
JavaScript Developers and Security
WaffleJS, 2018-05-29
Who is this guy?
Laurie Voss, COO, npm Inc.
@seldo

Why talk about security?
Compared to last year:
- We know a lot more
- We do a lot more
Security in JavaScript
is important because
JavaScript is important

95% of the code in a modern web app is downloaded from npm
77% of developers
are concerned about the security of OSS

58% were not satisfied
with the tools available to evaluate security

7% DGAF
Developers who think tools for evaluating security aren't good enough but aren't concerned.

Devs are concerned
about the security of the code they write themselves
People trust open source code more than their own code
87% to 77%
Attitudes to security change as developers gain experience
Experience => security

Do experienced devs leave JavaScript?
95% of developers say they plan to use JavaScript the same or more this year
What else do more experienced people do more often?
Experience creates best practices

Security is a thing experienced devs do

What does "doing security" look like?
Using npm to improve your security
npm install npm -g
The current version of npm is 6.1.0
Security alerts
and npm audit
You're already using them
> npm install
added 742 packages from 472 contributors and audited 4637 packages in 25.362s
found 274 vulnerabilities (248 low, 16 moderate, 10 high)
You tell us what you're going to install
So we can tell you if it's a good idea
We bought a security company: the Node Security Platform

How does npm make money?
- Private package hosting
- Security scanning and reporting
npm Enterprise
will keep your JavaScript secure

Tom says: "Call me!"
This is scary.
How do I fix it?
> npm install
added 742 packages from 472 contributors and audited 4637 packages in 25.362s
found 274 vulnerabilities (248 low, 16 moderate, 10 high)
npm audit
npm audit output

npm audit is not just a scan
Because scans are kind of annoying.
npm audit includes instructions to fix the vulnerability

But why do stuff when you can get robots to do stuff?
npm audit fix
will fix your software for you
> npm audit fix
+ nodemon@1.17.5
+ express@4.16.3
added 184 packages from 88 contributors, removed 13 packages and updated 31 packages in 20.612s
fixed 23 of 274 vulnerabilities in 4637 scanned packages
npm audit fix
obeys SemVer
(by default)
npm audit fix --force
will bring in breaking changes to fix it
> npm audit fix --force
+ joi@13.3.0
+ next@6.0.3
added 205 packages from 122 contributors, removed 127 packages,
updated 130 packages and moved 3 packages in 48.436s
fixed 267 of 267 vulnerabilities in 5707 scanned packages
2 package updates for 251 vulns involved breaking changes
(installed due to `--force` option)
Keep fixing until entirely fixed
> npm audit fix
updated 2 packages in 4.726s
fixed 18 of 18 vulnerabilities in 6289 scanned packages
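One way to act on this in a CI job, as an added example that is not from the talk or from npm itself: a Node script that reads an `npm audit --json` report (assumed here to be the npm 6 shape, with a constructed sample standing in for real output), fails the build while anything above a chosen severity remains, and separates the fixes plain `npm audit fix` can apply from those that need `--force`.

```javascript
// Added example, not from the talk: a CI gate over `npm audit --json` output.
// Assumes the npm 6 report shape: metadata.vulnerabilities holds counts per
// severity, and each actions[] entry carries isMajor when the fix is a
// breaking (major) upgrade that `npm audit fix` only applies with --force.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report using the counts and packages shown on the slides.
const sampleReport = {
  actions: [
    { action: 'update', module: 'express', target: '4.16.3', isMajor: false,
      resolves: [{ id: 1, path: 'express', dev: false }] },
    { action: 'install', module: 'next', target: '6.0.3', isMajor: true,
      resolves: [{ id: 2, path: 'next>hoek', dev: false }] },
    { action: 'review', module: 'hoek',
      resolves: [{ id: 3, path: 'other>hoek', dev: true }] },
  ],
  metadata: { vulnerabilities: { info: 0, low: 248, moderate: 16, high: 10, critical: 0 } },
};

// Number of findings at or above a severity threshold.
function countAtOrAbove(report, threshold) {
  const counts = report.metadata.vulnerabilities;
  const floor = SEVERITY_ORDER.indexOf(threshold);
  if (floor < 0) throw new Error(`unknown severity: ${threshold}`);
  return SEVERITY_ORDER.slice(floor).reduce((n, s) => n + (counts[s] || 0), 0);
}

// Split actions into what plain `npm audit fix` applies (SemVer-compatible),
// what needs `npm audit fix --force` (major bumps), and what has no automatic
// fix and must be reviewed by hand.
function classifyActions(report) {
  const out = { auto: [], breaking: [], manual: [] };
  for (const a of report.actions || []) {
    if (a.action === 'review') out.manual.push(a.module);
    else if (a.isMajor) out.breaking.push(`${a.module}@${a.target}`);
    else out.auto.push(`${a.module}@${a.target}`);
  }
  return out;
}

// CI policy: fail the build while anything at or above `threshold` remains,
// and report which fixes are automatic, breaking, or manual.
function auditGate(report, threshold = 'high') {
  const blocking = countAtOrAbove(report, threshold);
  return { pass: blocking === 0, blocking, ...classifyActions(report) };
}

console.log(JSON.stringify(auditGate(sampleReport, 'high'), null, 2));
```

To use it on a real project, pass the parsed output of `npm audit --json` to `auditGate` in place of the sample and exit non-zero when `pass` is false.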
WOW
Right?
All npm packages are signed now
Two-factor authentication
is available for every account
Publish alerts
by email
whether you like them or not

Stop running
rm -rf node_modules; npm install
instead run
npm ci
npm ci is 2-3x faster than npm install
This has nothing to do with security, it's just neat.
Summing up:
- Security is a big deal
- npm audit does security now
- npm audit fix will fix your software
- holy cow
- did you say it will fix my software?
- I did, Bob
- holy cow
Thank you!
Get these slides here:
Ask me questions or say hi on Twitter:
Useful links that I didn't talk about but you get because you downloaded the slides:
More about npm audit:
https://docs.npmjs.com/getting-started/running-a-security-audit
npm ci
https://docs.npmjs.com/cli/ci
two factor auth:
https://docs.npmjs.com/getting-started/using-two-factor-authentication
npm hooks (bonus feature!)
https://docs.npmjs.com/cli/hook
npm signs all tarballs now
https://blog.npmjs.org/post/172999548390/new-pgp-machinery
we acquired a security company
https://blog.npmjs.org/post/172793182214/npm-acquires-lift-security-and-node-security