[lili:/~]$ npm install disaster-waiting-to-happen

@lilianakastilio

Important information about your ________ account

12th June 2012

6.5 million accounts compromised

18th May 2016

117 million accounts compromised

£1500

BARGAIN!

 

 

LAST

MONTH...

 

25th March

150 million accounts compromised

4.6% drop in share prices

More info: bit.ly/forbes-myfitnesspal

  • 5% stock price drop

  • 7% loss of customers

  • 31% discontinued relationships

THE IMPACT OF DATA BREACHES ON REPUTATION & SHARE VALUE

More info: ​http://bit.ly/breach-effects

TWO

WEEKS AGO...

 

#DRUPALGEDDON2

bit.ly/drupalgeddon2

Remote Code Execution

CVE-2018-7600

LAST

WEEK...

NEXT

WEEK?

Even the best engineers can introduce security issues

      We potentially bring in new vulnerabilities with every PR.

Typical application can have 100s or even 1,000s of dependencies

Open Source

"given enough eyeballs all bugs are shallow"

Eric Raymond

If you have not put effort into securing your code, it is

not secure.

16.8% of maintainers say their security knowledge is good

43.7% have never conducted a security audit on their code.

What is the impact of using Open Source modules?

  • server side rendered

  • markdown support for FAQ

  • stack: server side rendered React with Next.js and Express

EXAMPLE: WEB APP UTILISING SPOTIFY API

{
  "dependencies": {
    "body-parser": "1.8.4",
    "compression": "1.6.2",
    "express": "4.8.4",
    "express-session": "1.14.2",
    "lodash": "4.17.4",
    "moment": "2.17.1",
    "next": "4.2.2",
    "path-match": "^1.2.4",
    "react-bootstrap": "^0.30.7",
    "react-router": "^3.0.2",
    "superagent": "^3.4.0",
    "url": "^0.11.0",
    "debug": "2.6.7",
    "tough-cookie": "2.3.3",
    "marked": "0.3.9"
  },
  "devDependencies": {
    "eslint": "3.13.1",
    "eslint-config-semistandard": "7.0.0",
    "eslint-config-standard": "6.2.1",
    "eslint-plugin-import": "2.2.0",
    "eslint-plugin-promise": "3.4.0",
    "eslint-plugin-standard": "2.0.1",
    "nodemon": "1.11.0"
  }
}

17vulnerabilities

  • Regular Expression Denial of Service (ReDoS) in fresh

  • Regular Expression Denial of Service (ReDoS) in marked

  • Regular Expression Denial of Service (DoS) in negotiator

  • Directory Traversal in next

  • Prototype Override Protection Bypass in qs

HIGH SEVERITY

  • Directory Traversal in send
  • Root Path Disclosure in send
  • Open Redirect in serve-static
  • Prototype Pollution in lodash
  • Regular Expression Denial of Service (ReDoS) in mime, moment, ms, debug
  • Root Path Disclosure in serve-static
  • Prototype Pollution in hoek
  • Uninitialized Memory Exposure in tunnel-agent

MEDIUM & LOW SEVERITY

  • npm +57%

  • Rubygems +10%

  • Python +32%

  • Maven +28%

INCREASE IN PUBLISHED PACKAGES 2017

Vulnerabilities increased by 43.7% in 2016

Further increase

of 39.1% in 2017

CORE APP

3RD PARTY CODE

We have to make it very difficult for attackers to find a way in

1. Make security part of your process

  1. Does it do what you want?

  2. Is it well maintained and documented?

  3. Is is actively used?

  4. __________________?

 

PICKING THE RIGHT TOOL FOR THE JOB:

Does it or it's dependencies bring in known vulnerabilities?

2. Know where to find vulnerabilities information

National Vulnerability Database (NVD)

https://nvd.nist.gov

Victims CVE DB

Python + Java

https://github.com/victims/victims-cve-db

JS Vuln DB

JavaScript

https://github.com/tunz/js-vuln-db

Node.js Security Working Group

https://github.com/nodejs/security-wg

Snyk

Vulnerability DB

https://snyk.io/vuln

3. Keep your dependencies updated

(have a policy to update all dependencies every X days)

4. OWASP top 10 security risks

(Open Web Application Security Project)

More info: bit.ly/owasp-2017

5. Prepare an incident response plan

So

Now

You

Know

  1. Monitors your repo

  2. Upgrade or patch modules

  3. Commit status checks

  4. Notifications via Slack or Email

  5. CLI + Web

Core functionality:

SNYK DEMO

Thanks!

Ping me questions to:

@lilianakastilio or lili@snyk.io

Made with Slides.com