Guy Podjarny - Secure Node Code
Transcript of Guy Podjarny - Secure Node Code

Join the conversation #devseccon
Guy Podjarny, Snyk, @guypod
Secure Node Code a.k.a. Stranger Danger

snyk.io

About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
  • Cyber Security part of Israel Defense Forces
  • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
  • Security: Worked in Sanctum -> Watchfire -> IBM
  • Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker

Open Source Is Awesome
Share Your Work
Reuse What Others Built
Focus on Creating Your Own New Thing

Open Source Usage Has Exploded

Open Source != Secure
Open Source != Insecure Either!

Heartbleed

Shellshock

Logjam

Attackers Are Targeting Open Source
One vulnerability, many victims

~30% of Docker Hub images carry Known Vulnerabilities
High Priority known vulnerabilities, to be exact
Source: BanyanOps Analysis

Docker Security
Ubuntu: usn, Auto Sec Updates
Fedora: yum security, Auto Sec Updates

That’s OSS Binaries. What about OSS Packages?

Just as Hacker-Friendly…
1. Vulnerabilities already found, and found often
2. Used everywhere - millions of downloads/month, in many orgs
3. Hard to update, due to dependency chains, breakage & scattered use

Let’s pick on Node

npm Is AWESOME

npm Usage Has Exploded
>350,000 packages
~6B downloads/month
>65,000 publishers

Your App

Your Code
Your App

JavaScript has Won

Each Dependency Is A Security Risk

Do You Know Which Dependencies You Have?

Do you know, for EVERY SINGLE DEPENDENCY, if its developers have any Security Expertise?

Do you know, for EVERY SINGLE DEPENDENCY, if it underwent any Security Testing?

Do you know, for EVERY SINGLE DEPENDENCY, if it has any Known Vulnerabilities?

Open Source is written by People

Open Source is written by People
Strangers

Do you know, for EVERY SINGLE CONTRIBUTOR, if they are Malicious?

Do you know, for EVERY SINGLE CONTRIBUTOR, if they’ve been Compromised?

It’s a BIG Problem
With no single, silver bullet solution

First Step: Known Vulnerabilities

~14% of npm Packages Carry Known Vulnerabilities
~83% of Snyk users found vulns in their apps
Source: Snyk data, Oct 2016

Software Supply Chain
Mandatory Josh Corman plug…

1. How do I protect myself?

1. How do I protect myself?
2. Can I learn from these vulns?

Live Hacking Begins…

JavaScript Takeaways
• Consider all encodings
  • Notably HTML & URL Encoding
  • Better yet: Whitelist instead of Blacklist
• Prevent long algorithm runs
  • Control Regexp input lengths
• Don’t initialize Buffer with integers
• Beware JSON type manipulations
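As an added example (not code from the slides or from Snyk), here is how the last four takeaways look in a hypothetical JSON message handler: a length-capped whitelist check instead of an encoding-specific blacklist, and a type check before an untrusted JSON field is turned into a Buffer. All function names, field names and limits are assumptions.

```javascript
// Added example (not from the slides): input handling that follows the takeaways above.
const MAX_NAME_LEN = 64;            // cap checked BEFORE the regex runs
const NAME_RE = /^[A-Za-z0-9_-]+$/;  // whitelist of permitted characters
const MAX_PAYLOAD_BYTES = 125;      // upper bound for a ping payload

// Whitelist instead of blacklist: because '%', '&', '<' and friends are not
// allowed at all, the check does not depend on guessing whether the input
// arrived URL-encoded or HTML-encoded. The length cap is applied first so a
// very long string never reaches the regex engine (long-run control).
function isValidName(name) {
  if (typeof name !== 'string') return false;
  if (name.length === 0 || name.length > MAX_NAME_LEN) return false;
  return NAME_RE.test(name);
}

// JSON lets the sender choose the type of every field. A number where a
// string is expected must be rejected here rather than passed on: in old
// Node, Buffer(1000) handed back 1000 bytes of uninitialised memory, and in
// current Node Buffer.from(1000) throws a TypeError at an unexpected place.
function payloadToBuffer(value) {
  if (typeof value !== 'string') {
    throw new TypeError(`payload must be a string, got ${typeof value}`);
  }
  const buf = Buffer.from(value, 'utf8');
  if (buf.length > MAX_PAYLOAD_BYTES) {
    throw new RangeError(`payload exceeds ${MAX_PAYLOAD_BYTES} bytes`);
  }
  return buf;
}

// Validate one inbound JSON message and return a result object instead of
// letting a malformed message throw inside the handler.
function handleMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: 'malformed JSON' };
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { ok: false, error: 'message must be a JSON object' };
  }
  if (!isValidName(msg.user)) return { ok: false, error: 'invalid user' };
  try {
    return { ok: true, user: msg.user, ping: payloadToBuffer(msg.ping) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```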

OSS Package Vulns are the new Unpatched Servers

Especially in Serverless/PaaS
https://snyk.io/blog/Serverless-Security-Vulnerabilities/

OSS Packages Takeaway
• Find vulnerabilities
  • Be sure to test ALL your applications
• Fix vulnerabilities
  • Upgrade when possible, patch when needed
• Prevent adding vulnerable modules
  • Break the build, test in pull requests
• Respond quickly to new vulns
  • Track vuln DBs, or use Snyk! </shameless plug>

Not just Node/npm
Impacts Open Source Packages, wherever they are

Open Source Is Awesome

Open Source Is Awesome
Please Enjoy Responsibly

Thank You!
Guy Podjarny, Snyk, @guypod