Object.defineProperty(obj, "prop", { writable: true, enumerable: true, configurable: true, value: "LOL" })
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 strict mode: - let's throw all errors! - declare variables! - global namespaces help
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; function do_smt() { do_smt.caller; // no way :) do_smt.arguments; // no way :) }
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; eval("var smt = 123"); console.log(smt); // sorry – ReferenceError
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; eval("var smt = 123"); console.log(smt); // sorry – ReferenceError But watch out: "use strict"; var smt = 0; eval("smt = 123"); console.log(smt); // outputs “123” properly
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 strict mode: - evals & co are not that insecure now - no access to caller and args props - enable globally or for some scope - what about strict mode in 3rd party mods?
security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Static code analysis - If not doing it already – just do - Commit hooks in (D)VCSes (or CI/CD) - JSHint (node-jshint) / JSLint (nodelint) - Create policy for static code analysis - Update & check this policy regularly
node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – ? hits - http://osvdb.org – ? hits - http://1337day.com, http://www.exploitdb.com – ? hit - http://nodesecurity.io/advisories – ? hits
node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits
node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits Such security big?
node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits Such security big? not exactly
node.js – what's wrong than? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 node.js security is a blank page http://www.slideshare.net/ASF-WS/asfws-2012-nodejs-security-old-vulnerabilities-in-new-dresses-par-sven-vetsch
node.js – exceptions / callbacks Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 callbacks Error object – remember to handle those var fs = require("fs"); fs.readFile("/some/file", "utf8", function (err, contents) { // err will be null if no error occured // ... otherwise there will be info about error }); forget about handling and die debugging
node.js – eventemitter Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 EventEmitter: emitting events 4 async actions var http = require("http"); http.get("http://nodejs.org/", function (res) { res.on("data", function (chunk) { do_something_with_chunk; }); res.on("error", function (err) { // listener handling error }); }); Attach listeners to errors events or welcome unhandled exception!
node.js – uncaught exceptions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - by default node.js will print stack trace and terminate thread - EventEmitter / process / uncaughtException // it looks like this by default: process.on("uncaughtException", function (err) { console.error(err); console.trace(); process.exit(); });
node.js – uncaught exceptions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - by default node.js will print stack trace and terminate thread - EventEmitter / process / uncaughtException // it looks like this by default: process.on("uncaughtException", function (err) { console.error(err); console.trace(); //process.exit(); }); So do you really want to comment out the 'process.exit()' line?
node.js – domains - error handling mechanism - group I/O operations - when err event -> domain is notified not process - context clarity Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – domains Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Using Express take look at that: https://github.com/brianc/node-domain-middleware Assigning each Express request to a separate domain?
node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - npm install (-g) - who creates modules? - who verifies those? - how to update? - semantic versioning in package.json - "connect":"~1.8.7" -> 1.8.7 - 1.9
node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 --ignore-scripts stop preinstall/prepublish scripts - mods auditing: https://nodesecurity.io/
node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 The scale of npm modules
node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Comparison to other langs (mods/day):
node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Remember: - use strict? - static analysis? - does include some test suite? - what is the dependency tree? - private repository: Kappa - retire.js – check mods with cli
node.js – express Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Express – web dev framework Built on top of connect
node.js – express – basic auth Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'), app = express(); app.use(express.basicAuth("user", "pwd")); app.get("/", function (req, res) { res.send('Hello World'); }); app.listen(8080); Plain text and simple auth issues
node.js – express – SSL auth Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'), routes = require('./routes'), fs = require('fs') var opts = { key: fs.readFileSync('ssl/server/keys/server.key'), cert: fs.readFileSync('ssl/server/certificates/server.crt'), ca: fs.readFileSync('ssl/ca/ca.crt'), crl: fs.readFileSync('ssl/ca/ca.crl'), requestCert: true, rejectUnauthorized: true passphrase: "pwd" // <<<< really here? }; var app = module.exports = express.createServer(opts); app.configure(function(){ app.set('views', __dirname + '/views'); ... }); app.get('/', routes.index); app.listen(8443);
node.js – express – passport.js Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - provides API for authentication and authorization - authentication: - LocalStrategy - OpenIDStrategy - OAuth / FacebookStrategy
node.js – express – authorization Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var users = [ { id: 1, name: "user1", role: "admin" }, { id: 2, name: "user2", role: "common" }, ]; function loadUser(req, res, next) { req.userData = users[req.params.user]; return next(); } function requireRole(role) { return function (req, res, next) { if (req.user.role === role) { return next(); } else { return next(new Error("Unauthorized")); } };}
node.js – express – authorization Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 app.get("/users/:user", loadUser, function (req, res) { res.send(req.user.name); }); app.del("/users/:user", requireRole("admin"), loadUser, function (req,res) { res.send("User deleted"); });
node.js – express – logging Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 OWASP will tell you what should be logged :) https://www.owasp.org/index.php/Logging_Cheat_Sheet - authentication & authorisation - session management - errors & weirdo events - events (startups, shutdowns, slowdowns etc) - high risk functionalities (payments, privileges, admins)
node.js – express – logging Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Try Winston module (Github -> flatiron/winston) - logging to console - logging to file - sending logs over HTTP - CouchDB, Redis, MongoDB, Riak etc
node.js – express – sessions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'); var app = express(); var RedisStore = require('connect-redis')(express); app.use(express.cookieParser()); app.use(express.session({ store: new RedisStore({ host: '127.0.0.2', port: 6379, db: 3, pass: 'pwd' }), secret: 'this-is-very-secret' })); app.get('/somewhere', function(req, res) { res.send('In the middle of nowhere'); }); app.listen(process.env.PORT || 8080);
node.js – common threats - CSRF - input validation - XSS - DoS - ReDoS - HPP - request size Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – monitoring anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - is app functional? :) - is app overloaded? - app should provide monitoring interface - how many errors caught? - are forks alive and OK?
node.js – sandboxing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – sandboxing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Such security..Such security.. Very fortress!!1Very fortress!!1 WOW :)WOW :)
node.js – sandboxing SElinux sandbox: - legit r/w from stdin/out + only define FDs - no network access - no access to any other processes files - cgroups friendly :) - lightweight! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – sandboxing libvirtd sandbox: - use LXC, Qemu or KVM - provides high level API - don't need to know virt internals - integrates with systemd inside the sandbox - virt-sandbox -c lxc:/// /bin/sh Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – sandboxing Docker: - very easy learning curve – just run & go - it just works - big community - growing rapidly - almost stable ;) Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js – one more thing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Just...
node.js – one more thing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Just... Don't run as `root`!!!
node.js – tracing execution Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - SmartOS / Joyent: debugging - Bunyan / Dtrace - strace of course...
node.js – testing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - maybe some interface for white-box pentests? - unit-testing 4 the sake! (Mocha, supertest, should.js) - OWASP Zed Attack Proxy
scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org
scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org
scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org - threads-a-gogo module?
scaling node.js – containers Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
scaling node.js – resources Just use cgroups Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
node.js performance - c10k problem! - paypal – release the Kraken & stories Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
So what do you think about JS? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - JS is for children? wrong, children aren't async ;) - JS is slow? wrong – V8! - JS is not scalable? wrong – we'll JS the world! - JS is insecure? wrong – people commit mistakes!
Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security Infosec & meet.js meetups @krakow meetup.com
Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security Docker workshops with node.js! #dockerkrk #nodekrk
http://maciek.lasyk.info/sysop maciek@lasyk.info @docent-net Any Qs? Thank you :)

Recommended

Node.js security
Node.js securityNode.js security
Node.js securityMaciej Lasyk
 
Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
Curiosity Challenge Book 2014 - Cambridge Science Festival
Curiosity Challenge Book 2014 - Cambridge Science FestivalCuriosity Challenge Book 2014 - Cambridge Science Festival
Curiosity Challenge Book 2014 - Cambridge Science FestivalCSciFest
 
Scaling and securing node.js apps
Scaling and securing node.js appsScaling and securing node.js apps
Scaling and securing node.js appsMaciej Lasyk
 
Functional Scala 2022 - scalajs Alexis.pdf
Functional Scala 2022 - scalajs Alexis.pdfFunctional Scala 2022 - scalajs Alexis.pdf
Functional Scala 2022 - scalajs Alexis.pdfssusercd195b
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
Introduction to Grunt.js on Taiwan JavaScript Conference
Introduction to Grunt.js on Taiwan JavaScript ConferenceIntroduction to Grunt.js on Taiwan JavaScript Conference
Introduction to Grunt.js on Taiwan JavaScript ConferenceBo-Yi Wu
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 

Recommended

Node.js security
Node.js securityNode.js security
Node.js securityMaciej Lasyk
 
Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
Curiosity Challenge Book 2014 - Cambridge Science Festival
Curiosity Challenge Book 2014 - Cambridge Science FestivalCuriosity Challenge Book 2014 - Cambridge Science Festival
Curiosity Challenge Book 2014 - Cambridge Science FestivalCSciFest
 
Scaling and securing node.js apps
Scaling and securing node.js appsScaling and securing node.js apps
Scaling and securing node.js appsMaciej Lasyk
 
Functional Scala 2022 - scalajs Alexis.pdf
Functional Scala 2022 - scalajs Alexis.pdfFunctional Scala 2022 - scalajs Alexis.pdf
Functional Scala 2022 - scalajs Alexis.pdfssusercd195b
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
Introduction to Grunt.js on Taiwan JavaScript Conference
Introduction to Grunt.js on Taiwan JavaScript ConferenceIntroduction to Grunt.js on Taiwan JavaScript Conference
Introduction to Grunt.js on Taiwan JavaScript ConferenceBo-Yi Wu
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
The Cloud Native Stack
The Cloud Native StackThe Cloud Native Stack
The Cloud Native StackQAware GmbH
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Brad Enterprise Solution Architect
Brad Enterprise Solution ArchitectBrad Enterprise Solution Architect
Brad Enterprise Solution ArchitectBrad Travis
 
Rolling Up Your Sleeves
Rolling Up Your SleevesRolling Up Your Sleeves
Rolling Up Your Sleevesdjjackj
 
Node JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web AppNode JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web AppEdureka!
 
"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran Tal"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran TalJulia Cherniak
 
Top 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | EdurekaTop 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | EdurekaEdureka!
 
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015AboutYouGmbH
 
Modern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and MarkupModern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and MarkupLadislav Prskavec
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Java Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real worldJava Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real worldКирилл Толкачёв
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017Matt Raible
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introductionsanskriti agarwal
 
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel SolowServerless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel SolowAWSCOMSUM
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankDavid Amend
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBhargav Anadkat
 
Why Architecture in Web Development matters
Why Architecture in Web Development mattersWhy Architecture in Web Development matters
Why Architecture in Web Development mattersLars Jankowfsky
 
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Liran Tal
 
Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018Liran Tal
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 

More Related Content

Similar to Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk

The Cloud Native Stack
The Cloud Native StackThe Cloud Native Stack
The Cloud Native StackQAware GmbH
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Brad Enterprise Solution Architect
Brad Enterprise Solution ArchitectBrad Enterprise Solution Architect
Brad Enterprise Solution ArchitectBrad Travis
 
Rolling Up Your Sleeves
Rolling Up Your SleevesRolling Up Your Sleeves
Rolling Up Your Sleevesdjjackj
 
Node JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web AppNode JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web AppEdureka!
 
"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran Tal"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran TalJulia Cherniak
 
Top 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | EdurekaTop 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | EdurekaEdureka!
 
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015AboutYouGmbH
 
Modern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and MarkupModern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and MarkupLadislav Prskavec
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Java Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real worldJava Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real worldКирилл Толкачёв
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017Matt Raible
 
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel SolowServerless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel SolowAWSCOMSUM
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankDavid Amend
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBhargav Anadkat
 
Why Architecture in Web Development matters
Why Architecture in Web Development mattersWhy Architecture in Web Development matters
Why Architecture in Web Development mattersLars Jankowfsky
 
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Liran Tal
 
Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018Liran Tal
 

Similar to Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk (20)

The Cloud Native Stack
The Cloud Native StackThe Cloud Native Stack
The Cloud Native Stack
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Brad Enterprise Solution Architect
Brad Enterprise Solution ArchitectBrad Enterprise Solution Architect
Brad Enterprise Solution Architect
 
Rolling Up Your Sleeves
Rolling Up Your SleevesRolling Up Your Sleeves
Rolling Up Your Sleeves
 
Node JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web AppNode JS Express: Steps to Create Restful Web App
Node JS Express: Steps to Create Restful Web App
 
"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran Tal"Black Clouds and Silver Linings in Node.js Security" Liran Tal
"Black Clouds and Silver Linings in Node.js Security" Liran Tal
 
Top 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | EdurekaTop 50 Node.js Interview Questions and Answers | Edureka
Top 50 Node.js Interview Questions and Answers | Edureka
 
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
Rolando Santamaría Masó - Simplicity meets scalability - code.talks 2015
 
Modern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and MarkupModern Web Architecture<br>based on JS, API and Markup
Modern Web Architecture<br>based on JS, API and Markup
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Java Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real worldJava Day Minsk 2016 Keynote about Microservices in real world
Java Day Minsk 2016 Keynote about Microservices in real world
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017Front End Development for Back End Developers - Denver Startup Week 2017
Front End Development for Back End Developers - Denver Startup Week 2017
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introduction
 
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel SolowServerless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bank
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPM
 
Why Architecture in Web Development matters
Why Architecture in Web Development mattersWhy Architecture in Web Development matters
Why Architecture in Web Development matters
 
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
 
Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018Node.js security - JS Day Italy 2018
Node.js security - JS Day Italy 2018
 

Recently uploaded

Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 

Recently uploaded (20)

Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 

Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk

  • 1. Maciej Lasyk AtmosphereConf 2014 Warsaw, 2014-05-19 scaling & securing node.js apps
  • 2. $ whoami Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - not only sysadmin ;) - 14+ years of exp software dev / sysop - ops lead - contributing to Fedora Project (and couple more)
  • 3. Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 4. So what do you think about JS? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 5. So what do you think about JS? - JS is for children! - JS is slow! - JS is not scalable! - JS is insecure! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 6. node.js: history - 2008: Google V8 release - 2009: Ryan Dahl & node.js - 2011: node.js release - later on – Joyent till today - and ^liftsecurity / nodesecurity.io Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 7. Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 8. Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 (http://www.phloxblog.in)
  • 9. node.js: developing ur code Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 raw node.js coding srsly? (core modules only)
  • 10. node.js: developing ur code maybe some frameworks? - webserver: express - client-server sync: backbone.js - push: socket.io - templates: swig - i18n: babelfish - client – side: jquery - or... - kraken.js does the all (almost) Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 11. node.js: developing ur code Biggest win here? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 12. node.js: developing ur code Biggest win here? One Language to Rule them all! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 13. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 eval() like fncs takes string argument and evalute those as source code
  • 14. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 eval() like fncs takes string argument and evalute those as source code srsly – who does that?
  • 15. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 not only evals: setInterval(code,2) setTimeout(code,2) str = new Function(code) Content-Security-Policy knows about those but we're talking about server side...
  • 16. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Global nameSpace Pollution - node.js is single threaded - all variable values are common - one could thrtically change bhv of others reqs - watch out for globals then!
  • 17. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var auth = false; app.get('/auth', function(req, res) { if(legit) { auth = true; res.send("success"); }); app.get('/payments-db', function(req, res) { if (auth) res.send("legit to see all payments data"); else res.send("not logged in"); }) app.listen(8080);
  • 18. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 So now imagine.. global namespace pollution + evals & co
  • 19. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 So now imagine.. global namespace pollution + evals & co
  • 20. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 object properties: - writable: RO/RW - enumerable: no loops enumeration - configurable: deletion prohibited - all default set to True so watch out
  • 21. security: JS issues Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var obj = {}; obj.prop = "LOL"; // OR: Object.defineProperty(obj, "prop", { writable: true, enumerable: true, configurable: true, value: "LOL" })
  • 22. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 strict mode: - let's throw all errors! - declare variables! - global namespaces help
  • 23. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; function do_smt() { do_smt.caller; // no way :) do_smt.arguments; // no way :) }
  • 24. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; eval("var smt = 123"); console.log(smt); // sorry – ReferenceError
  • 25. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 "use strict"; eval("var smt = 123"); console.log(smt); // sorry – ReferenceError But watch out: "use strict"; var smt = 0; eval("smt = 123"); console.log(smt); // outputs “123” properly
  • 26. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 strict mode: - evals & co are not that insecure now - no access to caller and args props - enable globally or for some scope - what about strict mode in 3rd party mods?
  • 27. security: JS issues - prevention Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Static code analysis - If not doing it already – just do - Commit hooks in (D)VCSes (or CI/CD) - JSHint (node-jshint) / JSLint (nodelint) - Create policy for static code analysis - Update & check this policy regularly
  • 28. node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – ? hits - http://osvdb.org – ? hits - http://1337day.com, http://www.exploitdb.com – ? hit - http://nodesecurity.io/advisories – ? hits
  • 29. node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits
  • 30. node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits Such security big?
  • 31. node.js – exploits anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - http://seclists.org/bugtraq – 0 hits - http://osvdb.org – 2 hits - http://1337day.com, http://www.exploitdb.com – 1 hit - http://nodesecurity.io/advisories – 4 hits Such security big? not exactly
  • 32. node.js – what's wrong than? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 node.js security is a blank page http://www.slideshare.net/ASF-WS/asfws-2012-nodejs-security-old-vulnerabilities-in-new-dresses-par-sven-vetsch
  • 33. node.js – exceptions / callbacks Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 callbacks Error object – remember to handle those var fs = require("fs"); fs.readFile("/some/file", "utf8", function (err, contents) { // err will be null if no error occured // ... otherwise there will be info about error }); forget about handling and die debugging
  • 34. node.js – eventemitter Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 EventEmitter: emitting events 4 async actions var http = require("http"); http.get("http://nodejs.org/", function (res) { res.on("data", function (chunk) { do_something_with_chunk; }); res.on("error", function (err) { // listener handling error }); }); Attach listeners to errors events or welcome unhandled exception!
  • 35. node.js – uncaught exceptions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - by default node.js will print stack trace and terminate thread - EventEmitter / process / uncaughtException // it looks like this by default: process.on("uncaughtException", function (err) { console.error(err); console.trace(); process.exit(); });
  • 36. node.js – uncaught exceptions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - by default node.js will print stack trace and terminate thread - EventEmitter / process / uncaughtException // it looks like this by default: process.on("uncaughtException", function (err) { console.error(err); console.trace(); //process.exit(); }); So do you really want to comment out the 'process.exit()' line?
  • 37. node.js – domains - error handling mechanism - group I/O operations - when err event -> domain is notified not process - context clarity Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 38. node.js – domains Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Using Express take look at that: https://github.com/brianc/node-domain-middleware Assigning each Express request to a separate domain?
  • 39. node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - npm install (-g) - who creates modules? - who verifies those? - how to update? - semantic versioning in package.json - "connect":"~1.8.7" -> 1.8.7 - 1.9
  • 40. node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 --ignore-scripts stop preinstall/prepublish scripts - mods auditing: https://nodesecurity.io/
  • 41. node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 The scale of npm modules
  • 42. node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Comparison to other langs (mods/day):
  • 43. node.js – npm modules Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Remember: - use strict? - static analysis? - does include some test suite? - what is the dependency tree? - private repository: Kappa - retire.js – check mods with cli
  • 44. node.js – express Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Express – web dev framework Built on top of connect
  • 45. node.js – express – basic auth Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'), app = express(); app.use(express.basicAuth("user", "pwd")); app.get("/", function (req, res) { res.send('Hello World'); }); app.listen(8080); Plain text and simple auth issues
  • 46. node.js – express – SSL auth Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'), routes = require('./routes'), fs = require('fs') var opts = { key: fs.readFileSync('ssl/server/keys/server.key'), cert: fs.readFileSync('ssl/server/certificates/server.crt'), ca: fs.readFileSync('ssl/ca/ca.crt'), crl: fs.readFileSync('ssl/ca/ca.crl'), requestCert: true, rejectUnauthorized: true passphrase: "pwd" // <<<< really here? }; var app = module.exports = express.createServer(opts); app.configure(function(){ app.set('views', __dirname + '/views'); ... }); app.get('/', routes.index); app.listen(8443);
  • 47. node.js – express – passport.js Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - provides API for authentication and authorization - authentication: - LocalStrategy - OpenIDStrategy - OAuth / FacebookStrategy
  • 48. node.js – express – authorization Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var users = [ { id: 1, name: "user1", role: "admin" }, { id: 2, name: "user2", role: "common" }, ]; function loadUser(req, res, next) { req.userData = users[req.params.user]; return next(); } function requireRole(role) { return function (req, res, next) { if (req.user.role === role) { return next(); } else { return next(new Error("Unauthorized")); } };}
  • 49. node.js – express – authorization Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 app.get("/users/:user", loadUser, function (req, res) { res.send(req.user.name); }); app.del("/users/:user", requireRole("admin"), loadUser, function (req,res) { res.send("User deleted"); });
  • 50. node.js – express – logging Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 OWASP will tell you what should be logged :) https://www.owasp.org/index.php/Logging_Cheat_Sheet - authentication & authorisation - session management - errors & weirdo events - events (startups, shutdowns, slowdowns etc) - high risk functionalities (payments, privileges, admins)
  • 51. node.js – express – logging Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Try Winston module (Github -> flatiron/winston) - logging to console - logging to file - sending logs over HTTP - CouchDB, Redis, MongoDB, Riak etc
  • 52. node.js – express – sessions Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 var express = require('express'); var app = express(); var RedisStore = require('connect-redis')(express); app.use(express.cookieParser()); app.use(express.session({ store: new RedisStore({ host: '127.0.0.2', port: 6379, db: 3, pass: 'pwd' }), secret: 'this-is-very-secret' })); app.get('/somewhere', function(req, res) { res.send('In the middle of nowhere'); }); app.listen(process.env.PORT || 8080);
  • 53. node.js – common threats - CSRF - input validation - XSS - DoS - ReDoS - HPP - request size Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 54. node.js – monitoring anyone? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - is app functional? :) - is app overloaded? - app should provide monitoring interface - how many errors caught? - are forks alive and OK?
  • 55. node.js – sandboxing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 56. node.js – sandboxing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Such security..Such security.. Very fortress!!1Very fortress!!1 WOW :)WOW :)
  • 57. node.js – sandboxing SElinux sandbox: - legit r/w from stdin/out + only define FDs - no network access - no access to any other processes files - cgroups friendly :) - lightweight! Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 58. node.js – sandboxing libvirtd sandbox: - use LXC, Qemu or KVM - provides high level API - don't need to know virt internals - integrates with systemd inside the sandbox - virt-sandbox -c lxc:/// /bin/sh Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 59. node.js – sandboxing Docker: - very easy learning curve – just run & go - it just works - big community - growing rapidly - almost stable ;) Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 60. node.js – one more thing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Just...
  • 61. node.js – one more thing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 Just... Don't run as `root`!!!
  • 62. node.js – tracing execution Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - SmartOS / Joyent: debugging - Bunyan / Dtrace - strace of course...
  • 63. node.js – testing Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - maybe some interface for white-box pentests? - unit-testing 4 the sake! (Mocha, supertest, should.js) - OWASP Zed Attack Proxy
  • 64. scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org
  • 65. scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org
  • 66. scaling node.js – cluster module Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 http://aosabook.org - threads-a-gogo module?
  • 67. scaling node.js – containers Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 68. scaling node.js – resources Just use cgroups Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 69. node.js performance - c10k problem! - paypal – release the Kraken & stories Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
  • 70. So what do you think about JS? Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014 - JS is for children? wrong, children aren't async ;) - JS is slow? wrong – V8! - JS is not scalable? wrong – we'll JS the world! - JS is insecure? wrong – people commit mistakes!
  • 71. Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security Infosec & meet.js meetups @krakow meetup.com
  • 72. Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security Docker workshops with node.js! #dockerkrk #nodekrk