Web Directions Code, 2019-06-20
Read these slides on your own device:
Who is this guy?
Chief Data Officer & co-founder, npm Inc.
What are we talking about?
- Major incident case studies
- Using npm more securely
This talk is kind of a downer
I curse like a drunken sailor
I'm not actually sorry.
developers use npm
1 million packages
12 billion weekly downloads
26,000% growth since 2014
of the code in a modern web app is downloaded from npm
- A modern web app will use > 2,000 packages
- A big company will use > 25,000 packages
But it's not free.
npm is a security company
npm survey: are you concerned about security?
What is a security failure?
A thing that steals data?
A thing that takes your site down?
Anything that can allow a malicious act to hurt users is a security failure
Even if nobody gets hurt.
I cannot teach you how to write secure code
At least, not for this kind of money.
Secure code is the same across all languages:
- Defense in depth
- Input validation
- Angry bears 🐻
- Denial of service
- Malicious packages
- Accidental vulnerabilities
- Social engineering
- Compliance failures
Drop bears: the silent killer
Denial of Service
Registry uptime 2016-present:
Malicious packages are less than 0.1% of publishes
and less than 0.005% of packages (because we delete them)
33% of npm installs include vulnerable packages
The financial industry: a security analysis of the big 8 banks
- 23 million downloads
- 22,563 unique packages
- 824 vulnerabilities (3% of packages)
- 55 critical vulnerabilities (7% of vulnerabilities)
I don't want to be alarmist but this is alarming
You ship code from thousands of strangers to production every day
it's funny but nobody likes it
The banks are at it again
100% compliance failure at 8 of the world's biggest banks
Why is this so hard?
You can't just hope
You can't use
for 25,000 packages
Blacklists and whitelists
will not work for you
- Bears: 🙄
- Uptime: 😐
- Malicious code: 😕
- Accidental vulnerabilities: 😳
- Social engineering: 😱
- Compliance failures: 🤯
Security case studies:
Case 1: left-pad
It padded. Left.
Somebody already had a package called kik
Package name transfers are usually very friendly!
A policy failure
Azer took his toys and went home
He turned out to have a LOT of toys.
Ok, the purpose of this license is simple and you just DO WHAT THE FUCK YOU WANT TO.
This is the full text of the WTFPL.
supported by Node.js and every browser except Internet Explorer
Reliability is security
New unpublish policy
left-pad was an uptime problem
Case 2: eslint
It didn't work
2FA is not enough
Lesson 1: Supply chain attacks are real
We hadn't seen one before!
2FA needs enforcement
eslint was a design failure
Case 3: event-stream
The event-stream attack
- Gain credibility by helping
- Gain legitimate control of package
- Add malicious payload
11 million developers are a great detection system
Lesson 2: Maintainer burnout is an attack vector
event-stream was a social failure
Case 4: electron-native-notify
Another helpful black hat
- Create useful package
- Submit PR adding useful package
- Package is integrated into victim
- Add malicious payload in minor update
Lesson: contributors can be malicious
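The pattern above (a useful package gets adopted, then a later minor release carries the payload) is something a consumer can partly defend against at the manifest and lock-file level. The following is an added example, not code from the talk or from npm: it flags `package.json` specs that would let a newer minor or patch release be installed without review, and `package-lock.json` entries that carry no `integrity` hash. Both manifests are constructed; the package names, versions and hashes are made up, and the lock layout assumed is the npm 6 style with nested `dependencies` maps.

```javascript
// Added example (not from the talk or from npm): two defender-side checks
// against the "malicious payload in a minor update" pattern. Both manifests
// below are CONSTRUCTED; package names, versions and hashes are made up.
//   1. floatingDependencies: which package.json specs would let npm pull a
//      newer minor/patch release than the one you reviewed?
//   2. unverifiedLockEntries: which package-lock.json entries have no
//      "integrity" hash, so the fetched tarball is not checked against
//      what was locked? (assumes npm 6 lock layout: nested "dependencies")

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Classify a dependency spec: an exact version, a range that floats, or a
// git/http/file source that bypasses the registry entirely.
function classifySpec(spec) {
  if (EXACT_VERSION.test(spec)) return "pinned";
  if (/^(git\+|git:|https?:|github:|file:)/.test(spec)) return "external";
  return "floating";
}

// Every non-pinned spec across the dependency fields npm installs from.
function floatingDependencies(manifest) {
  const flagged = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(String(spec));
      if (kind !== "pinned") flagged.push({ field, name, spec, kind });
    }
  }
  return flagged;
}

// Walk the (nested) lock tree and report entries without an integrity hash.
function unverifiedLockEntries(lock) {
  const missing = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix}>${name}` : name;
      if (!entry.integrity) missing.push({ path, version: entry.version });
      walk(entry.dependencies, path); // transitive deps nest under each entry
    }
  };
  walk(lock.dependencies, "");
  return missing;
}

// Constructed package.json.
const sampleManifest = {
  name: "example-app",
  dependencies: {
    "example-notify": "^1.1.0", // caret: any 1.x.y >= 1.1.0 may be installed
    "example-pinned": "2.0.0",  // exact version
    "example-any": "*",         // anything at all
  },
  devDependencies: {
    "example-fork": "git+https://example.invalid/fork.git", // not from the registry
  },
};

// Constructed package-lock.json (npm 6 layout); hashes are placeholders.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "example-notify": { version: "1.1.3", integrity: "sha512-CONSTRUCTEDHASH1" },
    "example-pinned": {
      version: "2.0.0",
      integrity: "sha512-CONSTRUCTEDHASH2",
      dependencies: { "example-inner": { version: "0.3.1" } }, // no integrity
    },
  },
};

console.log("floating specs:", floatingDependencies(sampleManifest));
console.log("lock entries without integrity:", unverifiedLockEntries(sampleLock));
```

A git or URL spec is reported as `external` rather than `floating` because it skips the registry (and `npm audit`) entirely even when it points at a fixed commit; pinning exact versions does not remove the need to review what you pin, it only stops the next release from arriving uninvited.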
"I'm definitely not a threat."
What is npm doing about all of this?
Team A | Team B
The unpublish policy
The registry is immutable...ish
335,775,921 audits last 30 days
often tells you to run npm
npm audit fix
Semantic Versioning (SemVer)
npm audit fix
npm best practices:
audit in tests
npm config set audit-level severe
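"Audit in tests" means a build should fail, not just warn, when the report crosses a severity threshold. The following added example (not npm's own code, and not from the talk) shows that gate as a small Node script over the output of `npm audit --json`. The report shape is a simplified, constructed version of the npm 6 `advisories` format, the advisory ids and package names are made up, and the severity names (info, low, moderate, high, critical) are assumed to be the ones npm uses for its audit levels.

```javascript
// Added example (not npm's own code): fail a test/CI run when `npm audit --json`
// reports advisories at or above a chosen severity, which is what npm's own
// audit-level setting does. The report shape is a simplified, CONSTRUCTED
// version of the npm 6 "advisories" output; real reports carry more fields.
// Advisory ids and package names below are made up.

// Severity names as used by npm audit, lowest to highest (assumed ordering).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: a few findings across severities.
const sampleReport = {
  advisories: {
    "1001": {
      module_name: "example-pad",
      severity: "low",
      title: "Regular expression denial of service",
      findings: [{ version: "1.0.0", paths: ["example-pad"] }],
    },
    "1002": {
      module_name: "example-stream",
      severity: "critical",
      title: "Malicious code added in a minor release",
      findings: [{ version: "3.3.6", paths: ["build-tool>example-stream", "other-tool>example-stream"] }],
    },
    "1003": {
      module_name: "example-parser",
      severity: "moderate",
      title: "Prototype pollution",
      findings: [{ version: "2.1.0", paths: ["example-parser"] }],
    },
  },
};

// Return every advisory whose severity is at or above `auditLevel`, highest
// first, with the dependency paths that pull it in. Unknown severities are
// treated as failing so the gate never fails open on a new label.
function auditGate(report, auditLevel) {
  const threshold = SEVERITY_RANK[auditLevel];
  if (threshold === undefined) {
    throw new Error(`unknown audit level: ${auditLevel}`);
  }
  const failing = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const rank = adv.severity in SEVERITY_RANK ? SEVERITY_RANK[adv.severity] : Infinity;
    if (rank < threshold) continue;
    failing.push({
      id,
      rank,
      name: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      // Flatten the per-version findings into one list of dependency paths.
      paths: (adv.findings || []).flatMap((f) => f.paths || []),
    });
  }
  failing.sort((a, b) => b.rank - a.rank);
  return { ok: failing.length === 0, failing };
}

// Parse raw `npm audit --json` text, print the offenders, and return the
// process exit code a test runner should use.
function exitCodeForAudit(jsonText, auditLevel) {
  const result = auditGate(JSON.parse(jsonText), auditLevel);
  for (const f of result.failing) {
    console.error(`[${f.severity}] ${f.name} (advisory ${f.id}): ${f.title}`);
    for (const p of f.paths) console.error(`    via ${p}`);
  }
  return result.ok ? 0 : 1;
}

// Stand-alone run against the constructed report, gating at "high".
console.log(`exit code at level high: ${exitCodeForAudit(JSON.stringify(sampleReport), "high")}`);
```

To wire this into `npm test`, pipe the real `npm audit --json` output into a script that reads stdin, calls `exitCodeForAudit` with the team's chosen level, and exits with the returned code; the dependency paths in the output tell you which direct dependency to upgrade or replace when `npm audit fix` cannot resolve the finding within SemVer.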
- 7% of maintainers have 2FA enabled
- > 50% of downloads are 2FA protected
- 2FA enforcement is available
- 2FA enrollment grew 360% in 6 months
Automatic token revocation
From the npm Registry and GitHub
Author package signing?
The Report Vulnerability button
The npm Security Team
Automated threat detection
Single Sign-On (SSO)
- Share and discover internal JS
- Full search
- Package pages and online docs
- SSO (Google, Okta, Auth0, etc.)
- Security and compliance reporting
✨ mAcHiNe LeArNiNg ✨
Fuck static analysis
What about the blockchain?
Do not get me started about the blockchain.
Improving social signals is a problem you can fix
Security is hard
Your paranoia is justified
They really are out to get you.
I ❤️ you