NPM Security for Enterprise

TLDR;

Baseline assumptions

Necessary Risk

"Every tool is a weapon if you hold it right"

- Ani DiFranco

Recent security incidents

The formula is simple

How it works

  1. Find an unremarkable utility library - used by many, noticed by few
  2. Become a contributor / earn trust
  3. [optionally] Exploit maintainer fatigue / take over the repository
  4. Inject malware into a patch
  5. Wait for the infection to spread

Vue

React

Babel

ESLint

Webpack

Jest

Storybook

Vue CLI

all hope is not lost

Use smaller libraries

with fewer dependencies

BE CRITICAL

LET THE RIGHT ONE IN

Key factors

  • How old is the package?
  • How mature is the latest update?
  • Is there a readme?
  • Are there any known vulnerabilities in the library?
  • Does it have a SPDX compliant license?
  • Is it free for commercial use?
  • Is there a link to source code?

  "licenses": {
    "unknown": 4,
    "MIT": 945,
    "Apache-2.0": 26,
    "BSD-3-Clause": 26,
    "ISC": 89,
    "BSD-3-Clause OR MIT": 1,
    "undefined": 8,
    "(MIT OR Apache-2.0)": 1,
    "BSD-2-Clause": 13,
    "CC-BY-4.0": 1,
    "BSD": 1,
    "(AFL-2.1 OR BSD-3-Clause)": 1,
    "WTFPL": 3,
    "MIT/X11": 1,
    "(WTFPL OR MIT)": 1,
    "(BSD-2-Clause OR MIT OR Apache-2.0)": 1,
    "WTFPL OR ISC": 1,
    "CC-BY-3.0": 1,
    "CC0-1.0": 1,
    "Unlicense": 1,
    "(MIT OR CC0-1.0)": 1
  }
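The key-factor checklist and the license summary above, as an added worked example that is not code from the original talk: a Node.js script that scores a candidate package's registry metadata against each factor (age, time since the latest release, readme, known advisories, SPDX-parsable license, policy-allowed license, source link) and tallies licenses into the same "unknown"/"undefined" buckets the summary shows. The registry documents, the advisory list, the SPDX subset, the policy allowlist and the thresholds (180 days, 14 days, 730 days) are all constructed assumptions; in practice the documents come from the npm registry and the advisories from `npm audit`.

```javascript
// Added example, not code from the original talk: vets candidate npm packages against the
// "key factors" checklist and tallies licenses like the deck's summary. Every input below
// is CONSTRUCTED to resemble npm registry package documents; nothing is fetched.

// Subset of SPDX identifiers (constructed list; extend from spdx.org/licenses).
const SPDX_IDS = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC',
  'CC0-1.0', 'Unlicense', 'CC-BY-3.0', 'CC-BY-4.0', 'WTFPL', 'AFL-2.1', 'GPL-3.0-only']);
// Licenses a hypothetical organisation's policy accepts for commercial use (assumption).
const POLICY_ALLOWED = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause',
  'ISC', 'CC0-1.0', 'Unlicense']);
const DAY_MS = 86400e3;

// Normalise package.json's `license` field (string, {type}, or missing) to one string,
// using the same "unknown"/"undefined" buckets the deck's summary shows.
function licenseString(pkg) {
  const l = pkg.license;
  if (l === undefined) return 'undefined';
  if (l === null || l === '') return 'unknown';
  if (typeof l === 'object') return l.type || 'unknown';
  return String(l);
}

// Split a simple SPDX expression such as "(MIT OR Apache-2.0)" into its identifiers.
function spdxTerms(expr) {
  return expr.replace(/[()]/g, '').split(/\s+(?:OR|AND)\s+/)
    .map(s => s.trim()).filter(Boolean);
}

// Every term must be a real SPDX id; "MIT/X11", "BSD" and "unknown" fail this check.
function isSpdxCompliant(expr) {
  const terms = spdxTerms(expr);
  return terms.length > 0 && terms.every(t => SPDX_IDS.has(t));
}

// OR lets the consumer pick any allowed branch; AND requires every term to be allowed.
function isPolicyAllowed(expr) {
  const terms = spdxTerms(expr);
  if (terms.length === 0) return false;
  return /\bAND\b/.test(expr) ? terms.every(t => POLICY_ALLOWED.has(t))
                              : terms.some(t => POLICY_ALLOWED.has(t));
}

// Score one registry document against the checklist. `advisories` maps a package name to
// constructed advisory records; real data would come from `npm audit` or the registry.
function vetPackage(doc, advisories = {}, now = Date.now()) {
  const latest = doc['dist-tags'] && doc['dist-tags'].latest;
  const pkg = (doc.versions && doc.versions[latest]) || {};
  const createdDays = (now - Date.parse(doc.time && doc.time.created)) / DAY_MS;
  const releaseDays = (now - Date.parse(doc.time && doc.time[latest])) / DAY_MS;
  const lic = licenseString(pkg);
  const hits = (advisories[doc.name] || []).filter(a => a.affectedVersions.includes(latest));
  const repo = pkg.repository &&
    (typeof pkg.repository === 'string' ? pkg.repository : pkg.repository.url);
  const checks = {
    oldEnough: createdDays >= 180,        // package has existed for at least six months
    latestSettled: releaseDays >= 14,     // latest release has had time to be noticed
    notAbandoned: releaseDays <= 730,     // ...but is not two years stale
    hasReadme: typeof doc.readme === 'string' && doc.readme.trim().length > 0,
    noKnownVulns: hits.length === 0,
    spdxLicense: isSpdxCompliant(lic),
    licenseAllowed: isPolicyAllowed(lic),
    hasSourceLink: typeof repo === 'string' &&
      (/^(git\+)?(https?|git|ssh):\/\//.test(repo) || /^[\w.-]+\/[\w.-]+$/.test(repo)),
  };
  const failed = Object.keys(checks).filter(k => !checks[k]);
  return { name: doc.name, version: latest, license: lic,
           advisories: hits.map(a => a.id), failed, ok: failed.length === 0 };
}

// Tally licenses across a dependency tree's package.json objects (the deck's summary shape).
function summarizeLicenses(pkgs) {
  const counts = {};
  for (const pkg of pkgs) {
    const key = licenseString(pkg);
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample data with a fixed clock so the results are reproducible.
const NOW = Date.parse('2020-01-15T00:00:00Z');
const SAMPLE_REGISTRY = [
  { name: 'left-padish', 'dist-tags': { latest: '1.3.0' },
    time: { created: '2016-03-01T00:00:00Z', '1.3.0': '2019-11-01T00:00:00Z' },
    readme: '# left-padish\nPads strings.',
    versions: { '1.3.0': { license: 'MIT',
      repository: { type: 'git', url: 'git+https://github.com/example/left-padish.git' } } } },
  { name: 'shiny-new-util', 'dist-tags': { latest: '0.0.1' },   // three days old, no readme
    time: { created: '2020-01-12T00:00:00Z', '0.0.1': '2020-01-12T00:00:00Z' },
    readme: '', versions: { '0.0.1': { license: 'MIT/X11' } } },
  { name: 'old-helper', 'dist-tags': { latest: '2.0.4' },       // stale and has an advisory
    time: { created: '2014-05-05T00:00:00Z', '2.0.4': '2017-06-01T00:00:00Z' },
    readme: '# old-helper',
    versions: { '2.0.4': { license: '(WTFPL OR MIT)', repository: 'example/old-helper' } } },
];
const SAMPLE_ADVISORIES = {
  'old-helper': [{ id: 'CONSTRUCTED-ADVISORY-1', affectedVersions: ['2.0.3', '2.0.4'] }],
};

for (const doc of SAMPLE_REGISTRY) console.log(JSON.stringify(vetPackage(doc, SAMPLE_ADVISORIES, NOW)));
console.log(summarizeLicenses(SAMPLE_REGISTRY.map(d => d.versions[d['dist-tags'].latest])));
```

Run with `node vet.js`: `left-padish` passes every check, `shiny-new-util` fails age, settling time, readme, both license checks and the source link, and `old-helper` fails only on staleness and the constructed advisory. The thresholds are deliberately plain numbers so a team can tune them; the point is that each factor in the checklist becomes a boolean a CI job can gate on rather than a judgement made from memory at `npm install` time.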

Reduce, reuse, recycle

Update often

but not too often

Stand on the shoulders of giants

Remember: People (you + me) are our greatest security weaknesses

Do your best and try to have fun

NPM Security for Enterprise tldr;

By eightarmcode

Translating my experience securing NPM for enterprise into some usable tips for the individual developer