Ensuring a Node.js application is secure all the way through is not a simple, one-time task. In this month’s Need to Node with Guy Podjarny, CEO of Snyk, and Dan Shaw, CTO of NodeSource, we got an overview of a few Node.js module vulnerabilities, and how we can make security with Node.js easier with NodeSource N|Solid and Snyk.

Top 3 Takeaways

• Despite a suite of C++ dependencies, Node.js app vulnerabilities most frequently come from app code.

• Security vulnerabilities can and do affect widely-depended upon packages.

• There are two simple paths to secure Node.js applications, from NodeSource and Snyk.

Video

Webinar Recap

Node.js has a suite of low-level C++ bindings, including V8, libuv, and OpenSSL. That said, the vast majority of security vulnerabilities come from application code. More specifically, it comes from application dependencies.

Goof is a small TodoMVC application built by the Snyk team. It has a suite of modules that can be exploited, with instructions on how to do so in the repo.

Some common and dangerous vulnerabilities that have popped up in very frequently depended-upon packages like the mongoose Node.js library for MongoDB, the ms millisecond conversion utility, and Dust.js - with pretty severe vulnerabilities, like buffer overflows, Regular Expression Denial of Service (ReDos) attacks, and code injection.

Both N|Solid and Snyk help address severe security issues like these. N|Solid allows you to monitor your dependencies for security vulnerabilities in production, with automated alerts notifying you when a vulnerability in one of those production dependencies is found. Additionally, N|Solid has a suite of other security-focused features, including while

Snyk allows you to check against your repositories to see if you’re using any vulnerable packages, and let you know the severity of the vulnerabilities if any are found. Snyk also enables you to fix vulnerabilities via an automatically submitted PR, either with an updated version of your dependency, or with a direct code patch to your project. You can integrate Snyk into your CI/CD, PR tests, Slack team, and via the Snyk CLI.

Resources

• Take a look at N|Solid to learn more about its security features

• Check out Snyk, to check your repos for vulnerabilities and see how to integrate

• Details about the PayPal Dust.js vulnerability

• Node.js Zero Fill Buffer PR

Who to Follow

• Dan Shaw - NodeSource CTO

• Guy Podjarny - Snyk CEO

• Rod Vagg - NodeSource Chief Node Officer

• Danny Grander - Snyk Co-founder & Security