Slide 1

Slide 1 text

keeping javascript safe

Slide 2

Slide 2 text

keeping javascript safe security & the npm registry

Slide 3

Slide 3 text

C J Silverio CTO @ npm, @ceejbot

Slide 4

Slide 4 text

using node since 2011 node has grown up!

Slide 5

Slide 5 text

running npm's registry since 2014 npm has grown up too!

Slide 6

Slide 6 text

the story of the npm registry mirrors the story of node

Slide 7

Slide 7 text

npm is infrastructure for millions of developers

Slide 8

Slide 8 text

npm dependably serves node packages 24/7 around the world

Slide 9

Slide 9 text

Fortune 100 companies depend on npm & node

Slide 10

Slide 10 text

3 billion downloads/week 9 million users 156K package authors (1.7%)

Slide 11

Slide 11 text

npm has as many users as New York City

Slide 12

Slide 12 text

it didn't start that way

Slide 13

Slide 13 text

in 2009, node & npm's users knew each other by name

Slide 14

Slide 14 text

the npm registry is now too large to depend on community policing

Slide 15

Slide 15 text

but you need that policing

Slide 16

Slide 16 text

you rely on the packages you install

Slide 17

Slide 17 text

questions you ask
1. Is the registry secure?
2. Does this package have vulnerabilities?
3. Is this package malware?
4. Who published this package?

Slide 18

Slide 18 text

1. Is the registry secure?

Slide 19

Slide 19 text

What does secure mean?
registry systems can't be broken into
data can't be tampered with

Slide 20

Slide 20 text

we don't try to do this alone
ongoing contract with ^Lift

Slide 21

Slide 21 text

this guy, Adam Baldwin (he'll come up again) & his colleagues

Slide 22

Slide 22 text

periodic pen testing
ongoing code reviews

Slide 23

Slide 23 text

good security practices are on-going work

Slide 24

Slide 24 text

2. Does this package have vulnerabilities?

Slide 25

Slide 25 text

our friends at ^Lift again, as the Node Security Platform

Slide 26

Slide 26 text

NSP reviews popular packages, reports vulnerabilities, & handles reports

Slide 27

Slide 27 text

https://nodesecurity.io

Slide 28

Slide 28 text

early access NSP data is integrated into npm enterprise

Slide 29

Slide 29 text

newsflash! npm is a company that sells services!

Slide 30

Slide 30 text

npm enterprise is a registry inside your firewall

Slide 31

Slide 31 text

NSP keeps us informed we keep them informed in turn

Slide 32

Slide 32 text

3. Is this package malware?

Slide 33

Slide 33 text

malware doesn't advertise

Slide 34

Slide 34 text

malware comes in flavors: spam & poison

Slide 35

Slide 35 text

spammers found the registry in 2016

Slide 36

Slide 36 text

two kinds of spam: spam content & js spam support

Slide 37

Slide 37 text

npm + cdns built on top == trivial hosting for GA clickjacking

Slide 38

Slide 38 text

now using machine learning to catch spam thanks to the Smyte service

Slide 39

Slide 39 text

spam speedbumps:
validated email to publish
disallow throwaway addresses

Slide 40

Slide 40 text

we seem to have made a dent but this war will never end

Slide 41

Slide 41 text

poison-flavored malware: typosquatting

Slide 42

Slide 42 text

publishing packages with names that are very close to real names

Slide 43

Slide 43 text

Historically this was competitive: authors would try to steal traffic to pump their download numbers

Slide 44

Slide 44 text

somebody typosquatted moment.js with another date-formatting package

Slide 45

Slide 45 text

also accidental JSONStream vs jsonstream

Slide 46

Slide 46 text

recently it's been nefarious: typosquat of cross-env as crossenv with an env var stealer

Slide 47

Slide 47 text

typosquat of bluebird wrapping bluebird with a cryptocoin miner

Slide 48

Slide 48 text

Adam Baldwin typosquatted coffee-script early on

Slide 49

Slide 49 text

it took days for the community to notice

Slide 50

Slide 50 text

now it takes weeks if the community notices at all

Slide 51

Slide 51 text

as spiderman said, with great popularity comes great annoyance

Slide 52

Slide 52 text

automated similarity checker
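An added example of the kind of check the slide refers to, written for this page and not npm's own similarity checker: it normalizes package names (case and separators) and applies an edit-distance threshold against a constructed list of well-known names, so that the cases from the previous slides (crossenv vs cross-env, jsonstream vs JSONStream) are flagged at publish time. The popular-package list, the threshold of 1, and the function names are assumptions of this example.

```javascript
// Added example, not npm's code: a look-alike name checker a registry could
// run before accepting a new package name. POPULAR_PACKAGES is constructed.
const POPULAR_PACKAGES = ['cross-env', 'JSONStream', 'moment', 'bluebird', 'lodash', 'express'];

// Names that differ only in case or separator characters are the cheapest
// typosquats to make (crossenv vs cross-env, jsonstream vs JSONStream),
// so compare a normalized form first.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Classic Levenshtein edit distance (insert / delete / substitute),
// computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // holds d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the popular names a candidate collides with or sits too close to,
// each with a reason; an empty array means nothing suspicious was found.
function findLookalikes(candidate, popular = POPULAR_PACKAGES, maxDistance = 1) {
  const hits = [];
  const normCandidate = normalizeName(candidate);
  for (const name of popular) {
    if (name === candidate) {
      hits.push({ name, reason: 'exact match (name already taken)' });
    } else if (normalizeName(name) === normCandidate) {
      hits.push({ name, reason: 'identical after case/separator normalization' });
    } else {
      const d = editDistance(normCandidate, normalizeName(name));
      if (d <= maxDistance) hits.push({ name, reason: `edit distance ${d}` });
    }
  }
  return hits;
}

// Usage: findLookalikes('crossenv') flags cross-env; findLookalikes('react') returns [].
```

The normalization step is what catches the accidental JSONStream/jsonstream collision as well as the deliberate crossenv squat; the edit-distance threshold catches single-character typos against the same list. A real checker would weight hits by download volume rather than treating every popular name equally.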

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

this war will never end so long as there is $ to be made

Slide 55

Slide 55 text

4. Who published this package?

Slide 56

Slide 56 text

What happens if somebody steals JDD's auth token & posts malware as lodash?

Slide 57

Slide 57 text

Well, that's scary. npm auth tokens are sensitive.

Slide 58

Slide 58 text

new! tools in the npm cli to help you control auth tokens

Slide 59

Slide 59 text

new command: npm token
control your auth tokens

Slide 60

Slide 60 text

npm token create --readonly

Slide 61

Slide 61 text

read-only auth tokens
the principle of least power

Slide 62

Slide 62 text

give your CI system a read-only token

Slide 63

Slide 63 text

npm token create --cidr=[10.0.0.1/32]

Slide 64

Slide 64 text

CIDR-bound tokens
bind tokens to IP ranges

Slide 65

Slide 65 text

further limit your tokens by controlling where they can be used
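As an added example (not npm's registry code), this is the server-side decision a registry could make for a token created with `npm token create --readonly` and `--cidr=[...]`, covering both the read-only slides and the CIDR slides above: the request's source IP must fall inside one of the token's CIDR ranges, and a read-only token must never be allowed to publish. The token record shape, the `authorize` function, and the rule that an empty CIDR list means "not IP-bound" are assumptions of this example; the sample tokens and requests are constructed.

```javascript
// Added example, not npm's code: authorization of a request against a
// read-only and/or CIDR-bound token. IPv4 only, arithmetic on plain numbers
// so no 32-bit signedness issues arise.

function ipv4ToNumber(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, part) => {
    const n = Number(part);
    if (!/^\d{1,3}$/.test(part) || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// Parse "10.0.0.0/8" into a network number plus the size of its host space.
function parseCidr(cidr) {
  const [addr, prefixText] = cidr.split('/');
  const prefix = prefixText === undefined ? 32 : Number(prefixText);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in ${cidr}`);
  const hostBits = 2 ** (32 - prefix);
  return { network: Math.floor(ipv4ToNumber(addr) / hostBits), hostBits };
}

function ipInCidr(ip, cidr) {
  const { network, hostBits } = parseCidr(cidr);
  return Math.floor(ipv4ToNumber(ip) / hostBits) === network;
}

// Accepts the flag value as typed on the slide, e.g. "[10.0.0.1/32,192.168.0.0/16]".
function parseCidrFlag(value) {
  return value.replace(/^\[|\]$/g, '').split(',').map(s => s.trim()).filter(Boolean);
}

// token: { readonly: bool, cidrWhitelist: [cidr...] }  (assumed shape)
// request: { ip: '1.2.3.4', write: bool }              (assumed shape)
// An empty cidrWhitelist means the token is not IP-bound (assumption).
function authorize(token, request) {
  if (token.cidrWhitelist.length > 0 && !token.cidrWhitelist.some(c => ipInCidr(request.ip, c))) {
    return { allowed: false, reason: 'source IP outside the token CIDR whitelist' };
  }
  if (token.readonly && request.write) {
    return { allowed: false, reason: 'read-only token cannot publish or change packages' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample tokens: one for a CI box, one for a developer laptop.
const CI_TOKEN = { readonly: true, cidrWhitelist: parseCidrFlag('[10.0.0.1/32]') };
const LAPTOP_TOKEN = { readonly: false, cidrWhitelist: [] };
```

Checking the CIDR range before the read/write scope means a leaked CI token used from anywhere else is refused outright, which is the property the slides are after: a stolen token is worth little when it can only read and only from one address.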

Slide 66

Slide 66 text

npm token list
npm token delete

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

new command: npm profile

Slide 69

Slide 69 text

set your profile data like your email or ...

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

well that's boring

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

that's not boring

Slide 74

Slide 74 text

npm profile enable-2fa
two-factor authentication is here

Slide 75

Slide 75 text

require regular password plus a one-time password

Slide 76

Slide 76 text

npm profile enable-2fa auth-only

Slide 77

Slide 77 text

auth-only: any time you log in or manipulate tokens

Slide 78

Slide 78 text

npm profile enable-2fa auth-and-writes

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

writes: your package publications pass the --otp flag

Slide 81

Slide 81 text

npm publish --otp=123456
pass it on the command line!

Slide 82

Slide 82 text

use a TOTP code generation app: Google Authenticator, Authy, etc.

Slide 83

Slide 83 text

npm install -g npm@next try it now!

Slide 84

Slide 84 text

code: github.com/npm/npm-profile
api docs: github.com/npm/registry

Slide 85

Slide 85 text

one more thing

Slide 86

Slide 86 text

coming attraction! protect a package with 2FA

Slide 87

Slide 87 text

require an OTP any time that package is published by anybody

Slide 88

Slide 88 text

protect packages with many maintainers
next cli minor release 5.6.0

Slide 89

Slide 89 text

coming soon! 2fa for your npm organization

Slide 90

Slide 90 text

coming soon! npm ci 3x speed for your CI installs

Slide 91

Slide 91 text

but what about package signing? we think we've figured out how

Slide 92

Slide 92 text

coming soon! even more

Slide 93

Slide 93 text

questions? help setting this up? come see me & puppies at the npm booth

Slide 94

Slide 94 text

npm wants you to develop in confidence

Slide 95

Slide 95 text

npm loves you