SlideShare a Scribd company logo

Node Security Project - LXJS 2013

Adam Baldwin
Adam Baldwin
TechnologyBusiness
1 of 41
Download to read offline
Wednesday, October 2, 13
Hi, I’m Adam Wednesday, October 2, 13
Hi, I’m Adam @adam_baldwin @liftsecurity @nodesecurity Wednesday, October 2, 13
Hi, I’m Adam @evilpacket Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Node Security Project Wednesday, October 2, 13
Why Wednesday, October 2, 13
•precommit-hook for linting •pull requests for peer review •education / values Things we had control over Wednesday, October 2, 13
•other peoples code •the delivery system (npm) Things we didn’t have control over Wednesday, October 2, 13
npm install altlhethings Wednesday, October 2, 13
npm install fs Wednesday, October 2, 13
npm install http Wednesday, October 2, 13
npm install socketio Wednesday, October 2, 13
404 Wednesday, October 2, 13
~/analyzer$ node print.js ./output/output.json buffer: 604 child_process: 2867 dgram: 836 dns: 674 fs: 15036 http: 12084 https: 2819 os: 1311 readline: 909 string_decoder: 65 timers: 230 tty: 335 vm: 354 Wednesday, October 2, 13
•Core modules.... •Punctuation is hard •Improve integrity checking Conclusions Wednesday, October 2, 13
Wednesday, October 2, 13
How Wednesday, October 2, 13
nodesecurity.io/contributors Wednesday, October 2, 13
New Process Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
child_process.exec [pid 31152] execve("/bin/sh", ["/bin/sh", "-c", "ls"] child_process.execFile [pid 31176] execve("/bin/ls", ["/bin/ls"] Wednesday, October 2, 13
Wednesday, October 2, 13
Catalyst for Change Wednesday, October 2, 13
Improved Resources Wednesday, October 2, 13
Private issues & Pull Requests Wednesday, October 2, 13
“I wish @github had private issues and pull requests for open source projects to improve responsible disclosure of security issues! Please RT” j.mp/lxjs-nsp Wednesday, October 2, 13
nodeschool.io Wednesday, October 2, 13
security.md Wednesday, October 2, 13
github.com/nodesecurity Wednesday, October 2, 13
</presentation> @adam_baldwin @liftsecurity @nodesecurity @evilpacket Wednesday, October 2, 13

Recommended

Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013
Puppet
 
Agile Software Process Improvement
Agile Software Process ImprovementAgile Software Process Improvement
Agile Software Process Improvement
יהושע קליין
 
Benefits of Agile Software Development for Senior Management
Benefits of Agile Software Development for Senior ManagementBenefits of Agile Software Development for Senior Management
Benefits of Agile Software Development for Senior Management
David Updike
 
Top 10 agile project interview questions and answers
Top 10 agile project interview questions and answersTop 10 agile project interview questions and answers
Top 10 agile project interview questions and answers
WhitneyHouston012
 
Test Process Improvement
Test Process ImprovementTest Process Improvement
Test Process Improvement
Momentum NI
 
Cooking an Omelette with Chef
Cooking an Omelette with ChefCooking an Omelette with Chef
Cooking an Omelette with Chef
ctaintor
 
Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...
NETWAYS
 
Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...
Puppet
 

Recommended

Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013
Puppet
 
Agile Software Process Improvement
Agile Software Process ImprovementAgile Software Process Improvement
Agile Software Process Improvement
יהושע קליין
 
Benefits of Agile Software Development for Senior Management
Benefits of Agile Software Development for Senior ManagementBenefits of Agile Software Development for Senior Management
Benefits of Agile Software Development for Senior Management
David Updike
 
Top 10 agile project interview questions and answers
Top 10 agile project interview questions and answersTop 10 agile project interview questions and answers
Top 10 agile project interview questions and answers
WhitneyHouston012
 
Test Process Improvement
Test Process ImprovementTest Process Improvement
Test Process Improvement
Momentum NI
 
Cooking an Omelette with Chef
Cooking an Omelette with ChefCooking an Omelette with Chef
Cooking an Omelette with Chef
ctaintor
 
Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...
NETWAYS
 
Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...Building scalable applications while scaling your infrastructure by rhommel l...
Building scalable applications while scaling your infrastructure by rhommel l...
Puppet
 
Scaling Deployment at Etsy
Scaling Deployment at EtsyScaling Deployment at Etsy
Scaling Deployment at Etsy
Daniel Schauenberg
 
Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013
Ptah Dunbar
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
Pablo Godel
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
Rob Spieldenner
 
App to App: Design and Surface Local APIs
App to App: Design and Surface Local APIsApp to App: Design and Surface Local APIs
App to App: Design and Surface Local APIs
Ty Smith
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless Deployments
Zack Smith
 
Node Tools For Your Grails Toolbox - Gr8Conf 2013
Node Tools For Your Grails Toolbox - Gr8Conf 2013Node Tools For Your Grails Toolbox - Gr8Conf 2013
Node Tools For Your Grails Toolbox - Gr8Conf 2013
zanthrash
 
Internet primer or Internet for Dummies (for Filipino women)
Internet primer or Internet for Dummies (for Filipino women)Internet primer or Internet for Dummies (for Filipino women)
Internet primer or Internet for Dummies (for Filipino women)
Eric Clark Su
 
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Puppet
 
An Introduction to DevOps with Chef
An Introduction to DevOps with ChefAn Introduction to DevOps with Chef
An Introduction to DevOps with Chef
Julian Dunn
 
Ilugc curl
Ilugc curlIlugc curl
Ilugc curl
Akilan Ram
 
Chef - Configuration Management for the Cloud
Chef - Configuration Management for the CloudChef - Configuration Management for the Cloud
Chef - Configuration Management for the Cloud
James Casey
 
Practical mitm for_pentesters
Practical mitm for_pentestersPractical mitm for_pentesters
Practical mitm for_pentesters
Jonathan Cran
 
Expressjs basic to advance, power by Node.js
Expressjs basic to advance, power by Node.jsExpressjs basic to advance, power by Node.js
Expressjs basic to advance, power by Node.js
Caesar Chi
 
Proyecto OP^2: Open Pi Phone
Proyecto OP^2: Open Pi PhoneProyecto OP^2: Open Pi Phone
Proyecto OP^2: Open Pi Phone
Saúl Ibarra Corretgé
 
Slaying Bugs with Gradle and Jenkins
Slaying Bugs with Gradle and JenkinsSlaying Bugs with Gradle and Jenkins
Slaying Bugs with Gradle and Jenkins
David Kay
 
ADAM
ADAMADAM
ADAM
Matt Massie
 
CPANci: Continuous Integration for CPAN
CPANci: Continuous Integration for CPANCPANci: Continuous Integration for CPAN
CPANci: Continuous Integration for CPAN
Mike Friedman
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
Adam Baldwin
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
Adam Baldwin
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into It
Adam Baldwin
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
Adam Baldwin
 

More Related Content

Similar to Node Security Project - LXJS 2013

Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013
Ptah Dunbar
 
App to App: Design and Surface Local APIs
App to App: Design and Surface Local APIsApp to App: Design and Surface Local APIs
App to App: Design and Surface Local APIs
Ty Smith
 
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Puppet
 
An Introduction to DevOps with Chef
An Introduction to DevOps with ChefAn Introduction to DevOps with Chef
An Introduction to DevOps with Chef
Julian Dunn
 
Practical mitm for_pentesters
Practical mitm for_pentestersPractical mitm for_pentesters
Practical mitm for_pentesters
Jonathan Cran
 

Similar to Node Security Project - LXJS 2013 (18)

Scaling Deployment at Etsy
Scaling Deployment at EtsyScaling Deployment at Etsy
Scaling Deployment at Etsy
 
Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013Unit testing like a pirate #wceu 2013
Unit testing like a pirate #wceu 2013
 
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
PHP Conference Argentina 2013 - Independizate de tu departamento IT - Habilid...
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
 
App to App: Design and Surface Local APIs
App to App: Design and Surface Local APIsApp to App: Design and Surface Local APIs
App to App: Design and Surface Local APIs
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless Deployments
 
Node Tools For Your Grails Toolbox - Gr8Conf 2013
Node Tools For Your Grails Toolbox - Gr8Conf 2013Node Tools For Your Grails Toolbox - Gr8Conf 2013
Node Tools For Your Grails Toolbox - Gr8Conf 2013
 
Internet primer or Internet for Dummies (for Filipino women)
Internet primer or Internet for Dummies (for Filipino women)Internet primer or Internet for Dummies (for Filipino women)
Internet primer or Internet for Dummies (for Filipino women)
 
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
Releasing Puppet: Automating Packaging for Many Platforms or 'Make all the th...
 
An Introduction to DevOps with Chef
An Introduction to DevOps with ChefAn Introduction to DevOps with Chef
An Introduction to DevOps with Chef
 
Ilugc curl
Ilugc curlIlugc curl
Ilugc curl
 
Chef - Configuration Management for the Cloud
Chef - Configuration Management for the CloudChef - Configuration Management for the Cloud
Chef - Configuration Management for the Cloud
 
Practical mitm for_pentesters
Practical mitm for_pentestersPractical mitm for_pentesters
Practical mitm for_pentesters
 
Expressjs basic to advance, power by Node.js
Expressjs basic to advance, power by Node.jsExpressjs basic to advance, power by Node.js
Expressjs basic to advance, power by Node.js
 
Proyecto OP^2: Open Pi Phone
Proyecto OP^2: Open Pi PhoneProyecto OP^2: Open Pi Phone
Proyecto OP^2: Open Pi Phone
 
Slaying Bugs with Gradle and Jenkins
Slaying Bugs with Gradle and JenkinsSlaying Bugs with Gradle and Jenkins
Slaying Bugs with Gradle and Jenkins
 
ADAM
ADAMADAM
ADAM
 
CPANci: Continuous Integration for CPAN
CPANci: Continuous Integration for CPANCPANci: Continuous Integration for CPAN
CPANci: Continuous Integration for CPAN
 

More from Adam Baldwin

JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs Breakers
Adam Baldwin
 

More from Adam Baldwin (14)

Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into It
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
 
Security First - Adam Baldwin
Security First - Adam BaldwinSecurity First - Adam Baldwin
Security First - Adam Baldwin
 
JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs Breakers
 
EV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaEV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of Lua
 
Writing an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy stepsWriting an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy steps
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Node Security Project - LXJS 2013