Zbyszek Tenerowicz

Honest JavaScript and Node.js training
WWW: naugtur.pl
Contact: naugtur@gmail.com

Training offer

Defensive Coding

It's rare to see applications that don't contain any external code coming from strangers. Someone else's code can affect yours via prototype poisoning even if you never interact with it directly: as long as it runs in the same process, it is a threat. Whether you're concerned with malicious dependencies or building software that runs other people's code, the techniques presented in this workshop can be used to isolate code at runtime and protect against prototype poisoning.

We'll explore techniques that let your code cooperate with neighbours that mess with JavaScript's built-in functionality, not only for benign reasons but also in dangerous ways. The second part of the workshop focuses on using tools to isolate code and scale the defensive coding practice up to larger codebases.
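As an added illustration of the two paragraphs above (this is example code written for this page, not material from the workshop, LavaMoat or Hardened JavaScript), the block below shows a constructed "neighbour" module poisoning Object.prototype and Array.prototype in a shared process, and two defensive-coding moves that survive it: capturing the built-ins you rely on before other code runs and checking own properties only, then freezing the intrinsics so later tampering cannot take effect at all. The freezing step is a deliberately minimal stand-in for what Hardened JavaScript's lockdown does across every intrinsic.

```javascript
// Added illustration (not the workshop's own material): how a module that shares
// your process can poison a built-in prototype, and two defensive-coding moves
// that survive it. runUntrustedNeighbour() is a constructed stand-in for a
// malicious or careless dependency.

// 1. Capture the built-ins you depend on before any other code runs. A later
//    patch to the prototype cannot change the references you already hold.
const { freeze, hasOwn, isFrozen } = Object;
const originalIncludes = Array.prototype.includes;
const arrayIncludes = Function.prototype.call.bind(originalIncludes);

// Own-property lookup: never consults the prototype chain, so an attribute
// injected into Object.prototype is invisible to it.
function getOwn(obj, key, fallback) {
  return hasOwn(obj, key) ? obj[key] : fallback;
}

// Naive lookup: `in` walks the prototype chain, which is what poisoning exploits.
function getNaive(obj, key, fallback) {
  return key in obj ? obj[key] : fallback;
}

// Stand-in for code from a stranger running in the same process.
// Returns whether either tamper attempt is observable afterwards.
function runUntrustedNeighbour() {
  try {
    Object.prototype.isAdmin = true;
    Array.prototype.includes = function () { return true; };
  } catch (e) {
    // In strict mode a write to a frozen object throws; in sloppy mode it is
    // silently ignored. Either way, the check below reports what happened.
  }
  return 'isAdmin' in {} || [].includes('anything');
}

// 2. Scaled-up defence: freeze the intrinsics once, early, so no later code can
//    add or replace properties on them. Hardened JavaScript's lockdown() does
//    this for every intrinsic; here only the two we demonstrate are frozen.
function freezeIntrinsics() {
  freeze(Object.prototype);
  freeze(Array.prototype);
  return isFrozen(Object.prototype) && isFrozen(Array.prototype);
}

let result; // the demo mutates global state, so it runs once and is cached
function demo() {
  if (result) return result;
  const user = { name: 'guest' };
  const roles = ['viewer'];

  // Phase 1: unprotected process, neighbour poisons the prototypes.
  const poisoned = runUntrustedNeighbour();
  const afterPoison = {
    poisoned,                                        // true
    naive: getNaive(user, 'isAdmin', false),         // true: inherited from Object.prototype
    own: getOwn(user, 'isAdmin', false),             // false: own-property check holds
    liveIncludes: roles.includes('admin'),           // true: patched method
    capturedIncludes: arrayIncludes(roles, 'admin'), // false: original, captured early
  };

  // Undo the damage so phase 2 starts from clean prototypes.
  delete Object.prototype.isAdmin;
  Array.prototype.includes = originalIncludes;

  // Phase 2: intrinsics frozen first, then the same neighbour runs again.
  const frozen = freezeIntrinsics();
  const afterFreeze = {
    frozen,                                          // true
    poisoned: runUntrustedNeighbour(),               // false: tamper did not take
    naive: getNaive(user, 'isAdmin', false),         // false
    liveIncludes: roles.includes('admin'),           // false
  };

  result = { afterPoison, afterFreeze };
  return result;
}
```

Call `demo()` to get both phases' observations. Note the limits of each move: capturing references and using own-property lookups protect only the code you wrote that way, while freezing protects every consumer in the process but must happen before any dependency loads, which is exactly why the workshop hands that job to tooling rather than to discipline.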

The entire workshop will be delivered as bite-sized hands-on exercises where increasingly advanced threats are presented and the participant has to defend their code.

Outline of topics covered:

  1. Introduction to modern software composition risks: the problem of fearless collaboration and supply chain security
  2. Prototype poisoning: what it is and how it works
  3. Increasingly difficult exercises exploring the methods of Defensive Coding
  4. Introduction to Hardened JavaScript and LavaMoat, tools created to scale the runtime defense approach

Duration: 8 hours total with breaks and Q&A

Can be expanded with a full hands-on LavaMoat configuration and troubleshooting training.

This training was originally created for and delivered at the DEFCON AppSec Village, and later at NodeConfEU, ConfidenceCon and x33fcon. It was refined along the way, so what you're getting is an improved version of what people enjoyed in Vegas.

Who should attend?

Requirements

Workshop materials are in English; conversations and the live workshop can be held in English or Polish, as needed.

Experience

I have been working with JavaScript since 2008 and with Node.js since 2011. I teach JavaScript diagnostics, maintainability and security topics while holding a full-time job that keeps me hands-on.

I've performed my workshops for international audiences at NodeConfEU in Ireland and DEFCON in the USA among others.

What's unique about these trainings?

I focus on advanced topics and go deep.

Each of my trainings is adjusted to the group I'm teaching. Before the training, I like to meet them for 15-20 minutes to get a feel for what they need, so they don't have to sit through the first two hours listening to what they already know.

I enjoy sharing knowledge. I don't have a marketing team to feed, and I don't have polished graphics. I improvise often. You get just the juiciest bits, not a sunk-cost-fallacy-driven, pre-packaged slide deck that I have to sell dozens of times for a good ROI.