Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping JavaScript safe

C J Silverio
October 04, 2017
Programming
3
400

Keeping JavaScript safe

Security & the npm registry. Presented at Node Interactive 2017 in Vancouver.

C J Silverio

October 04, 2017
Tweet

More Decks by C J Silverio

See All by C J Silverio
The economics of package management
ceejbot
4
1.5k
The future of (javascript) modules (in node)
ceejbot
1
270
ceej's how to solve it
ceejbot
6
760
work-life balance at npm
ceejbot
5
780
hash functions and you!
ceejbot
2
340
The accidental noder
ceejbot
2
140
Design Patterns & Modularity in the npm Registry
ceejbot
3
180
Monitoring on a budget
ceejbot
2
280
Cheating Gall's Law: MediterraneaJS edition
ceejbot
4
330

Other Decks in Programming

See All in Programming
Amazon Qを使ってIaCを触ろう!
maruto
0
410
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
初めてDefinitelyTypedにPRを出した話
syumai
0
410
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
Macとオーディオ再生 2024/11/02
yusukeito
0
370
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
130
Jakarta EE meets AI
ivargrimstad
0
630
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
250
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
KATA
mclloyd
29
14k
How GitHub (no longer) Works
holman
310
140k
Practical Orchestrator
shlominoach
186
10k
Become a Pro
speakerdeck
PRO
25
5k
Music & Morning Musume
bryan
46
6.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Art, The Web, and Tiny UX
lynnandtonic
297
20k

Transcript

  1. keeping javascript safe

  2. keeping javascript safe security & the npm registry

  3. C J Silverio CTO @ npm, @ceejbot

  4. using node since 2011 node has grown up!

  5. running npm's registry since 2014 npm has grown up too!

  6. the story of the npm registry mirrors the story of

    node

  7. npm is infrastructure for millions of developers

  8. npm dependably serves node packages 24/7 around the world

  9. Fortune 100 companies depend on npm & node

  10. 3 billion downloads/week 9 million users 156K package authors (1.7%)

  11. npm has as many users as the New York City

  12. it didn't start that way

  13. in 2009, node & npm's users knew each other by

    name

  14. the npm registry is now too large to depend on

    community policing

  15. but you need that policing

  16. you rely on the packages you install

  17. questions you ask 1. Is the registry secure? 2. Does

    this package have vulnerabilities? 3. Is this package malware? 4. Who published this package?

  18. 1. Is the registry secure?

  19. What does secure mean? registry systems can't be broken into

    data can't be tampered with

  20. we don't try to do this alone ongoing contract with

    ^Li!

  21. this guy, Adam Baldwin (he'll come up again) & his

    colleagues

  22. periodic pen testing ongoing code reviews

  23. good security practices are on-going work

  24. 2. Does this package have vulnerabilities?

  25. our friends at ^Li! again as the Node Security Platform

  26. NSP reviews popular packages, reports vulnerabilities, & handles reports

  27. h!ps://nodesecurity.io

  28. early access NSP data is integrated into npm enterprise

  29. newsflash! npm is a company that sells services!

  30. npm enterprise is a registry inside your firewall

  31. NSP keeps us informed we keep them informed in turn

  32. 3. Is this package malware?

  33. malware doesn't advertise

  34. malware comes in flavors: spam & poison

  35. spammers found the registry in 2016

  36. two kinds of spam: spam content & js spam support

  37. npm + cdns built on top == trivial hosting for

    GA clickjacking

  38. now using machine learning to catch spam thanks to the

    Smyte service

  39. spam speedbumps: validated email to publish disallow throwaway addresses

  40. we seem to have made a dent but this war

    will never end

  41. poison-flavored malware: typosqua!ing

  42. publishing packages with names that are very close to real

    names

  43. Historically this was competitive: authors would try to steal traffic

    to pump their download numbers

  44. somebody typosqua!ed moment.js with another date-forma!ing package

  45. also accidental JSONStream vs jsonstream

  46. recently it's been nefarious: typosquat of cross-env as crossenv with

    a env var stealer

  47. typosquat of bluebird wrapping bluebird with a cryptocoin miner

  48. Adam Baldwin typosqua!ed coffee-script early on

  49. it took days for the community to notice

  50. now it takes weeks if the community notices at all

  51. as spiderman said, with great popularity comes great annoyance

  52. automated similarity checker

  53. None

  54. this war will never end so long as there is

    $ to be made

  55. 4. Who published this package?

  56. What happens if somebody steals JDD's auth token & posts

    malware as lodash?

  57. Well, that's scary. npm auth tokens are sensitive.

  58. new! tools in the npm cli to help you control

    auth tokens

  59. new command: npm token control your auth tokens

  60. npm token create --readonly

  61. read-only auth tokens the principle of least power

  62. give your CI system a read-only token

  63. npm token create --cidr=[10.0.0.1/32]

  64. CIDR-bound tokens bind tokens to IP ranges

  65. further limit your tokens by controlling where they can be

    used

  66. npm token list npm token delete <tokenKey>

  67. None

  68. new command: npm profile

  69. set your profile data like your email or ...

  70. None

  71. well that's boring

  72. None

  73. that's not boring

  74. npm profile enable-2fa two-factor authentication is here

  75. require regular password plus a one-time password

  76. npm profile enable-2fa auth-only

  77. auth-only: any time you log in or manipulate tokens

  78. npm profile enable-2fa auth-and-writes

  79. None

  80. writes: your package publications pass the --otp flag

  81. npm publish --otp=123456 pass it on the command line!

  82. use a TOTP code generation app Google Authenticator, Authy, etc

  83. npm install -g npm@next try it now!

  84. code: github.com/npm/npm-profile api docs: github.com/npm/registry

  85. one more thing

  86. coming a!raction! protect a package with 2FA

  87. require an OTP any time that package is published by

    anybody

  88. protect packages with many maintainers next cli minor release 5.6.0

  89. coming soon! 2fa for your npm organization

  90. coming soon! npm ci 3x speed for your CI installs

  91. but what about package signing? we think we've figured out

    how

  92. coming soon! even more

  93. questions? help se!ing this up? come see me & puppies

    at the npm booth

  94. npm wants you to develop in confidence

  95. npm loves you