The Buzz at Node.JS Interactive
Key Takeaways
Discusses Node.js security concerns and solutions at Node.JS Interactive conference
Full Transcript
So when using Node.js I can take the same general, yeah, some of the same general safety precautions that are usually taken when I'm working with a web application or web server. So you do, you know, authentication keys, make sure you do validation and input data scrubbing, and make sure that you're at least using some kind of encryption and decryption for any kind of data that's important that goes back and forth, password hashing. So these are all kind of the general things I use when you're dealing especially with authentication, either if it's user authentication or authentication between requests.

We use the standard Express module for security and the standard Node modules, and we're fairly confident in them. We know that Node and Express keep updating them as vulnerabilities are found, and we're of the mindset that if there's a known vulnerability in a package... So a couple of months ago there was a heartbeat attack and it turned out that we needed to upgrade Mongoose, so we did that and rectified the situation. But in general I think security is pretty much a mindset in a company, so kind of like what DevOps is becoming in the networking community, I think security in a general company has to be in mind, that we have processes in place and programming patterns that you follow in order to make your app secure.

We use Snyk to monitor the, you know, dependencies. I think people are becoming more aware that it's not just your application code but your dependencies where vulnerabilities can lie, and even if you're aware of all the different types of vulnerabilities in your own code, you're probably not watching it closely for your dependencies. So having some sort of dependency management, using something maybe like Greenkeeper to keep your dependencies up to date so you don't fall victim to new vulnerabilities that come out, and they come out all the time, I think that's a pretty fair way to stay secure, or at least reasonably secure. And so we've been doing that at CFPB and it's worked out well so far.

I was one of the early adopters of Node.js four years ago, and back in the day the modules weren't as mature, the frameworks weren't as mature. Now we have great tooling, we have great support from big companies, they're hiring core contributors and letting people work on open source. That's amazing; that's something we didn't have 20 years ago when people were working on Java, which was the mainstream, right? So I see it will only get better, but certainly there's still work that needs to be done.

Our enterprise applications are primarily Python, and we're moving more towards web applications for enterprise and to get mobile apps out to our constituents, so they can see things like consumption, meter alerts, outage information, and to be able to feed it back in, like with Node.js for instance, have a web or whatever interface that takes it in and sends that to a mobile application. That's kind of what we're trying to go to, right, and obviously security is a big thing. So when you've got this web-facing application, security is a big thing, so we did talk to some of the vendors here about that, and monitoring performance but also the security aspects of it. There are those sneaky ways that people can get past security that's already out there. Now it was really like, I want to call them deep, I guess we call them deep hackers, who just know these very particular security holes. For example, I never really thought much about regex denial of service until it came up, and when that came out it was like a light bulb went on in my head, just like, wow, I never thought people could get through my system that way. So these are things that are not very commonly talked about unless you go to big conferences like these or more specialized kinds of discussions and meetings.

One of the main concerns that we find with our clients is actually vetting modules, because the ecosystem is vast. It's been growing exponentially for several years, over 200,000 modules on npm, and the question is which ones do you trust. So one of the things that we do is we help clients select the right modules for them, and the modules that are by trusted sources, so there's a lot of trust-based mechanisms; I think that it's sort of implicit in the way that we work. Other than that, the way that we really deal with security is actually at a talent level. For us as a consultancy firm, we try to hire the best and the brightest, and all of these people are very proficient and aware of security needs. On top of that we do internal reviews as well to catch anything that might have fallen through the gaps. Beyond that, though, we always recommend that a client gets software, whether written by others or in collaboration with us or anyone, pen tested by a separate party. That's the only real way that you can have the sort of assurance, and insurance I suppose, for any vulnerabilities.

Just the platform, just the language by itself, is not going to prevent developers from some lazy habits, from not validating your data, from not applying best practices, right? So the best framework in the world, the best platform in the world is not going to prevent that. So it's partly that developers need to learn those practices. I went to a couple of good talks on security today and that's what we need to teach, and we need to write more blog posts about it on your website, about that in my courses, to educate people. And also the Node Foundation, they've been doing a great job being transparent about security leaks, right, so they need to continue doing that. Every time there is some vulnerability they have a patch relatively quickly, in a few hours, right, so that's important, to keep that kind of emergency mode and quickly patch things, not to keep it secret, and let people know. Some companies, they still run on old versions of Node, so like 0.10, well it's not going to have all the security patches if something happens, right? So they need to keep updating, because if you have that technical debt of a couple of years and then you jump from 0.10 to version 6 or version 8, which we'll have next year, that's a huge jump, right, a lot of code will break, you cannot do that in two days.
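The CFPB speaker above describes watching dependencies with Snyk and Greenkeeper, and the point that vulnerabilities often sit in packages you did not write. The following is an added example, not code from the video or from any tool it mentions: a minimal walk over a package-lock.json-style dependency tree that reports every package, direct or transitive, whose installed version is below the version a constructed advisory says fixed it. Package names, versions and advisory ids are made up; the lockfile layout is npm's v1 shape (a top-level "dependencies" object with nested "dependencies" for transitive packages).

```javascript
// Added example (not from the video): flag installed packages, including transitive ones,
// whose version is below the fix version in a constructed advisory list.

// Constructed lockfile fragment in npm's v1 layout. Names and versions are invented.
const LOCKFILE = {
  name: 'example-app',
  dependencies: {
    'web-framework': {
      version: '4.14.0',
      dependencies: {
        'query-parser': { version: '1.2.0' }, // transitive, pulled in by web-framework
        'cookie-jar': { version: '0.3.1' },
      },
    },
    'odm-library': { version: '4.5.8' },
  },
};

// Constructed advisories: package name -> first version that contains the fix.
// Real tools query an advisory database; this map only gives the check its shape.
const ADVISORIES = {
  'query-parser': { id: 'ADV-EXAMPLE-1', fixedIn: '1.3.0' },
  'odm-library': { id: 'ADV-EXAMPLE-2', fixedIn: '4.6.0' },
};

// Compare dotted numeric versions major.minor.patch. Simplified: ignores
// prerelease tags and build metadata that full semver allows.
function lessThan(a, b) {
  const x = a.split('.').map(Number);
  const y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0;
    const yi = y[i] || 0;
    if (xi !== yi) return xi < yi;
  }
  return false;
}

// Depth-first walk of the dependency tree; "path" records how the package got installed,
// which is what you need when the fix is to bump a parent package rather than the leaf.
function walk(deps, path, advisories, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const chain = path.concat(`${name}@${info.version}`);
    const adv = advisories[name];
    if (adv && lessThan(info.version, adv.fixedIn)) {
      out.push({
        name,
        version: info.version,
        fixedIn: adv.fixedIn,
        id: adv.id,
        path: chain.join(' > '),
      });
    }
    walk(info.dependencies, chain, advisories, out);
  }
  return out;
}

// Returns the list of affected packages found anywhere in the lockfile tree.
function findVulnerable(lock, advisories = ADVISORIES) {
  return walk(lock.dependencies, [], advisories, []);
}

for (const hit of findVulnerable(LOCKFILE)) {
  console.log(`${hit.id}: ${hit.name}@${hit.version} (fixed in ${hit.fixedIn}) via ${hit.path}`);
}
```

The installation path in each report is the useful part: when the affected package is transitive, upgrading it directly may be impossible until the parent package declares a compatible range, which is exactly the lag that automated dependency update tools are meant to close.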
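One interviewee mentions regex denial of service as an attack he had not considered. As an added example, not from the video, here are two defensive checks written for Node.js: a static heuristic that estimates a pattern's star height (a quantified group that itself contains a quantifier, the shape V8's backtracking engine can take exponential time on), and a length guard that bounds the input before any regex runs. The star-height routine is a simplified reimplementation of the idea behind the safe-regex npm package; the patterns and inputs are constructed for the example.

```javascript
// Added example (not from the video): review-time and run-time checks against ReDoS.

// Estimate the star height of a regex source string: the deepest nesting of repetition
// quantifiers (* + {n,} {n,m}). '?' counts as optional, not repetition, and {n} is a fixed
// count. Escapes and character classes are skipped. A heuristic for review, not a proof.
function starHeight(source) {
  let i = 0;
  function sequence() {
    let best = 0;
    while (i < source.length && source[i] !== ')') {
      let height = 0;
      const c = source[i];
      if (c === '\\') {
        i += 2;                                   // escaped atom such as \w or \.
      } else if (c === '[') {
        i++;                                      // character class: skip to closing ]
        if (source[i] === '^') i++;
        if (source[i] === ']') i++;               // a leading ] is literal
        while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
        i++;
      } else if (c === '(') {
        i++;
        if (source[i] === '?') {                  // group prefixes: (?: (?= (?! (?<name>
          i++;
          if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
            while (i < source.length && source[i] !== '>') i++;
          }
          i++;
        }
        height = sequence();                      // star height of the group body
        i++;                                      // consume ')'
      } else {
        i++;                                      // ordinary char, '|', '^', '$', '.'
      }
      // A repetition quantifier on this atom adds one level to whatever it contains.
      if (source[i] === '*' || source[i] === '+') {
        i++;
        height += 1;
      } else if (source[i] === '{') {
        const close = source.indexOf('}', i);
        if (close === -1) {
          i++;                                    // unmatched brace: treat as a literal
        } else {
          if (source.slice(i + 1, close).includes(',')) height += 1; // {n,} or {n,m}
          i = close + 1;
        }
      } else if (source[i] === '?') {
        i++;
      }
      if (source[i] === '?') i++;                 // lazy modifier
      best = Math.max(best, height);
    }
    return best;
  }
  return sequence();
}

// Run a non-global regex only when the input fits a size bound. The bound caps the work a
// backtracking engine can do even if a risky pattern slipped past review.
function boundedTest(re, input, maxLength) {
  if (typeof input !== 'string' || input.length > maxLength) {
    return { ok: false, reason: `input exceeds ${maxLength} characters` };
  }
  return { ok: true, match: re.test(input) };
}

// Constructed patterns: words separated by single spaces, optional trailing space.
// The first is the classic exponential form: \w+ inside a repeated group can split the
// same run of letters many ways, so a trailing '!' forces every split to be retried.
const VULNERABLE_WORDS = /^(\w+\s?)*$/;
// Same language, but each group iteration must end with whitespace, so there is only one
// way to consume a run of letters and matching stays linear. The heuristic still scores it
// 2, which is why the length guard, not the heuristic, is the backstop.
const SAFE_WORDS = /^(?:\w+\s)*\w*$/;

for (const re of [VULNERABLE_WORDS, SAFE_WORDS, /^[a-z0-9]+@[a-z0-9.]+$/]) {
  console.log(`${re}  star height ${starHeight(re.source)}`);
}
console.log(boundedTest(VULNERABLE_WORDS, 'abc def', 256));
console.log(boundedTest(VULNERABLE_WORDS, 'a'.repeat(5000) + '!', 256));
```

The demo deliberately never runs VULNERABLE_WORDS on a long non-matching input; that is the case boundedTest exists to refuse. In a real service the bound belongs at the validation layer in front of every user-controlled field, and patterns scoring 2 or more deserve a second look before they ship.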
Original Description
The new year brings to light continued discussions surrounding maintaining and ensuring the security of one’s Node.js-backed systems and applications. The recent Node.JS Interactive conference in Austin, Texas showcased not only how developers and organizations are putting Node.js to use in their own ecosystems, but highlighted some of the top security concerns and solutions teams have moving forward on Node.js.
On today's episode of The New Stack Makers, our video reporter, Norris Deajon, wandered the show floor to speak with attendees, who came in from companies such as InMotion, Highground, and Capital One.
Listen on SoundCloud: https://soundcloud.com/thenewstackmakers/the-buzz-at-nodejs-in-austin