Developer's perspective on security
@naugtur, Node.js Meetup Berlin, 2019
My first 5 lines of JavaScript ever
```js
function kill(){
  setTimeout('kill',0)
  setTimeout('kill',0)
}
kill()
```
breaks Windows pre XP SP2
### Make it harder for the hacker
> In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability (...)
## Development Hardening
- no hacking knowledge required
- introduce new tools and practices
- close big gaps with little effort
### you are still responsible for your code
# Ok, so what's the threat
Injections
Malicious packages
Data theft
XSS
CSRF
RCE
RegExp DoS
Wait, did he say
MongoDB injections?
```js
Collection.find(req.query)
```
```
?id=1
?$where=sleep(20000)
```
Source:
Node.js Interactive talk
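As an added example (not code from the talk), a whitelisting guard that sits between `req.query` and `Collection.find()`; the field names, the fake collection and the sample inputs are assumptions made for illustration:

```javascript
// Added example (not code from the talk): a whitelist filter builder that
// sits between req.query and Collection.find(). The field names and the
// sample inputs are constructed for illustration.
//
// Express 4's default query parser (qs) turns
//   ?id=1                 into { id: '1' }
//   ?$where=sleep(20000)  into { $where: 'sleep(20000)' }
//   ?id[$ne]=x            into { id: { $ne: 'x' } }
// and MongoDB interprets the $-operators in the last two.

const ALLOWED_FIELDS = new Set(["id", "owner"]); // hypothetical whitelist

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Returns a filter that is safe to hand to Collection.find(), or throws.
// 1. keys may not be operators ('$where') or dotted paths ('a.$gt');
// 2. keys outside the whitelist are dropped, not forwarded;
// 3. values must be plain strings, so { $ne: ... } objects and arrays
//    from repeated parameters (?id=1&id=2) never reach the database.
function buildFilter(query) {
  if (!isPlainObject(query)) {
    throw new TypeError("query must be a plain object");
  }
  const filter = {};
  for (const [key, value] of Object.entries(query)) {
    if (key.startsWith("$") || key.includes(".")) {
      throw new Error(`rejected operator key: ${key}`);
    }
    if (!ALLOWED_FIELDS.has(key)) continue;
    if (typeof value !== "string") {
      throw new Error(`rejected non-string value for ${key}`);
    }
    filter[key] = value;
  }
  return filter;
}

// Stand-in for a Mongo collection that records what it was asked for,
// so the two call sites can be compared without a database.
function makeFakeCollection() {
  const calls = [];
  return { calls, find(filter) { calls.push(filter); return []; } };
}

// Before: the slide's one-liner. After: the same call behind buildFilter().
function findUnsafe(collection, req) { return collection.find(req.query); }
function findSafe(collection, req) { return collection.find(buildFilter(req.query)); }
```

With the guard in place, the `$where` request is rejected before any query is issued, while `?id=1` passes through unchanged.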
# Node.js
### dev hardening
Ok, I must say this.
## 1. Don't use `eval`
```
npm install --save-dev eslint-plugin-security
```
### some healthy paranoia
```js
const request = require("request")
const method = ???
const payload = "console.log('pwnd')"
request[method](payload)();
// prints 'pwnd', but how?
```
Not even an error
```
3:18 warning Function Call Object Injection Sink
```
### eval, eval everywhere
```js
const request = require("request")
const method = "constructor"
const payload = "console.log('pwnd')"
request[method](payload)();
```
### 2. postinstall scripts
- If you can:
```
npm install --ignore-scripts
```
- Anyway, don't run `npm install` in production.
```yml
script:
  - npm install
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```
### 3. audit dependencies
## 🎉 `npm audit fix`
Story time
Integrations team at Egnyte
more than 25 apps
mass maintenance
### 4. audit in CI
- run audit check in CI
- manage your security decisions
- no demo-day hangovers
- npm-audit-resolver
npm audit resolver
```
$ resolve-audit
lodash needs your attention.
[ low ] Prototype Pollution
vulnerable versions <4.17.5 found in:
- devDependencies: lodash
f) fix with npm install lodash
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do?
```
### npm audit resolver
I'm working with npm cli and security to make it a part of `npm audit`
- You can use it now
- Feedback welcome!
## All together now!
```yml
script:
  - npx -p eslint -p eslint-plugin-security eslint src/
  - npm install --production
  - npx -p npm-audit-resolver check-audit
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```
- [gitlabci-job-prototypes](https://www.npmjs.com/package/gitlabci-job-prototypes) - not even announced yet
- [secure-dependencies](https://www.npmjs.com/package/secure-dependencies) package can help if you're not on docker etc.
## Prevent XSS exploitation
Content Security Policy
- [my talk from 2014](https://naugtur.pl/pres2/csp/)
- [approachable docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Just a header to add to your app
### How to deploy CSP in a large legacy app
- `Content-Security-Policy-Report-Only` at first
- deploy with desired policy
- see what would fail
- fix app or loosen the policy
- switch to `Content-Security-Policy`
@naugtur
Look for slides here: naugtur.pl
I also do training...