Slide 1: keeping javascript safe
Slide 2: keeping javascript safe: security & the npm registry
Slide 3: C J Silverio, CTO @ npm, @ceejbot
Slide 4: using node since 2011; node has grown up!
Slide 5: running npm's registry since 2014; npm has grown up too!
Slide 6: the story of the npm registry mirrors the story of node
Slide 7: npm is infrastructure for millions of developers
Slide 8: npm dependably serves node packages 24/7 around the world
Slide 9: Fortune 100 companies depend on npm & node
Slide 10: 3 billion downloads/week; 9 million users; 156K package authors (1.7%)
Slide 11: npm has as many users as New York City
Slide 12: it didn't start that way
Slide 13: in 2009, node & npm's users knew each other by name
Slide 14: the npm registry is now too large to depend on community policing
Slide 15: but you need that policing
Slide 16: you rely on the packages you install
Slide 17: questions you ask: 1. Is the registry secure? 2. Does this package have vulnerabilities? 3. Is this package malware? 4. Who published this package?
Slide 18: 1. Is the registry secure?
Slide 19: What does secure mean? registry systems can't be broken into; data can't be tampered with
Slide 20: we don't try to do this alone: ongoing contract with ^Lift
Slide 21: this guy, Adam Baldwin (he'll come up again) & his colleagues
Slide 22: periodic pen testing; ongoing code reviews
Slide 23: good security practices are on-going work
Slide 24: 2. Does this package have vulnerabilities?
Slide 25: our friends at ^Lift again, as the Node Security Platform
Slide 26: NSP reviews popular packages, reports vulnerabilities, & handles reports
Slide 27: https://nodesecurity.io
Slide 28: early access: NSP data is integrated into npm enterprise
Slide 29: newsflash! npm is a company that sells services!
Slide 30: npm enterprise is a registry inside your firewall
Slide 31: NSP keeps us informed; we keep them informed in turn
Slide 32: 3. Is this package malware?
Slide 33: malware doesn't advertise
Slide 34: malware comes in flavors: spam & poison
Slide 35: spammers found the registry in 2016
Slide 36: two kinds of spam: spam content & js spam support
Slide 37: npm + CDNs built on top == trivial hosting for GA clickjacking
Slide 38: now using machine learning to catch spam, thanks to the Smyte service
Slide 39: spam speedbumps: validated email to publish; disallow throwaway addresses
Slide 40: we seem to have made a dent, but this war will never end
Slide 41: poison-flavored malware: typosquatting
Slide 42: publishing packages with names that are very close to real names
Slide 43: Historically this was competitive: authors would try to steal traffic to pump their download numbers
Slide 44: somebody typosquatted moment.js with another date-formatting package
Slide 45: also accidental: JSONStream vs jsonstream
Slide 46: recently it's been nefarious: typosquat of cross-env as crossenv with an env var stealer
Slide 47: typosquat of bluebird wrapping bluebird with a cryptocoin miner
Slide 48: Adam Baldwin typosquatted coffee-script early on
Slide 49: it took days for the community to notice
Slide 50: now it takes weeks, if the community notices at all
Slide 51: as spiderman said, with great popularity comes great annoyance
Slide 52: automated similarity checker
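An added illustration of what an "automated similarity checker" for package names can look like; this is example code written for this page, not npm's own checker. The list of popular names is a constructed sample, and the normalization covers exactly the ways the cases above differ (case for JSONStream/jsonstream, punctuation for cross-env/crossenv, a ".js" suffix for moment/moment.js) plus one-character typos and adjacent transpositions.

```javascript
// Added example (not npm's code): flag new package names that collide with or
// sit one typo away from popular ones. POPULAR is a constructed sample list.
const POPULAR = ['moment', 'cross-env', 'bluebird', 'coffee-script', 'JSONStream', 'lodash'];

// Normalize the differences seen in real squats: case, a ".js" suffix, and
// punctuation such as "-", "_" and ".".
function normalize(name) {
  return name.toLowerCase().replace(/\.js$/, '').replace(/[-_.]/g, '');
}

// Optimal string alignment distance: Levenshtein edits plus adjacent
// transpositions ("lodsah" vs "lodash" counts as one edit).
function editDistance(a, b) {
  const d = [];
  for (let i = 0; i <= a.length; i++) d[i] = [i];
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { name, distance, reason } for the closest popular name the candidate
// collides with, or null when it is either unrelated or literally the same package.
function findSimilarName(candidate, popular = POPULAR, maxDistance = 1) {
  const c = normalize(candidate);
  let best = null;
  for (const p of popular) {
    if (p === candidate) return null; // the real package, not a lookalike
    const distance = editDistance(c, normalize(p));
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      const reason = distance === 0 ? 'differs only by case or punctuation' : 'one edit away';
      best = { name: p, distance, reason };
    }
  }
  return best;
}

// Demo over constructed candidate names (the bluebird squat's real name is not given on this page).
for (const name of ['crossenv', 'jsonstream', 'moment.js', 'bluebrid', 'express']) {
  console.log(name, '->', findSimilarName(name));
}
```

A registry-side check like this is a speedbump, not a verdict: a flagged name goes to human review, and the threshold and popular list would be tuned against real publish traffic.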
Slide 53: No content
Slide 54: this war will never end so long as there is $ to be made
Slide 55: 4. Who published this package?
Slide 56: What happens if somebody steals JDD's auth token & posts malware as lodash?
Slide 57: Well, that's scary. npm auth tokens are sensitive.
Slide 58: new! tools in the npm cli to help you control auth tokens
Slide 59: new command: npm token (control your auth tokens)
Slide 60: npm token create --readonly
Slide 61: read-only auth tokens: the principle of least power
Slide 62: give your CI system a read-only token
Slide 63: npm token create --cidr=[10.0.0.1/32]
Slide 64: CIDR-bound tokens: bind tokens to IP ranges
Slide 65: further limit your tokens by controlling where they can be used
Slide 66: npm token list; npm token delete
Slide 67: No content
Slide 68: new command: npm profile
Slide 69: set your profile data, like your email or ...
Slide 70: No content
Slide 71: well that's boring
Slide 72: No content
Slide 73: that's not boring
Slide 74: npm profile enable-2fa: two-factor authentication is here
Slide 75: require regular password plus a one-time password
Slide 76: npm profile enable-2fa auth-only
Slide 77: auth-only: any time you log in or manipulate tokens
Slide 78: npm profile enable-2fa auth-and-writes
Slide 79: No content
Slide 80: writes: your package publications pass the --otp flag
Slide 81: npm publish --otp=123456 (pass it on the command line!)
Slide 82: use a TOTP code generation app: Google Authenticator, Authy, etc
Slide 83: npm install -g npm@next (try it now!)
Slide 84: code: github.com/npm/npm-profile; api docs: github.com/npm/registry
Slide 85: one more thing
Slide 86: coming attraction! protect a package with 2FA
Slide 87: require an OTP any time that package is published by anybody
Slide 88: protect packages with many maintainers; next cli minor release 5.6.0
Slide 89: coming soon! 2fa for your npm organization
Slide 90: coming soon! npm ci: 3x speed for your CI installs
Slide 91: but what about package signing? we think we've figured out how
Slide 92: coming soon! even more
Slide 93: questions? help setting this up? come see me & puppies at the npm booth
Slide 94: npm wants you to develop in confidence
Slide 95: npm loves you