Developer's perspective on security
@naugtur, meet.js Poznan, 2018
breaks Windows pre XP SP2
### Make it harder for the hacker
> In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability (...)
## Development Hardening
- no hacking knowledge required
- introduce new tools and practices
- close big gaps with little effort
### you are still responsible for your code
Ok, I must say this.
## 1. Don't use `eval`
```sh
npm install --save-dev eslint-plugin-security
```
### some healthy paranoia
```js
const request = require("request")
const method = "constructor"
const payload = "console.log('pwnd')"
```
No longer an error
```
3:18 warning Function Call Object Injection Sink
```
### 2. postinstall scripts
- If you can: `npm install --ignore-scripts`
- Anyway, don't run `npm install` in production.
- npm install
### 3. audit dependencies
## 🎉 `npm audit fix`
Integrations team at Egnyte
### 4. audit in CI
- run audit check in CI
- manage your security decisions
- no demo-day hangovers
### npm audit resolver
I'm working with npm cli and security to make it a part of `npm audit`
- You can use it now
- Feedback welcome!
## All together now!
- `npx -p eslint -p eslint-plugin-security eslint src/`
- `npm install --production`
- `npx -p npm-audit-resolver check-audit`
Also check out the [`secure-dependencies`](https://www.npmjs.com/package/secure-dependencies) package.
## Prevent XSS exploitation
Content Security Policy
- [my talk from 2014](https://naugtur.pl/pres2/csp/)
- [approachable docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Just a header to add to your app
### How to deploy CSP in a large legacy app
- `Content-Security-Policy-Report-Only` at first
- deploy with desired policy
- see what would fail
- fix app or loosen the policy
- switch to `Content-Security-Policy`
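The staged rollout above, as an added example that is not from the talk: one policy, two header names, plus a helper that reduces the violation reports browsers POST to `report-uri` to the directive that fired and the origin that was blocked. The policy values, the `/csp-report` path and the sample report are constructed for illustration.

```javascript
// Added example (not from the talk): staged CSP rollout helpers for a Node app.
// Policy values, the /csp-report endpoint and the sample report are constructed here.
const REPORT_ONLY = "Content-Security-Policy-Report-Only";
const ENFORCE = "Content-Security-Policy";

// Serialize a policy object into a header value, e.g.
// { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"] }
// Directives with no values (e.g. "upgrade-insecure-requests": []) emit the bare name.
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Steps 1 and 5 of the rollout: same policy, different header name.
// reportOnly=true only reports violations; false makes the browser block them.
function cspMiddleware(directives, { reportOnly, reportUri }) {
  const value = buildPolicy({ ...directives, "report-uri": [reportUri] });
  const header = reportOnly ? REPORT_ONLY : ENFORCE;
  return function (req, res, next) {
    res.setHeader(header, value);
    next();
  };
}

// Steps 3 and 4: browsers POST a JSON body {"csp-report": {...}} to report-uri.
// Reduce a report to {directive, blocked} so violations can be counted before
// deciding whether to fix the app or loosen the policy.
function summarizeReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r) throw new Error("not a CSP violation report");
  const directive = (r["effective-directive"] || r["violated-directive"]).split(" ")[0];
  let blocked = r["blocked-uri"];
  try { blocked = new URL(blocked).origin; } catch (_) { /* 'inline', 'eval', 'data' stay as-is */ }
  return { directive, blocked };
}

// Constructed sample: a legacy page loads a third-party script the policy did not list.
const SAMPLE_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "https://app.example.com/",
  "violated-directive": "script-src 'self' https://cdn.example.com",
  "effective-directive": "script-src",
  "blocked-uri": "https://cdn-untracked.example.net/widget.js"
} });

console.log(summarizeReport(SAMPLE_REPORT));
```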
```
lodash needs your attention.
[ low ] Prototype Pollution
vulnerable versions <4.17.5 found in:
- devDependencies: lodash
f) fix with npm install lodash
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
What would you like to do?
```