NodeSource Introduces Certified Modules to Improve Node.js Security

Key Takeaways

I [Music] [Music] we like to thank note source response for our podcast from no Jas interactive in austin texas no source is the enterprise node company they're known for delivering enterprise-grade tools and software targeting the unique needs of running server side JavaScript at scale you can learn more about node source at node source com that's n OU de SA URC ecomme eight alex williams of the new stack here no Jas interactive in Austin I'm with dan shaw dan shaw is the CTO and founder co-founder founder those are accurate s we're two founders so excellent of note source and a company that we've been very interested in following and began your background is interesting and I thought the theme for our discussion today would be about really the past and the president looking forward you know with you know with a note community and you know I learned yesterday that you you spend time at Vox her right and boxer is I call it a walkie-talkie app yep right and one of my best friend Marshall Kirkpatrick and I box all the time right just love it no and you were saying that you when you joined a boxer they had 10 million users and by the time he left they were at 40 million right and you and you basically scaled it on a note yep all node up and down the entire stock no Jess base and what was your experience prior to that with them I mean how long have you been involved in the game uh so you know it's been around for you know just just around seven years yeah and you know I've been no community for about six six and a half years how did that start earlier days so for me the impetus for node is I was building out real-time applications I was building out applications that were being pulled from the front end from being pulled from the emerge at the time the emerging html5 spec and web sockets so looking for a back-end for those front-end services and you know how about how do I build that out how do i iterate there and how do I eventually create those experiences so doing that in Java and at the time jetty was the only option to do anything with WebSockets was cumbersome and painful and eventually when you because it's not web really it's not web and you're punching through a bunch of different abstractions to eventually you know deliver that that WebSocket experience you know that you're providing but it it took so much time and effort just to get the you know the foundation of that Java set up whereas really i just wanted to deal on a server they'll give me back that WebSocket just deal I want the interaction from that not the you know the service and at the time I switched over to I found node and you know a node-based WebSocket server and I was up in and iterating through the entire development lifecycle of what I was trying to create with node in a matter of moments so you know that that that really began to luminate to in my mind why node is you know the future why node is completely transforming how we develop software we're able to iterate on the back end and deliver those experiences rapidly and that has been you know the hallmark of everything that I've done since that's fascinating so when you were starting with the boxer and they were 10 million users what was the what was the platform at the time so node and we removed from a soft layer over to to join on the smart OS so you know we moved our operating system that was a deal that was a big challenge we probably got more of a surprise than we expected changing from the next two to solaris based operating system but you know we were absolutely just you know hockey sticking and needed a service provider that was able to provide the insight into to you know what was going on in node this is you know zero dot 620 dot eight days and boxer in there that position of being you know the high-growth company that that was was actually breaking note though you know voxer really was that your the staging ground for so many of the finding the edge cases then you only find at extreme throughput extreme traffic lots of users and so it was great to have van canto and Brendan Greg you know able to look deep in in denote and help us Wow with that so that was that was incredibly powerful for us you asked earlier about you know how we how we orchestrated that Howie how were yeah you took these thousands upon thousands of servers and you know manage that were able to manage that as a coherent whole and you know at that time there really wasn't much in the way of orchestration we were able to take and automate things they are first out of bash scripts and then eventually into chef and take away the burden of provisioning machines largely but we still had to orchestrate over the top and you know do a bunch of essentially bash scripting you know bash scripts at scale to orchestrate the entire platform be able to create the commands that do all of the the orchestration and you know I look at you know that four years ago and today the fact that we can plug into you know containerisation where we abstract away and we eliminate a large portion of our operating system concerns or we can you know at least lock that down and have that you know assess secured and you know it be completely repeatable and those containers then can plug into some very rich orchestration frameworks you know the leader right now is Cooper Nettie's and and I think the heir apparent to the orchestration platforms so being able to you know have well-defined well SPECT orchestration of all of these services it's night and day yeah we had to put a lot of effort into that and today it makes sense to you know put that into Cooper Nettie's and you know scale up scale down it's just much more logical and more maintainable fit for addressing this disaster that's really interesting because that gets to the heart of why microservices Denver really took off at a time because if only a very few people really were able to actually understand how to do that right but and so obviously then you had a very mind you you know you know community right yeah but in the process that note community was was starting to grow tremendously right and he had these modules that were just starting to like mushroom right right right you know everyone could have a module essentially right and so that really was kind of like you can kind of trace back kind of the roots of micro services to that era and if you look at kind of like the API ecosystem that was emerging at the time and then you look at you know when you start to see the platform as a service market of all right then you saw you know Solomon starting to think about you know you know soccer and like you know and it's all I'm a good friend of mine and you know back in the dot tap cloud days we spent a lot of time together yeah and you know I was a huge fan of the dot cloud system and you know how they'd built the the underlying orchestration yeah you know really glad to see that you know kind of be iterated on and you know brought into into what we know today is dr. yeah I wrote about doc cloud when they launched and followed it and always was you know fan of Solomon and then then he took it to the whole nother level yeah and I i love the premise that Solomon has Solomon it believes that you know we should be programming the internet right you know and then if we're going to be programming the internet then we really need to be thinking about how to make it as easy as possible for people to develop and program you know anything and today now we're kind of like you know at the point where node is pretty well established yep it's the default it's the de facto run time for server list it's the fact of run time and you know many of your crew benetti's and micro servers architectures you know it fits the evolving service architectures that we have today you know like a glove so you know it is is a perfect match for smaller faster more yeah and you know if you look at what we're doing at the macro technology level you know there's a lot of that smaller faster more yeah smaller faster more is great so you know in interesting learning that that comes out of that that boxer experience and that ties forward to the products that we've built at note source one pain point is if you are building out a lot of customization on node that over time becomes brittle so you know using node and you know building on the platform is great but a forking node and you know taking you know the talent that can you know have the ability to go in and and work on node and to you know make the changes that the the operating level I've seen that especially in that that era I saw that play out repeatedly where it you know it accelerated innovation for very short amount of time and then became a burden as the platform continue to evolve and looking at that and you know seeing the needs of the enterprise users and your corporate users to to you know have an impact on though to need to extend node in in ways that suit the needs of the enterprise that is fundamentally with and our n solid product you know what we provide into the ecosystem we have a commercial offering that enables you know customers to have a secure reliable and extensible platform to build upon so you know that that you know that really interesting a failure point of you know it gets it hard if you've gone in and taken the you know the general trend the broader macro trend and forked it and like I need to go do this you know in my way if you aren't able to do continuously align back with the broader trend of the ecosystem you're going to get into you know a challenging spot that is so interesting because you you know because you look at the nodes tremendous growth but it was taking forever to like you know to agree on what was one point out for example did right and so then there was then there was that fork in the community right right right right and we came then together back with this with foundation where they are now there's so many lessons to be learned out of that yeah cuz there's a healthier ecosystem now is there so fantastic know the it is the example of no jazz in open source is you know a unique one of you know the tradition of forking ecosys like you look at the Linux ecosystem and you know we have a distribution that you know can drop in and you know run on to being or red hat bae systems and you know just have your node runtime pulled down and off you go and if it plugs it into appt get and you know it's easily facilitated but we're constantly getting pinged about Oh could you support you know this you know other direct of your linux things it's you know really you've gone in these you know very specialized directions and you know there's not a lot of you know coming back in sinking but you know as an open source project node coming together and from the i Jes project and in coming back to miss a single project is unique you know moment in an open source history and then you know to see how much our contributor ship has grown how much the you know how much more code were shipping you know the early on and no shipping the four-point-oh releases you know there was a bit of a concern where he had to kind of gate all of the the activity so you know folks weren't you know there's another node release you know today there was one yesterday and you know yes you know getting all that code with all the the contributors throughout the world you know landed and and shipped you know there's just so much contribution so much engagement with the node.js platform and we're so much stronger now you know together in the know Jess foundation it's a really great example of how open source is is changing and you know it's a different landscape and it's become the status quo and you know it's it's really turned into you know a positive way for us to to aggregate and to work together so there's some there's some similarities between for example the note community in the docker community yep and I think the greatest similarity is in just that user base but right up you know the overlaps the melon developers in the right who just are like consuming it at this you know at this this pace at where we all Marvel out right and note made it through this process right you know I think that the challenge that you I think face and that the community faces overall is and how do you keep that user participation you know how do you keep the user involved because there's now much more corporate interest to developer tool ecosystem out there that it hasn't been interested in it as well absolutely that seems to be a similar challenge that the docker and container he goes to some days too big interest in darker and containers right you can system kind of like a almost like like a more metaphorical fork than anything else right you know the community has kind of moved in different directions without a doubt but you know and the note community is gonna be intersecting more with a docker and creators community more and more than they do now right how are you making sense of that how are you like thinking that through and like what are some of the conversations that you know that you would you like to have people about these outwards know so you know the the nice thing about that is you know we were all three of those major groups you cloud so there's no J's foundation the cloud native computing foundation and the container five the names the container by duplicating foundation there's a super day which is Casilla which is Cooper Nettie's but and there's oci which is more about the image format a runtime right right go yep those are the two major ones so the open container initiative right here initially yeah and so those all are actually uh you know sort of collaborative projects for the Lunik foundation so we have shared interests and shared infrastructure to actually begin collaborating so it's something that I've been working with the note just foundation to you know see edit edit found these you know these broader shared interests touch points so the great thing about you know being in the foundation and you know having the foundation you know as the backdrop and as you know the support infrastructure is you know that when we come to the foundation we know that this is the shared playing field this is the broader market and we're able to interact an interface in a different way than we would approach each other as companies so it's a great facilitator for you know making sure that that the technology ecosystem that were collaborating and improving the technology goo system and I really see more collaboration amongst those organizations and you know looking at you know defining and building out specs and system architectures that trip triangulate all the way through all of those experiences because you know that that's essentially the DevOps experience of you know your no jest developer today is you know going to be running node in a container with an orchestration platform there's increasingly Cooper Nettie's that's so fascinating right now it's so interesting so in the process you know is no towards the company you know tell us about a note source you know what it's doing now how your how you kind of envisioning your cell is kind of in this in this world you know moving forward you made an announcement yesterday right you know perhaps you could talk about about that in the context of the direction you're taking notes ores and what you see how is see fitting into the overall community right so no tours Eden's inception was you're really drawn there the creation of note source was drawn by interest in especially in the enterprise ecosystem for a no jazz vendor you know but my business partner I Joe McCann were working with enterprise companies and we kept hearing you know where's the node company where's the you know we're building five to ten year business plans on this technology and we want to know that there's a vendor out there that you know is going to be providing the the tools and services that we need to build with confidence on unknown so that's why we created a note source and in building out our product roadmap we looked at where the biggest customer pain that we heard from and across the board it was we have DevOps tooling an infrastructure to you know build you know architectures and you know make sure that we're you know having the same level of security and compliance that we have in our Java and.net infrastructure and you know our DevOps teams don't have the tools they need to accomplish the work that they they have in front of them so no Jess developers were producing and you know incredibly productive with no jazz and then we see this pattern of you know all right now what like how do we really take this and operationalize this at scale and you know so that that is what we addressed out of the gate with our flagship product inside n solid is a commercial run time for you know built on nodejs that that delivers secure reliable extensible infrastructure for DevOps teams to be able to to run mode to be able to do so with confidence and to be able to plot apply security policy to there no jazz infrastructure in the same ways that they're used to and that they're used to being able to interact and extend the platform so yeah so now that with that then with your recent announcement then that fits into yeah it is evident that fits into this all kind of belief and operationalizing is scanned for a tional izing so you know that that is you know that has been our primary an anchor product over the past year we've been hearing this new challenge so you know new source uh you know addressed the runtime problem and you know it's constantly working to improve that too you know lead with customer feedback and provide the capabilities that customers a man but beyond the the runtime level beyond the the need for how do we run node we kept hearing over the past year wow you know that the the no jeaious module ecosystem is so huge like where do we begin what you know there's nearly 400,000 packages in the NPM registry like what are the good ones like we're trying to build our software we're not trying to you know solve boil the ocean solve all all of you know the problems of the know Jesse go system like notes or give us an answer to how do we choose the best packages that that are the right components that that fit into our the applications we're building so that coupled with you know the operating pain felt across the world when pad incident occurred so you know seeing a moment where you know this upstream dependency led to build failures he had you know build at Facebook Netflix and others that were blocked for like a day which is an eternity and you know continuous delivery cic deed world that still has no material impact with that and you know that's money right so you know customers coming in asking no please we need an answer for to this we want to do be able to have that same no trust in reliance in the third party javascript is a rich ecosystem of building blocks that we can work with we want to be able to work with the best and we want to be protected with how we do that so yesterday at noches interactive here in austin texas we announced notes or certified modules and notes are certified modules is note sources answer to how you are managing all of that complexity and you know the vast ecosystem of modules that are available how do you select quality how do you know that they're those modules are secure that you're protected and that you're working with infrastructure that is going to you know address the needs of you know organizations that I increasingly have to live a velocity that can't stop and very excited to be rolling that out the the demand for it has been incredible so our booth has been packed and sign up at certified node source com has been really you know outpacing anything that we had hope we knew that there was a strong customer demand but you know there's really been an incredible flood of interest and you touched a nerve touch real pain and you know delivering the solutions that really you know if you look at what note source is done now we have the runtime story with our n solid product and now we have the dependency story that you know that that's the full picture with ojs when you get no Jess out of the box you have a runtime and you're building with these dependencies that you know we really have a much more functional and you know component lead ecosystem in JavaScript that you know it's different it's it's very different from you know how we interacted with dependencies in Java a much smaller you know much more capable of composition so you have smaller units that can more meaningfully be composed together and accelerating development with with all those options and but you know you need a way to wrap your arms around it and make sure that that you really have a handle on you know that that that's what just more there's just more of it so you know how do you how do you get your arms around it how do you know that your your doing the right thing our answer is notes are certified models that's great Dan very interesting that that last part on the capability of composition is interesting to me I mean that gets to the heart of continuous delivery the ability to actually view microservices you'll be able to trust what's upstream being able to understand what's upstream and and then using it for you know for your enterprise right everything else so thank you very much for taking some time to talk and we look forward to keeping in touch in this new year it's good a lot going on i'm looking forward to thank allah thanks you should we like to thank note source responsible for our podcast from kno jes interactive in austin texas note source is the enterprise node company they're known for delivering enterprise-grade tools and software targeting the unique needs of running server side JavaScript at scale you can learn more about node source at node source com it's n OU de SA urc e com you