Guy Podjarmy - Secure Node Code
•
0 likes•173 views
This document discusses securing open source software and dependencies. It notes that open source usage and the number of npm packages have exploded, but open source software is not inherently secure or insecure. It warns that vulnerabilities in widely used open source projects like Heartbleed, Shellshock, and Logjam have impacted many users. Approximately 30% of Docker images contain known vulnerabilities. Similarly, around 14% of npm packages have known vulnerabilities that have been found in users' applications. It encourages finding, fixing, and preventing vulnerabilities in open source dependencies to help secure applications.
Report
Share
Guy Podjarmy - Secure Node Code
- 1. Join the conversation #devseccon Guy Podjarny, Snyk @guypod Secure Node Code a.k.a. Stranger Danger
- 2. snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan) • Security: Worked in Sanctum -> Watchfire -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker
- 3. snyk.io Open Source Is Awesome Share Your Work Reuse What Others Built Focus on Creating Your Own New Thing
- 4. snyk.io Open Source Usage Has Exploded
- 5. snyk.io Open Source != Secure Open Source != Insecure Either!
- 9. snyk.io Attackers Are Targeting Open Source One vulnerability, many victims
- 10. snyk.io ~30% of Docker Hub images carry Known Vulnerabilities High Priority known vulnerabilites, to be exact Source: BanyanOps Analysis
- 11. snyk.io Docker Security Ubuntu usn Auto Sec Updates Fedora yum security Auto Sec Updates
- 12. snyk.io That’s OSS Binaries. What about OSS Packages?
- 13. snyk.io Just as Hacker-Friendly… 1. Vulnerabilities already found, and found often 2. Used everywhere - Millions downloads/month, in many orgs 3. Hard to update, due to deps chains, breakage & scattered use
- 14. snyk.io Let’s pick on Node
- 16. snyk.io >350,000 packages ~6B downloads/month >65,000 publishers npm usage Has Exploded
- 17. snyk.io Your App
- 20. snyk.io Each Dependency Is A Security Risk
- 21. snyk.io Do You Know Which Dependencies You Have?
- 22. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
- 23. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it underwent any Security Testing?
- 24. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it has any Known Vulnerabilities?
- 25. snyk.io Open Source is written by People
- 26. snyk.io Open Source is written by People Strangers
- 27. snyk.io
- 28. snyk.io
- 29. snyk.io Do you know, for EVERY SINGLE CONTRIBUTOR if they are Malicious?
- 30. snyk.io Do you know, for EVERY SINGLE CONTRIBUTOR if they’ve been Compromised?
- 31. snyk.io It’s a BIG Problem With no single, silver bullet solution
- 32. snyk.io First Step: Known Vulnerabilites
- 33. snyk.io ~14% of npm Packages Carry Known Vulnerabilities ~83% of Snyk users found vulns in their apps Source: Snyk data, Oct 2016
- 34. snyk.io Software Supply Chain Mandatory Josh Corman plug…
- 35. snyk.io 1. How do I protect myself?
- 36. snyk.io 1. How do I protect myself? 2. Can I learn from these vulns?
- 38. snyk.io JavaScript Takeaways • Consider all encodings • Notably HTML & URL Encoding • Better yet: Whitelist instead of Blacklist • Prevent long algorithm runs • Control Regexp input lengths • Don’t initialize Buffer with integers • Beware JSON type manipulations
- 39. snyk.io OSS Package Vulns are the new Unpatched servers
- 41. snyk.io OSS packages takeaway • Find vulnerabilities • Be sure to test ALL your applications • Fix vulnerabilities • Upgrade when possible, patch when needed • Prevent adding vulnerable module • Break the build, test in pull requests • Respond quickly to new vulns • Track vuln DBs, or use Snyk! </shameless plug>
- 42. snyk.io Not just Node/npm Impacts Open Source Packages, wherever they are
- 43. snyk.io Open Source Is Awesome
- 44. snyk.io Open Source Is Awesome Please Enjoy Responsibly
- 45. Join the conversation #devseccon Thank You! Guy Podjarny, Snyk @guypod