Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
@liran_tal
github.com/lirantal
src: https://snyk.io/opensourcesecurity-2019
Small World with High Risks: A Study of Security Threats in the npm Ecosystem (USENIX Security 2019)
src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman
Jan 2017
$ npm install crossenv --save
crossenv/package.json
crossenv/package-setup.js
src: https://snyk.io/vuln
May 2018
mailparser
└── http-fetch-cookies
    └── express-cookies
        └── getcookies
Jul 2018
src: https://github.com/ChALkeR/notes
Nov 2018
src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor
Rolling out security fixes
The security blindspot of lockfile attack vectors
src: https://npmjs.com/package/lockfile-lint
$ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
By Liran Tal
With a great ecosystem comes great responsibility, and application security is not one to wave off. Let's review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects, covering OWASP Top 10 issues such as injection attacks and secure dependency management. Finally, we will review the work and initiatives that the Node.js Security Working Group has been taking to ensure a more secure future for Node.js.