Node Day - Node.js Security in the Enterprise

•

4 j'aime•8,052 vues

Adam Baldwin

Adam Baldwin talks about Node.js security in the enterprise for Node Day 2014 hosted at PayPal

Technologie

@adam_baldwin
@liftsecurity
@nodesecurity
@evilpacket

Enterprise Security in 3 min
Protect what makes you money
Availability is security
Measure & Iterate
It's not about the vulnerability
You will screw it up anyway

What this talk is about
Being informed & Prepared
!

The node security landscape
!

It's all node's fault

Understand what the
enterprise cares about,
then do better.

The enterprise should
understand you and do
better.

nodejs-sec announcements
https://groups.google.com/forum/#!forum/nodejs-sec

Understanding the
node.js security
landscape

The Enterprise
is responsible
for what you
require()

npm shrinkwrap
POST

/validate/shrinkwrap

GET

/validate/:module_name/:version

npm shrinkwrap example
curl -X POST https://nodesecurity.io/
validate/shrinkwrap -d @npmshrinkwrap.json -H "content-type:
application/json"

retire.js
Scan a web app or node app for
use of vulnerable JavaScript
libraries and/or node modules.

http://bekk.github.io/retire.js/

What is the greatest
vulnerability that you have
in the enterprise?

Blame Node.
It's just how we do things.™

</PRESENTATION>
@adam_baldwin | @LiftSecurity

Contenu connexe

Tendances

WAF In DevOps DevOpsFusion2019Franziska Buehler

Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv

Wordpress securityMehmet Ince

Bypassing cisco’s sourcefire amp endpoint solution – full demoRajivarnan R

SSL Pinning and Bypasses: Android and iOSAnant Shrivastava

5 Bare Minimum Things A Web Startup CTO Must Worry AboutIndus Khaitan

Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava

Web Application firewall-Mod securityRomansh Yadav

Tools & techniques, building a dev secops culture at mozilla sba live a...SBA Research

Ruby and Framework SecurityCreston Jamison

Quick Tips for Server SecurityAlister Loxton

Apache Struts2 CVE-2017-5638Riyaz Walikar

Dont run with scissorsMorgan Roman

Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community

WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen

Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava

opensuse conference 2015: security processes and technologies for TumbleweedMarcus Meissner

Slides null puliya linux basicsAnant Shrivastava

Bünyamin Demir - 10 Adımda Yazılım GüvenliğiCypSec - Siber Güvenlik Konferansı

Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak

Tendances (20)

WAF In DevOps DevOpsFusion2019

Software Supply Chain Security та компоненти з відомими вразливостями

Wordpress security

Bypassing cisco’s sourcefire amp endpoint solution – full demo

SSL Pinning and Bypasses: Android and iOS

5 Bare Minimum Things A Web Startup CTO Must Worry About

Null bhopal Sep 2016: What it Takes to Secure a Web Application

Web Application firewall-Mod security

Tools & techniques, building a dev secops culture at mozilla sba live a...

Ruby and Framework Security

Quick Tips for Server Security

Apache Struts2 CVE-2017-5638

Dont run with scissors

Emerging Trends in Cybersecurity by Amar Prusty

WordPress security 101 - WP Jyväskylä Meetup 21.3.2017

Tale of Forgotten Disclosure and Lesson learned

opensuse conference 2015: security processes and technologies for Tumbleweed

Slides null puliya linux basics

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

Web Uygulama Güvenliği (Akademik Bilişim 2016)

En vedette

ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...Cyber Security Alliance

Security First - Adam BaldwinAdam Baldwin

Continuous SecurityAdam Baldwin

302 Content Server Security Challenges And Best Practicesphanleson

Top 10 web server security flawstobybear30

Web server security challengesMartins Chibuike Onuoha

Secure Node Code (workshop, O'Reilly Security)Guy Podjarny

Web Server Security Guidelineswebhostingguy

F-Secure E-mail and Server SecurityF-Secure Corporation

Web Server Web Site SecuritySteven Cahill

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

Continuous Security - Thunderplains 2016Adam Baldwin

Урок - 9, 27 февраля, 2016Burac Constantin

Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersTraction Conf

Três porquinhosjardiminfanciasilgueiros

Leidy carvajal actividad 1.2 mapa cLeidy Carvajal

Romeo and julietMike Smith

Tuomas_JokimakiTuomas Jokimäki

Sexy HTML with Twitter BootstrapKarthik Gaekwad

En vedette (19)

ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...

Security First - Adam Baldwin

Continuous Security

302 Content Server Security Challenges And Best Practices

Top 10 web server security flaws

Web server security challenges

Secure Node Code (workshop, O'Reilly Security)

Web Server Security Guidelines

F-Secure E-mail and Server Security

Web Server Web Site Security

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Continuous Security - Thunderplains 2016

Урок - 9, 27 февраля, 2016

Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers

Três porquinhos

Leidy carvajal actividad 1.2 mapa c

Romeo and juliet

Tuomas_Jokimaki

Sexy HTML with Twitter Bootstrap

Similaire à Node Day - Node.js Security in the Enterprise

JSConfBR - Securing Node.js App, by the community and for the community David Dias

Cloud Security Engineer Interview Questions.pdfInfosec Train

Cloud Security Engineer Interview Questions.pdfinfosec train

How to secure web applicationsMohammed A. Imran

Chapter 5Overview of SecurityTechnologiesWe can’t hWilheminaRossi174

Config Management Camp 2017 - If it moves, give it a pipelineMark Rendell

Cloud, DevOps and the New Security PractitionerAdrian Sanabria

Academy PRO: Node.js in production. lecture 4Binary Studio

Shifting security to the left with kubernetes, azure, and istioChristian Melendez

Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman

Automotive Cybersecurity: Test Like a HackerForAllSecure

Making Security Agile - Oleg GrybSeniorStoryteller

Common mistake in nodejsNguyen Tran

Agility Requires SafetyYevgeniy Brikman

3.Secure Design Principles And Processphanleson

Biggest info security mistakes security innovation inc.uNIX Jim

Total Defense Product InformationZeeshan Humayun

Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software

Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon

AppSec California 2016 - Making Security AgileOleg Gryb

Similaire à Node Day - Node.js Security in the Enterprise (20)

JSConfBR - Securing Node.js App, by the community and for the community

Cloud Security Engineer Interview Questions.pdf

How to secure web applications

Chapter 5Overview of SecurityTechnologiesWe can’t h

Config Management Camp 2017 - If it moves, give it a pipeline

Cloud, DevOps and the New Security Practitioner

Academy PRO: Node.js in production. lecture 4

Shifting security to the left with kubernetes, azure, and istio

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

Automotive Cybersecurity: Test Like a Hacker

Making Security Agile - Oleg Gryb

Common mistake in nodejs

Agility Requires Safety

3.Secure Design Principles And Process

Biggest info security mistakes security innovation inc.

Total Defense Product Information

Prevent Getting Hacked by Using a Network Vulnerability Scanner

Nick Drage & Fraser Scott - Epic battle devops vs security

AppSec California 2016 - Making Security Agile

Plus de Adam Baldwin

Attacking open source using abandoned resourcesAdam Baldwin

JavaScript Supply Chain SecurityAdam Baldwin

Building a Threat Model & How npm Fits Into ItAdam Baldwin

Hunting for malicious modules in npm - NodeSummitAdam Baldwin

Node Security Project - LXJS 2013Adam Baldwin

JSConf 2013 Builders vs BreakersAdam Baldwin

EV1LSHA - Misadventures in the land of LuaAdam Baldwin

Writing an (in)secure webapp in 3 easy stepsAdam Baldwin

Pony Pwning Djangocon 2010Adam Baldwin

Plus de Adam Baldwin (9)

Attacking open source using abandoned resources

JavaScript Supply Chain Security

Building a Threat Model & How npm Fits Into It

Hunting for malicious modules in npm - NodeSummit

Node Security Project - LXJS 2013

JSConf 2013 Builders vs Breakers

EV1LSHA - Misadventures in the land of Lua

Writing an (in)secure webapp in 3 easy steps

Pony Pwning Djangocon 2010

Dernier

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica

Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes

Top 10 Hubspot Development Companies in 2024TopCSSGallery

React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech

Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González

[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra

A Journey Into the Emotions of Software DevelopersNicole Novielli

All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough

So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar

Digital Tools & AI in Career DevelopmentMahmoud Rabie

Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll

Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica

Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos

Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA

Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers

Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma

Dernier (20)

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure

Assure Ecommerce and Retail Operations Uptime with ThousandEyes

Top 10 Hubspot Development Companies in 2024

React Native vs Ionic - The Best Mobile App Framework

Generative Artificial Intelligence: How generative AI works.pdf

[Webinar] SpiraTest - Setting New Standards in Quality Assurance

A Journey Into the Emotions of Software Developers

All These Sophisticated Attacks, Can We Really Detect Them - PDF

So einfach geht modernes Roaming fuer Notes und Nomad.pdf

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes

Digital Tools & AI in Career Development

Emixa Mendix Meetup 11 April 2024 about Mendix Native development

Kuma Meshes Part I - The basics - A tutorial

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...

Genislab builds better products and faster go-to-market with Lean project man...

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

Long journey of Ruby standard library at RubyConf AU 2024

Design pattern talk by Kaya Weers - 2024 (v2)

Microservices, Docker deploy and Microservices source code in C#