SlideShare une entreprise Scribd logo

NodeJS security - still unsafe at most speeds - v1.0

Dinis Cruz
Dinis Cruz

Overview of NodeJS security with a list of what is good and bad about it

Logiciels
1  sur  49
Télécharger pour lire hors ligne
NodeJS Security Still unsafe at most speeds London, 29th Sep 2016 @DinisCruz
Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training for JBI Training • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
• @Leanpub (get for 0$ ) • http://leanpub.com/u/DinisCruz – 
 Contact
Recent Presentations (you might find interesting) http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html http://blog.diniscruz.com/2016/05/appsec-and-software-quality.html http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
AppSec and Quality
Key to AppSec - The AppSec Risk Workflow http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
When creating tests on the ‘Fix’ stage, the focus (& time allocated) is on 
 fixing the bug (not on testing it) When creating tests on the ‘Issue Creation’ stage, the focus (& time allocated) is on 
 how to test it and what is its root cause http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html Start with Passing tests, because:
NODEJS SECURITY
• Just as good and bad as Java or .NET • We are still in the same place • Not many lessons learned • But at least we are building bigger and faster websites (with more house-power and assets) Basically….
• native JSON • super fast – V8 Engine executed some javascript code 
 faster than (equivalent) C++ • async pattern – one event loop thread – highly scalable • developer friendly – fast development – REPL (Read, Eval, Print, Loop) – enables CI and CD (easy integration with GitHub, Travis, etc…) • Other languages – ECMAScript 6 – CoffeeScript (my favourite language) – Jade (Html template engine) – Typescript What is good 1/3
• community Innovation – pure Open Source child (with strong corporate support) – equivalent io.js fork should had happened to Java and .NET – crazy innovation speed and technologies like JsDOM – NodeJS Security Project • ssl is easy • enterprise ready – used by massive sites with great success – amazing live monitoring and instrumentation tools (and SAAS solution) – container friendly (i.e. docker) • promotes Microservices • great test culture (TDD) • growing security maturity – null checks on file paths What is good 2/3
• WallabyJS – real time unit test execution – real time code coverage What is good 3/3
Just to be clear….
 nodeJS + CoffeeScript + wallaby
 is my most productive
 and enjoyable dev environment
 where I easily write 
 secure code with 100% code coverage
• Same old OWASP Top 10 • Have to work hard to write secure apps – not out of the box – CSRF protection for example • REST Injection – can be as bad as SQL Injection • Model Binding is alive What is bad 1/5
• It’s Javascript – not strongly typed • with crazy type conversions and equals • decimal conversion problems – ability to overwrite (via prototypes) other API’s methods – interpreted code (strings can become code) • Eval, file save or ‘dynamic requires’ can lead to RCE • Strings everywhere (we have to ‘ban strings’) • Pattern: Proxy to internal Systems (with no data validation checks for more data) What is bad 2/5
• NPM – just as bad and crazy as Maven, NuGet, CocoaPods – very little security checks performed in new modules • few security eyeballs • dependency checks via https://nodesecurity.io/ via nsp – just look at what is inside some npm packages • See I Peeked Into My Node_Modules Directory And You Won’t Believe What Happened Next https://medium.com/friendship- dot-js/i-peeked-into-my-node-modules-directory-and-you-wont- believe-what-happened-next-b89f63d21558 What is bad 3/5
• Unhanded errors will crash server (can be a good thing) • Server side HTML and Javascript generation – source of tons of XSS • Secure configuration is hard • Weak code visualisation for – Attack surface – AST – Code Paths • Limited support for sandboxing code and CAS (Code Access Security) What is bad 4/5
• Hard to do SAST (Static Analysis) • NoSQL databases vulnerable to Injection attacks • Express support for ..%2f in url segments • … I’m sure there are many more … What is bad 5/5
OWASP AND NODEJS
• A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards OWASP Top 10 (for 2013) is all there
OWASP Juice Shop Tool Project
OWASP NodeGoat Project
NodeJS Security Book https://secureyournodejs.com
KNOW THE RISK OF YOUR APPLICATION
• You need to have them mapped and accept the risk • Here are the risks currently accepted for the OWASP/Maturity-Models project (NodeJS app)
 
 
 – https://github.com/OWASP/Maturity-Models View security issues as features
…using GitHub Labels to create Risk Workflow
CASE STUDY: WHEN I CREATED A VULNERABILITY
• Here is the code I wrote (at the Data Layer)
 
 
 
 
 • This method is designed to be called by the controller (i.e. rest api endpoint): Feature request: Allow data editing on UI
Feature request: Allow data editing on UI
Regression test that passes on issue
Fix for Path transversal
Regression test
LET’S SEE HOW IT LOOKED IN THE CODE
…before the vuln is created
…when the vuln is created
… adding comments
…after issues are created
…improving comments
…updating issues after 1st fix
… after final fix
… more issues where found later
Thanks, any questions @diniscruz dinis.cruz@owasp.org

Recommandé

Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Dinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Dinis Cruz
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery WorldDinis Cruz
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
Get Ready for JIRA 5 - AtlasCamp 2011
Get Ready for JIRA 5 - AtlasCamp 2011Get Ready for JIRA 5 - AtlasCamp 2011
Get Ready for JIRA 5 - AtlasCamp 2011Atlassian
 
App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5Dinis Cruz
 
Merging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveMerging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveAbhay Bhargav
 

Recommandé

Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Dinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Dinis Cruz
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery WorldDinis Cruz
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
Get Ready for JIRA 5 - AtlasCamp 2011
Get Ready for JIRA 5 - AtlasCamp 2011Get Ready for JIRA 5 - AtlasCamp 2011
Get Ready for JIRA 5 - AtlasCamp 2011Atlassian
 
App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5Dinis Cruz
 
Merging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveMerging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveAbhay Bhargav
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Owasp glue
Owasp glueOwasp glue
Owasp glueSoluto
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA ChennaiAbhay Bhargav
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneySonatype
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Dinis Cruz
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Dinis Cruz
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easyDinis Cruz
 

Contenu connexe

Tendances

SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Owasp glue
Owasp glueOwasp glue
Owasp glueSoluto
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA ChennaiAbhay Bhargav
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneySonatype
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Dinis Cruz
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 

Tendances (20)

SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 

En vedette

Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Dinis Cruz
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easyDinis Cruz
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Dinis Cruz
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
NodeMN: Building AI into your Node.js apps
NodeMN: Building AI into your Node.js appsNodeMN: Building AI into your Node.js apps
NodeMN: Building AI into your Node.js appsDavid Washington
 
Web Development with Node.js
Web Development with Node.jsWeb Development with Node.js
Web Development with Node.jsAndrew Lively
 
GPG Signing Git Commits
GPG Signing Git CommitsGPG Signing Git Commits
GPG Signing Git CommitsDinis Cruz
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Microservices and Seneca at RomaJS group
Microservices and Seneca at RomaJS groupMicroservices and Seneca at RomaJS group
Microservices and Seneca at RomaJS groupLuca Lanziani
 
The Seneca Pattern at EngineYard Distill 2013 Conference
The Seneca Pattern at EngineYard Distill 2013 ConferenceThe Seneca Pattern at EngineYard Distill 2013 Conference
The Seneca Pattern at EngineYard Distill 2013 ConferenceRichard Rodger
 
Node Interactive : 7 years, 7 design patterns, will node continue to outshine
Node Interactive : 7 years, 7 design patterns, will node continue to outshineNode Interactive : 7 years, 7 design patterns, will node continue to outshine
Node Interactive : 7 years, 7 design patterns, will node continue to outshineShubhra Kar
 
Introducing the Seneca MVP framework for Node.js
Introducing the Seneca MVP framework for Node.jsIntroducing the Seneca MVP framework for Node.js
Introducing the Seneca MVP framework for Node.jsRichard Rodger
 
Writing Test Cases with PHPUnit
Writing Test Cases with PHPUnitWriting Test Cases with PHPUnit
Writing Test Cases with PHPUnitShouvik Chatterjee
 
NodeJS Microservices, Built it Now, Scale it Later!
NodeJS Microservices, Built it Now, Scale it Later!NodeJS Microservices, Built it Now, Scale it Later!
NodeJS Microservices, Built it Now, Scale it Later!Lalit Shandilya
 

En vedette (20)

Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easy
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
Nodejs in Production
Nodejs in ProductionNodejs in Production
Nodejs in Production
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Building Web Apps & APIs With Node JS
Building Web Apps & APIs With Node JSBuilding Web Apps & APIs With Node JS
Building Web Apps & APIs With Node JS
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS Security
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
 
NodeMN: Building AI into your Node.js apps
NodeMN: Building AI into your Node.js appsNodeMN: Building AI into your Node.js apps
NodeMN: Building AI into your Node.js apps
 
Web Development with Node.js
Web Development with Node.jsWeb Development with Node.js
Web Development with Node.js
 
GPG Signing Git Commits
GPG Signing Git CommitsGPG Signing Git Commits
GPG Signing Git Commits
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application Security
 
Microservices and Seneca at RomaJS group
Microservices and Seneca at RomaJS groupMicroservices and Seneca at RomaJS group
Microservices and Seneca at RomaJS group
 
The Seneca Pattern at EngineYard Distill 2013 Conference
The Seneca Pattern at EngineYard Distill 2013 ConferenceThe Seneca Pattern at EngineYard Distill 2013 Conference
The Seneca Pattern at EngineYard Distill 2013 Conference
 
Node Interactive : 7 years, 7 design patterns, will node continue to outshine
Node Interactive : 7 years, 7 design patterns, will node continue to outshineNode Interactive : 7 years, 7 design patterns, will node continue to outshine
Node Interactive : 7 years, 7 design patterns, will node continue to outshine
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Introducing the Seneca MVP framework for Node.js
Introducing the Seneca MVP framework for Node.jsIntroducing the Seneca MVP framework for Node.js
Introducing the Seneca MVP framework for Node.js
 
Writing Test Cases with PHPUnit
Writing Test Cases with PHPUnitWriting Test Cases with PHPUnit
Writing Test Cases with PHPUnit
 
NodeJS Microservices, Built it Now, Scale it Later!
NodeJS Microservices, Built it Now, Scale it Later!NodeJS Microservices, Built it Now, Scale it Later!
NodeJS Microservices, Built it Now, Scale it Later!
 

Similaire à NodeJS security - still unsafe at most speeds - v1.0

[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development processJerod Brennen
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Get your head in the clouds! - Swansea Con 2016
Get your head in the clouds! - Swansea Con 2016Get your head in the clouds! - Swansea Con 2016
Get your head in the clouds! - Swansea Con 2016Christopher Cundill
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringMichael Man
 
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...DataArt
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGRomuald SZKUDLAREK
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
ContainerDayVietnam2016: Docker at scale with Mesos
ContainerDayVietnam2016: Docker at scale with MesosContainerDayVietnam2016: Docker at scale with Mesos
ContainerDayVietnam2016: Docker at scale with MesosDocker-Hanoi
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?Ksenia Peguero
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 

Similaire à NodeJS security - still unsafe at most speeds - v1.0 (20)

[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Get your head in the clouds! - Swansea Con 2016
Get your head in the clouds! - Swansea Con 2016Get your head in the clouds! - Swansea Con 2016
Get your head in the clouds! - Swansea Con 2016
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
 
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...
IT Talk «Microservices & Serverless Architectures», Alexander Chichenin (Solu...
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTG
 
Meanstack overview
Meanstack overviewMeanstack overview
Meanstack overview
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
ContainerDayVietnam2016: Docker at scale with Mesos
ContainerDayVietnam2016: Docker at scale with MesosContainerDayVietnam2016: Docker at scale with Mesos
ContainerDayVietnam2016: Docker at scale with Mesos
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 

Plus de Dinis Cruz

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Dinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesDinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsDinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceDinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Dinis Cruz
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data scienceDinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyDinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Dinis Cruz
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityDinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsDinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Dinis Cruz
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febDinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febDinis Cruz
 

Plus de Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Dernier

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 

Dernier (20)

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 

NodeJS security - still unsafe at most speeds - v1.0

  • 1. NodeJS Security Still unsafe at most speeds London, 29th Sep 2016 @DinisCruz
  • 2. Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training for JBI Training • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
  • 3. • @Leanpub (get for 0$ ) • http://leanpub.com/u/DinisCruz – 
 Contact
  • 4. Recent Presentations (you might find interesting) http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html http://blog.diniscruz.com/2016/05/appsec-and-software-quality.html http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
  • 6. Key to AppSec - The AppSec Risk Workflow http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
  • 7. When creating tests on the ‘Fix’ stage, the focus (& time allocated) is on 
 fixing the bug (not on testing it) When creating tests on the ‘Issue Creation’ stage, the focus (& time allocated) is on 
 how to test it and what is its root cause http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html Start with Passing tests, because:
  • 9. • Just as good and bad as Java or .NET • We are still in the same place • Not many lessons learned • But at least we are building bigger and faster websites (with more house-power and assets) Basically….
  • 10. • native JSON • super fast – V8 Engine executed some javascript code 
 faster than (equivalent) C++ • async pattern – one event loop thread – highly scalable • developer friendly – fast development – REPL (Read, Eval, Print, Loop) – enables CI and CD (easy integration with GitHub, Travis, etc…) • Other languages – ECMAScript 6 – CoffeeScript (my favourite language) – Jade (Html template engine) – Typescript What is good 1/3
  • 11. • community Innovation – pure Open Source child (with strong corporate support) – equivalent io.js fork should had happened to Java and .NET – crazy innovation speed and technologies like JsDOM – NodeJS Security Project • ssl is easy • enterprise ready – used by massive sites with great success – amazing live monitoring and instrumentation tools (and SAAS solution) – container friendly (i.e. docker) • promotes Microservices • great test culture (TDD) • growing security maturity – null checks on file paths What is good 2/3
  • 12. • WallabyJS – real time unit test execution – real time code coverage What is good 3/3
  • 13. Just to be clear….
 nodeJS + CoffeeScript + wallaby
 is my most productive
 and enjoyable dev environment
 where I easily write 
 secure code with 100% code coverage
  • 14. • Same old OWASP Top 10 • Have to work hard to write secure apps – not out of the box – CSRF protection for example • REST Injection – can be as bad as SQL Injection • Model Binding is alive What is bad 1/5
  • 15. • It’s Javascript – not strongly typed • with crazy type conversions and equals • decimal conversion problems – ability to overwrite (via prototypes) other API’s methods – interpreted code (strings can become code) • Eval, file save or ‘dynamic requires’ can lead to RCE • Strings everywhere (we have to ‘ban strings’) • Pattern: Proxy to internal Systems (with no data validation checks for more data) What is bad 2/5
  • 16. • NPM – just as bad and crazy as Maven, NuGet, CocoaPods – very little security checks performed in new modules • few security eyeballs • dependency checks via https://nodesecurity.io/ via nsp – just look at what is inside some npm packages • See I Peeked Into My Node_Modules Directory And You Won’t Believe What Happened Next https://medium.com/friendship- dot-js/i-peeked-into-my-node-modules-directory-and-you-wont- believe-what-happened-next-b89f63d21558 What is bad 3/5
  • 17. • Unhanded errors will crash server (can be a good thing) • Server side HTML and Javascript generation – source of tons of XSS • Secure configuration is hard • Weak code visualisation for – Attack surface – AST – Code Paths • Limited support for sandboxing code and CAS (Code Access Security) What is bad 4/5
  • 18. • Hard to do SAST (Static Analysis) • NoSQL databases vulnerable to Injection attacks • Express support for ..%2f in url segments • … I’m sure there are many more … What is bad 5/5
  • 20. • A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards OWASP Top 10 (for 2013) is all there
  • 21. OWASP Juice Shop Tool Project
  • 24. KNOW THE RISK OF YOUR APPLICATION
  • 25. • You need to have them mapped and accept the risk • Here are the risks currently accepted for the OWASP/Maturity-Models project (NodeJS app)
 
 
 – https://github.com/OWASP/Maturity-Models View security issues as features
  • 26. …using GitHub Labels to create Risk Workflow
  • 27.
  • 28.
  • 29.
  • 30. CASE STUDY: WHEN I CREATED A VULNERABILITY
  • 31. • Here is the code I wrote (at the Data Layer)
 
 
 
 
 • This method is designed to be called by the controller (i.e. rest api endpoint): Feature request: Allow data editing on UI
  • 32. Feature request: Allow data editing on UI
  • 33. Regression test that passes on issue
  • 34.
  • 35.
  • 36.
  • 37.
  • 38. Fix for Path transversal
  • 40. LET’S SEE HOW IT LOOKED IN THE CODE
  • 41. …before the vuln is created
  • 42. …when the vuln is created
  • 48. … more issues where found later