Node Day - Node.js Security in the Enterprise

•

4 gostaram•8,052 visualizações

Adam Baldwin

Adam Baldwin talks about Node.js security in the enterprise for Node Day 2014 hosted at PayPal

Tecnologia

@adam_baldwin
@liftsecurity
@nodesecurity
@evilpacket

Enterprise Security in 3 min
Protect what makes you money
Availability is security
Measure & Iterate
It's not about the vulnerability
You will screw it up anyway

What this talk is about
Being informed & Prepared
!

The node security landscape
!

It's all node's fault

Understand what the
enterprise cares about,
then do better.

The enterprise should
understand you and do
better.

nodejs-sec announcements
https://groups.google.com/forum/#!forum/nodejs-sec

Understanding the
node.js security
landscape

The Enterprise
is responsible
for what you
require()

npm shrinkwrap
POST

/validate/shrinkwrap

GET

/validate/:module_name/:version

npm shrinkwrap example
curl -X POST https://nodesecurity.io/
validate/shrinkwrap -d @npmshrinkwrap.json -H "content-type:
application/json"

retire.js
Scan a web app or node app for
use of vulnerable JavaScript
libraries and/or node modules.

http://bekk.github.io/retire.js/

What is the greatest
vulnerability that you have
in the enterprise?

Blame Node.
It's just how we do things.™

</PRESENTATION>
@adam_baldwin | @LiftSecurity

Mais conteúdo relacionado

Mais procurados

WAF In DevOps DevOpsFusion2019Franziska Buehler

Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv

Wordpress securityMehmet Ince

Bypassing cisco’s sourcefire amp endpoint solution – full demoRajivarnan R

SSL Pinning and Bypasses: Android and iOSAnant Shrivastava

5 Bare Minimum Things A Web Startup CTO Must Worry AboutIndus Khaitan

Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava

Web Application firewall-Mod securityRomansh Yadav

Tools & techniques, building a dev secops culture at mozilla sba live a...SBA Research

Ruby and Framework SecurityCreston Jamison

Quick Tips for Server SecurityAlister Loxton

Apache Struts2 CVE-2017-5638Riyaz Walikar

Dont run with scissorsMorgan Roman

Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community

WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen

Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava

opensuse conference 2015: security processes and technologies for TumbleweedMarcus Meissner

Slides null puliya linux basicsAnant Shrivastava

Bünyamin Demir - 10 Adımda Yazılım GüvenliğiCypSec - Siber Güvenlik Konferansı

Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak

Mais procurados (20)

WAF In DevOps DevOpsFusion2019

Software Supply Chain Security та компоненти з відомими вразливостями

Wordpress security

Bypassing cisco’s sourcefire amp endpoint solution – full demo

SSL Pinning and Bypasses: Android and iOS

5 Bare Minimum Things A Web Startup CTO Must Worry About

Null bhopal Sep 2016: What it Takes to Secure a Web Application

Web Application firewall-Mod security

Tools & techniques, building a dev secops culture at mozilla sba live a...

Ruby and Framework Security

Quick Tips for Server Security

Apache Struts2 CVE-2017-5638

Dont run with scissors

Emerging Trends in Cybersecurity by Amar Prusty

WordPress security 101 - WP Jyväskylä Meetup 21.3.2017

Tale of Forgotten Disclosure and Lesson learned

opensuse conference 2015: security processes and technologies for Tumbleweed

Slides null puliya linux basics

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

Web Uygulama Güvenliği (Akademik Bilişim 2016)

Destaque

ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...Cyber Security Alliance

Security First - Adam BaldwinAdam Baldwin

Continuous SecurityAdam Baldwin

302 Content Server Security Challenges And Best Practicesphanleson

Top 10 web server security flawstobybear30

Web server security challengesMartins Chibuike Onuoha

Secure Node Code (workshop, O'Reilly Security)Guy Podjarny

Web Server Security Guidelineswebhostingguy

F-Secure E-mail and Server SecurityF-Secure Corporation

Web Server Web Site SecuritySteven Cahill

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

Continuous Security - Thunderplains 2016Adam Baldwin

Урок - 9, 27 февраля, 2016Burac Constantin

Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersTraction Conf

Três porquinhosjardiminfanciasilgueiros

Leidy carvajal actividad 1.2 mapa cLeidy Carvajal

Romeo and julietMike Smith

Tuomas_JokimakiTuomas Jokimäki

Sexy HTML with Twitter BootstrapKarthik Gaekwad

Destaque (19)

ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...

Security First - Adam Baldwin

Continuous Security

302 Content Server Security Challenges And Best Practices

Top 10 web server security flaws

Web server security challenges

Secure Node Code (workshop, O'Reilly Security)

Web Server Security Guidelines

F-Secure E-mail and Server Security

Web Server Web Site Security

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Continuous Security - Thunderplains 2016

Урок - 9, 27 февраля, 2016

Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers

Três porquinhos

Leidy carvajal actividad 1.2 mapa c

Romeo and juliet

Tuomas_Jokimaki

Sexy HTML with Twitter Bootstrap

Semelhante a Node Day - Node.js Security in the Enterprise

JSConfBR - Securing Node.js App, by the community and for the community David Dias

Cloud Security Engineer Interview Questions.pdfInfosec Train

Cloud Security Engineer Interview Questions.pdfinfosec train

How to secure web applicationsMohammed A. Imran

Chapter 5Overview of SecurityTechnologiesWe can’t hWilheminaRossi174

Config Management Camp 2017 - If it moves, give it a pipelineMark Rendell

Cloud, DevOps and the New Security PractitionerAdrian Sanabria

Academy PRO: Node.js in production. lecture 4Binary Studio

Shifting security to the left with kubernetes, azure, and istioChristian Melendez

Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman

Automotive Cybersecurity: Test Like a HackerForAllSecure

Making Security Agile - Oleg GrybSeniorStoryteller

Common mistake in nodejsNguyen Tran

Agility Requires SafetyYevgeniy Brikman

3.Secure Design Principles And Processphanleson

Biggest info security mistakes security innovation inc.uNIX Jim

Total Defense Product InformationZeeshan Humayun

Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software

Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon

AppSec California 2016 - Making Security AgileOleg Gryb

Semelhante a Node Day - Node.js Security in the Enterprise (20)

JSConfBR - Securing Node.js App, by the community and for the community

Cloud Security Engineer Interview Questions.pdf

How to secure web applications

Chapter 5Overview of SecurityTechnologiesWe can’t h

Config Management Camp 2017 - If it moves, give it a pipeline

Cloud, DevOps and the New Security Practitioner

Academy PRO: Node.js in production. lecture 4

Shifting security to the left with kubernetes, azure, and istio

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

Automotive Cybersecurity: Test Like a Hacker

Making Security Agile - Oleg Gryb

Common mistake in nodejs

Agility Requires Safety

3.Secure Design Principles And Process

Biggest info security mistakes security innovation inc.

Total Defense Product Information

Prevent Getting Hacked by Using a Network Vulnerability Scanner

Nick Drage & Fraser Scott - Epic battle devops vs security

AppSec California 2016 - Making Security Agile

Mais de Adam Baldwin

Attacking open source using abandoned resourcesAdam Baldwin

JavaScript Supply Chain SecurityAdam Baldwin

Building a Threat Model & How npm Fits Into ItAdam Baldwin

Hunting for malicious modules in npm - NodeSummitAdam Baldwin

Node Security Project - LXJS 2013Adam Baldwin

JSConf 2013 Builders vs BreakersAdam Baldwin

EV1LSHA - Misadventures in the land of LuaAdam Baldwin

Writing an (in)secure webapp in 3 easy stepsAdam Baldwin

Pony Pwning Djangocon 2010Adam Baldwin

Mais de Adam Baldwin (9)

Attacking open source using abandoned resources

JavaScript Supply Chain Security

Building a Threat Model & How npm Fits Into It

Hunting for malicious modules in npm - NodeSummit

Node Security Project - LXJS 2013

JSConf 2013 Builders vs Breakers

EV1LSHA - Misadventures in the land of Lua

Writing an (in)secure webapp in 3 easy steps

Pony Pwning Djangocon 2010

Último

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

Histor y of HAM Radio presentation slidevu2urc

IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

Artificial Intelligence: Facts and MythsJoaquim Jorge

Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal

Scaling API-first – The story of a global engineering organizationRadu Cotescu

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG

The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad

A Domino Admins Adventures (Engage 2024)Gabriella Davis

Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech

Boost PC performance: How more available memory can improve productivityPrincipled Technologies

How to convert PDF to text with Nanonetsnaman860154

🐬 The future of MySQL is Postgres 🐘RTylerCroy