2018-044: Mike Samuels discusses NodeJS hardening initiatives

Mike Samuels

https://twitter.com/mvsamuel

https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/

Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781

What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

1. a) a folder containing a program described by a package.json file
2. b) a gzipped tarball containing (a)
3. c) a url that resolves to (b)
4. d) a @ that is published on the registry with ©
5. e) a @ that points to (d)
6. f) a that has a latest tag satisfying (e)
7. g) a git url that, when cloned, results in (a).

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31