Node Day - Node.js Security in the Enterprise
•
4 likes•8,052 views
This document discusses Node.js security in the enterprise. It covers communicating security priorities between technical and business teams, gathering intelligence on vulnerabilities, and implementing technical controls like linting, testing, shrinkwrapping dependencies, and retire.js to detect vulnerable modules. It emphasizes that enterprises are responsible for vetting all dependencies and that the greatest vulnerability is often developers, so peer review is important.
Report
Share
Node Day - Node.js Security in the Enterprise
- 1. Node.js Security in the Enterprise
- 2. Hi, I’m Adam
- 7. Node.js Security in the Enterprise
- 8. Enterprise Security in 3 min Protect what makes you money Availability is security Measure & Iterate It's not about the vulnerability You will screw it up anyway
- 9. What this talk is about Being informed & Prepared ! The node security landscape ! It's all node's fault
- 10. Communication
- 11. Understand what the enterprise cares about, then do better.
- 12. The enterprise should understand you and do better.
- 13. Gathering Intel
- 16. Advisories
- 19. The Enterprise is responsible for what you require()
- 22. Test Cases You do this right?
- 24. npm shrinkwrap example curl -X POST https://nodesecurity.io/ validate/shrinkwrap -d @npmshrinkwrap.json -H "content-type: application/json"
- 25. retire.js Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules. http://bekk.github.io/retire.js/
- 26. What is the greatest vulnerability that you have in the enterprise?
- 27. Is it one of the .... OWASP Top 10?
- 28. Every Developer on your team.
- 29. Peer Review
- 30. Peer Review
- 31. Peer Review
- 32. Peer Review
- 33. Blame Node. It's just how we do things.™