Liliana Kastilio
Technical Services Architect at @snyksec #typescript ♥ ❯ Organiser of @devs_london ❯ Polyglot ❯ dnb ♥ ❯ aerialist ❯ she/her #javascript #nodejs #python #django
[lili:/~]$ npm install disaster-waiting-to-happen
@lilianakastilio
Important information about your ________ account
12th June 2012
6.5 million accounts compromised
18th May 2016
117 million accounts compromised
£1500
BARGAIN!
LAST
MONTH...
25th March
150 million accounts compromised
4.6% drop in share prices
More info: bit.ly/forbes-myfitnesspal
-
5% stock price drop
-
7% loss of customers
-
31% discontinued relationships
THE IMPACT OF DATA BREACHES ON REPUTATION & SHARE VALUE
More info: http://bit.ly/breach-effects
TWO
WEEKS AGO...
#DRUPALGEDDON2
bit.ly/drupalgeddon2
Remote Code Execution
CVE-2018-7600
LAST
WEEK...
NEXT
WEEK?
Even the best engineers can introduce security issues
We potentially bring in new vulnerabilities with every PR.
Typical application can have 100s or even 1,000s of dependencies
Open Source
"given enough eyeballs all bugs are shallow"
Eric Raymond
If you have not put effort into securing your code, it is
not secure.
16.8% of maintainers say their security knowledge is good
43.7% have never conducted a security audit on their code.
What is the impact of using Open Source modules?
-
server side rendered
-
markdown support for FAQ
-
stack: server side rendered React with Next.js and Express
EXAMPLE: WEB APP UTILISING SPOTIFY API
{
"dependencies": {
"body-parser": "1.8.4",
"compression": "1.6.2",
"express": "4.8.4",
"express-session": "1.14.2",
"lodash": "4.17.4",
"moment": "2.17.1",
"next": "4.2.2",
"path-match": "^1.2.4",
"react-bootstrap": "^0.30.7",
"react-router": "^3.0.2",
"superagent": "^3.4.0",
"url": "^0.11.0",
"debug": "2.6.7",
"tough-cookie": "2.3.3",
"marked": "0.3.9"
},
"devDependencies": {
"eslint": "3.13.1",
"eslint-config-semistandard": "7.0.0",
"eslint-config-standard": "6.2.1",
"eslint-plugin-import": "2.2.0",
"eslint-plugin-promise": "3.4.0",
"eslint-plugin-standard": "2.0.1",
"nodemon": "1.11.0"
}
}
17vulnerabilities
-
Regular Expression Denial of Service (ReDoS) in fresh
-
Regular Expression Denial of Service (ReDoS) in marked
-
Regular Expression Denial of Service (DoS) in negotiator
-
Directory Traversal in next
-
Prototype Override Protection Bypass in qs
HIGH SEVERITY
- Directory Traversal in send
- Root Path Disclosure in send
- Open Redirect in serve-static
- Prototype Pollution in lodash
- Regular Expression Denial of Service (ReDoS) in mime, moment, ms, debug
- Root Path Disclosure in serve-static
- Prototype Pollution in hoek
- Uninitialized Memory Exposure in tunnel-agent
MEDIUM & LOW SEVERITY
-
npm +57%
-
Rubygems +10%
-
Python +32%
-
Maven +28%
INCREASE IN PUBLISHED PACKAGES 2017
Vulnerabilities increased by 43.7% in 2016
Further increase
of 39.1% in 2017
CORE APP
3RD PARTY CODE
We have to make it very difficult for attackers to find a way in
1. Make security part of your process
-
Does it do what you want?
-
Is it well maintained and documented?
-
Is is actively used?
-
__________________?
PICKING THE RIGHT TOOL FOR THE JOB:
Does it or it's dependencies bring in known vulnerabilities?
2. Know where to find vulnerabilities information
National Vulnerability Database (NVD)
https://nvd.nist.gov
Victims CVE DB
Python + Java
https://github.com/victims/victims-cve-db
JS Vuln DB
JavaScript
https://github.com/tunz/js-vuln-db
Node.js Security Working Group
https://github.com/nodejs/security-wg
Snyk
Vulnerability DB
https://snyk.io/vuln
3. Keep your dependencies updated
(have a policy to update all dependencies every X days)
4. OWASP top 10 security risks
(Open Web Application Security Project)
More info: bit.ly/owasp-2017
5. Prepare an incident response plan
So
Now
You
Know
-
Monitors your repo
-
Upgrade or patch modules
-
Commit status checks
-
Notifications via Slack or Email
-
CLI + Web
Core functionality:
SNYK DEMO
Thanks!
Ping me questions to:
@lilianakastilio or lili@snyk.io
npm install disaster-waiting-to-happen
By Liliana Kastilio
