Developer's perspective on security
@naugtur, meet.js Poznan, 2018
My first 5 lines of JavaScript ever
```js
// Each call schedules two more calls, so the timer queue doubles every tick.
// The string argument is evaluated like eval(): my first eval, on line 2.
function kill(){
  setTimeout('kill()', 0)
  setTimeout('kill()', 0)
}
kill()
```
breaks Windows pre XP SP2
### Make it harder for the hacker
> In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability (...)
## Development Hardening
- no hacking knowledge required
- introduce new tools and practices
- close big gaps with little effort
### you are still responsible for your code
Ok, I must say this.
## 1. Don't use `eval`
```
npm install --save-dev eslint-plugin-security
```
### some healthy paranoia
```js
const request = require("request")
const method = "constructor"
const payload = "console.log('pwnd')"
// `request` is a function, so request.constructor is Function.
// Function(payload) compiles the string; the trailing () runs it.
// That is eval(), without the word eval ever appearing in the source.
request[method](payload)();
```
ESLint's core `no-eval` rule does not flag this. eslint-plugin-security still does, as a warning:
```
3:18 warning Function Call Object Injection Sink
```
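The trick above generalizes: any time code indexes a function (or an object that inherits from one) with an attacker-chosen property name, `constructor` hands the attacker `Function`. The following is an added example, not code from the talk; `httpClient` is a stand-in for any function-valued module export such as `request`. It shows the sink, a guard that looks right but fails (`in`), and two guards that hold.

```javascript
'use strict';

// Stand-in for a function-valued module export such as `request`.
function httpClient(url) {
  return `GET ${url}`;
}
httpClient.get = (url) => `GET ${url}`;
httpClient.post = (url) => `POST ${url}`;

// Vulnerable: `name` is attacker-controlled. Every function inherits
// `.constructor === Function`, so name = 'constructor' makes this
// Function(arg), which compiles arbitrary source. No `eval` in sight.
function callUnsafe(target, name, arg) {
  return target[name](arg);
}

// Still vulnerable: `in` walks the prototype chain, so 'constructor',
// '__proto__', 'toString' and friends all pass the check.
function callWithInCheck(target, name, arg) {
  if (!(name in target)) throw new Error('no such method: ' + name);
  return target[name](arg);
}

// Hardened: accept only properties the object itself defines.
// `constructor` lives on Function.prototype, so it is rejected here.
function callOwnOnly(target, name, arg) {
  if (!Object.prototype.hasOwnProperty.call(target, name)) {
    throw new Error('no such method: ' + name);
  }
  return target[name](arg);
}

// Hardened, preferred: an explicit allowlist in a Map, so the object's
// prototype chain never takes part in the lookup at all.
const ALLOWED = new Map([
  ['get', httpClient.get],
  ['post', httpClient.post],
]);
function callAllowlisted(name, arg) {
  const fn = ALLOWED.get(name);
  if (fn === undefined) throw new Error('no such method: ' + name);
  return fn(arg);
}

// Run the attack against each variant and report what happened.
function demo() {
  const payload = "return 'pwnd in ' + typeof process"; // attacker-chosen string
  const outcome = {};
  outcome.unsafe = callUnsafe(httpClient, 'constructor', payload)();
  outcome.inCheck = callWithInCheck(httpClient, 'constructor', payload)();
  for (const [label, attempt] of [
    ['ownOnly', () => callOwnOnly(httpClient, 'constructor', payload)],
    ['allowlisted', () => callAllowlisted('constructor', payload)],
  ]) {
    try {
      attempt();
      outcome[label] = 'NOT blocked';
    } catch (e) {
      outcome[label] = 'blocked: ' + e.message;
    }
  }
  outcome.legit = callAllowlisted('get', '/health');
  return outcome;
}

console.log(demo());
```

The allowlist form is the one to reach for: it keeps working when the target object changes shape, and a static analyzer sees a constant Map instead of a computed member access.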
## 2. postinstall scripts
Any dependency can run arbitrary commands on your machine at install time through its `preinstall`, `install` and `postinstall` scripts.
- If you can:
```
npm install --ignore-scripts
```
(packages that need a build step, such as native addons, will not work without their install script, so check what breaks)
- Anyway, don't run `npm install` in production. Install once in CI and ship `node_modules/` as a build artifact (GitLab CI syntax):
```yml
script:
  - npm install
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```
## 3. audit dependencies
## 🎉 `npm audit fix`
Integrations team at Egnyte: 25 apps, mass maintenance
## 4. audit in CI
- run audit check in CI
- manage your security decisions
- no demo-day hangovers
- npm-audit-resolver
```
$ resolve-audit
lodash needs your attention.
[ low ] Prototype Pollution
vulnerable versions <4.17.5 found in:
- devDependencies: lodash
f) fix with npm install lodash@4.17.5
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do?
```
### npm audit resolver
I'm working with npm cli and security to make it a part of `npm audit`
- You can use it now
- Feedback welcome!
## All together now!
```yml
script:
  - npx -p eslint -p eslint-plugin-security eslint src/
  - npm install --production
  - npx -p npm-audit-resolver check-audit
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```
`--production` skips devDependencies; it does not skip install scripts, so add `--ignore-scripts` here too when your dependencies allow it.
also check out [`secure-dependencies`](https://www.npmjs.com/package/secure-dependencies) package
## Prevent XSS exploitation
Content Security Policy
- [my talk from 2014](https://naugtur.pl/pres2/csp/)
- [approachable docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Just a header to add to your app
### How to deploy CSP in a large legacy app
- start with `Content-Security-Policy-Report-Only`: the browser reports violations but blocks nothing
- deploy it with the policy you actually want
- collect the reports and see what would fail
- fix the app or loosen the policy
- switch to `Content-Security-Policy`
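The report-only phase only pays off if you can read the reports. The code below is an added example, not from the talk: it builds the header for either phase and aggregates the JSON reports browsers POST to `report-uri`, so the noisiest gaps (inline scripts, a forgotten CDN) surface first. The `/csp-report` endpoint and the sample reports are constructed for the example.

```javascript
'use strict';

// Build the header pair for one phase of the rollout.
// directives: { 'script-src': ["'self'", 'https://cdn.example.net'], ... }
function buildCspHeader(directives, { reportOnly = false, reportUri = null } = {}) {
  const parts = Object.entries(directives).map(([d, sources]) => `${d} ${sources.join(' ')}`);
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return [name, parts.join('; ')];
}

// Parse one report body the browser POSTed (Content-Type: application/csp-report).
// Returns null for anything malformed so a bad client cannot crash the collector.
function parseReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // Older browsers put the whole directive ("script-src 'self'") in violated-directive;
  // keep only the directive name so both shapes aggregate together.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  if (!directive) return null;
  return {
    directive,
    blocked: String(r['blocked-uri'] || ''),   // 'inline', 'eval', or a URL
    page: String(r['document-uri'] || ''),
  };
}

// Aggregate raw bodies into (directive, blocked source) counts, noisiest first.
function summarize(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const rep = parseReport(body);
    if (!rep) continue;
    const key = `${rep.directive} ${rep.blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts]
    .map(([key, count]) => ({ key, count }))
    .sort((a, b) => b.count - a.count || (a.key < b.key ? -1 : 1));
}

// Constructed sample reports, shaped like what browsers send to report-uri.
function fakeReport(directive, blocked) {
  return JSON.stringify({
    'csp-report': {
      'document-uri': 'https://app.example/orders',
      'violated-directive': directive,
      'effective-directive': directive,
      'blocked-uri': blocked,
      'original-policy': "default-src 'self'; report-uri /csp-report",
    },
  });
}
const SAMPLE_REPORTS = [
  fakeReport('script-src', 'inline'),
  fakeReport('script-src', 'inline'),
  fakeReport('script-src', 'inline'),
  fakeReport('script-src', 'https://cdn.example.net/lib.js'),
  fakeReport('img-src', 'http://legacy.example/logo.png'),
  'not json at all', // a broken client; must be ignored, not fatal
];

// Phase 1: report only. Phase 2: same policy, enforced.
const POLICY = { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.net'] };
console.log(buildCspHeader(POLICY, { reportOnly: true, reportUri: '/csp-report' }));
console.log(summarize(SAMPLE_REPORTS));
console.log(buildCspHeader(POLICY, { reportUri: '/csp-report' }));
```

With a summary like this in hand the "fix app or loosen the policy" step becomes concrete: three inline-script hits on one page point at a template to refactor (or hash), while a single hit on `http://legacy.example` is usually a mixed-content bug to fix rather than a source to allow.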