The Buzz at Node.JS Interactive

The New Stack · 9y ago

Key Takeaways

Attendees at the Node.JS Interactive conference discuss Node.js security concerns and the solutions their teams use.

Full Transcript

[Music]

So when using Node.js, I take the same general, yeah, some of the same general safety precautions that are usually taken when I'm working with a web application or web server. So you do, you know, authentication keys, make sure you do validation and data scrubbing, and make sure that you're at least using some kind of encryption and decryption for any kind of data that's important that goes back and forth, password hashing. So these are all kind of the general things you can use when you're dealing especially with authentication, either if it's user authentication or authentication between requests.

We use the standard Express module for security and standard Node modules, and we're fairly confident in them. We know that Node and Express keep updating them as vulnerabilities are found, and we're of the mindset that if there's a known vulnerability in a package, so a couple of months ago there was a heartbeat attack and it turned out that we needed to upgrade Mongoose, so we did that and rectified the situation. But in general I think security is pretty much a mindset in a company, so kind of like how DevOps is fairly common in the networking community, I think security in a company in general has to be in mind, so that we have processes in place and programming patterns that you follow in order to make your app secure.

We use Snyk to monitor the, you know, dependencies. I think people are becoming more aware that it's not your application code but your dependencies where vulnerabilities can lie, and even if you're aware of, you know, all the different types of vulnerabilities in your own code, you're probably not watching it closely for your dependencies. So having some sort of dependency management, using something maybe like Greenkeeper to keep your dependencies up to date so you don't fall victim to, you know, new vulnerabilities that come out, they come out all the time. I think that's a pretty fair way to stay secure, or at least reasonably secure, and so we've been doing that at CFPB and it's worked out well so far.

I was one of the early adopters of Node.js four years ago, and back in the day the modules weren't as mature, the frameworks weren't as mature. Now we have great tooling, we have great support from big companies, they're hiring core contributors and letting people work on open source. That's amazing, that's something we didn't have 20 years ago when people were working on Java, which was the mainstream, right? So I see it will only get better, but certainly there's still work that, to me, needs to be done.

[Music]

Our enterprise applications are primarily Python, and we're moving more towards web applications for the enterprise, and to get mobile apps out to our constituents so they can see things like consumption, meter alerts, outage information, and to be able to create it back in, like with Node.js for instance, have a web or whatever interface that takes it in and sends that to a mobile application. That's kind of what we're trying to go to, right? And obviously security is a big thing. So when you've got this outward-facing application, security is a big thing, so we did talk to some of the vendors here about that and monitoring performance, but also the security aspects of it. There are those sneaky ways that people can get past security that's already out there. I want to call them, I guess we call them hackers, they just know these very particular security holes. For example, I never really thought much about regex denial of service until it came up, and then when that came out it was like a light bulb went on in my head, and just like, wow, I never thought people could get through my system that way. So these are things that are not very commonly talked about unless you go to big conferences like these, or more specialized kinds of discussions and meetings.

[Music]

One of the main concerns that we find with our clients is actually vetting modules, because the ecosystem is vast. It's been growing exponentially for several years, over 200,000 modules on NPM, and the question is which ones do you trust. So one of the things that we do is we help clients select the right modules for them, the modules that are from trusted sources, so there's a lot of trust-based mechanisms; I think that it's sort of implicit in the way that we work. Other than that, the way that we really deal with security is actually at a talent level. For us as a consultancy firm we try to hire the best and the brightest, all of these people are very proficient and aware of security needs. On top of that we do internal reviews as well to catch anything that might have fallen through the gaps. Beyond that, though, we always recommend that a client gets software that is written by us or in collaboration with us, or by anyone, pen tested by a separate party. That's the only real way that you can have the sort of assurance, and insurance I suppose, for any vulnerabilities.

Just the platform, just the language by itself is not going to prevent developers from some lazy habits, from not validating your data, from not applying best practices, right? So the best framework in the world, the best platform in the world is not going to prevent that, so part of it is that developers need to learn those practices. I went to a couple of good talks on security today, and that's what we need to teach, and we need to write more blog posts about that, on your website, in my courses, to educate people. And also the Node Foundation, they've done a great job being transparent about security leaks, right? So they need to continue doing that. Every time there is some vulnerability they have a patch relatively quickly, in a few hours, right? So that's important, to keep that kind of emergency mode and quick patching, and not to keep it secret, and let people know. Some companies still run on old versions of Node, so like 0.10, well, it's not going to have all the security patches if something happens, right? So they need to keep updating, because if you have that technical debt of a couple of years and then you jump from 0.10 to version 6 or version 8, which we'll have next year, that's a huge jump, right? A lot of code will break; you cannot do that in two days.

[Music]
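The regex denial of service that one attendee above calls a "light bulb" moment, worked through as an added example in Node.js. This code is not from the page or from any of the speakers: the username pattern, the 32-character limit and the sample inputs are constructed for the example. It puts a pattern with nested quantifiers next to a rewrite that accepts the same strings without backtracking blow-up, and adds the length cap a practitioner would put in front of any regex that sees attacker-controlled input.

```javascript
// Added example (not from the page or any speaker): regex denial of service
// (ReDoS) on a constructed username validator, with two mitigations: a pattern
// rewritten so no two quantifiers can consume the same characters, and a hard
// input-length cap applied before the match runs.

// Vulnerable: the inner `+` and the outer `+` can both claim the same run of
// letters, so on a near-miss like "aaaa…a!" the engine tries every way of
// splitting the run before failing (2^(n-1) attempts for n letters).
const VULNERABLE_USERNAME = /^([a-z0-9]+[-_]?)+$/;

// Hardened: same language (alphanumeric runs, single separators between them,
// an optional trailing separator), but every character has exactly one place
// it can go, so a failing match costs time linear in the input length.
const SAFE_USERNAME = /^[a-z0-9]+(?:[-_][a-z0-9]+)*[-_]?$/;

// Constructed policy limit for the example; real limits come from the product.
const MAX_USERNAME_LENGTH = 32;

// Defensive wrapper: refuse oversized or non-string input before the regex
// ever runs. Even a linear pattern should not see unbounded attacker input.
function isValidUsername(input, re = SAFE_USERNAME, maxLen = MAX_USERNAME_LENGTH) {
  if (typeof input !== 'string' || input.length === 0 || input.length > maxLen) {
    return false;
  }
  return re.test(input);
}

// Near-miss input that forces full backtracking: n alphanumerics then '!'.
function nearMiss(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock cost of one match attempt, in milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Sanity check that the rewrite accepts and rejects exactly what the
// original did, on a constructed sample set.
function patternsAgree(samples) {
  return samples.every(s => VULNERABLE_USERNAME.test(s) === SAFE_USERNAME.test(s));
}

function demo() {
  const samples = ['bob', 'bob_smith', 'a-b-c_', '-bad', 'a__b', 'Bad', ''];
  console.log('patterns agree on samples:', patternsAgree(samples));
  // Each extra character roughly doubles the vulnerable pattern's cost; the
  // safe pattern stays flat. Push n toward 28 to watch it reach seconds.
  for (const n of [16, 18, 20, 22]) {
    const s = nearMiss(n);
    console.log(`n=${n} vulnerable=${timeMatch(VULNERABLE_USERNAME, s).toFixed(2)}ms`
      + ` safe=${timeMatch(SAFE_USERNAME, s).toFixed(3)}ms`);
  }
  console.log('guard rejects 10k chars without running the regex:',
    isValidUsername(nearMiss(10000)) === false);
}

demo();
```

The length cap is the cheap, general control: it bounds the work any pattern can do, including ones in third-party modules you did not write. The rewrite is the real fix for code you own; when rewriting is not possible, a timeout around the match or a non-backtracking engine (RE2 bindings, for example) achieves the same bound.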

Original Description

The new year brings to light continued discussions surrounding maintaining and ensuring the security of one’s Node.js-backed systems and applications. The recent Node.JS Interactive conference in Austin, Texas showcased not only how developers and organizations are putting Node.js to use in their own ecosystems, but highlighted some of the top security concerns and solutions teams have moving forward on Node.js. On today's episode of The New Stack Makers, our video reporter, Norris Deajon, wandered the show floor to speak with attendees, who came in from companies such as InMotion, Highground, and Capital One. Listen on SoundCloud: https://soundcloud.com/thenewstackmakers/the-buzz-at-nodejs-in-austin