Slide 1

Securing your nodejs deployments while you sleep
Ahamed Nafeez

Slide 2

No content

Slide 3

Continuous Delivery

Slide 4

A vulnerability gets out to the internet before the security team looks at it or a scanner is run. Code deployment is now near-instantaneous.

Slide 5

Constant iteration in production via feature flags, A/B testing, etc.

Slide 6

Attack vs Defence

Slide 7

These don't write themselves:
A/B usability tests
Error-catchers
Benchmarking

Slide 8

What about the security of your data and nodejs app?

Slide 9

People start with a simple access control policy: everyone has access to everything.

Slide 10

Or maybe you never gave a thought to your front-end architecture to prevent cross-domain attacks.

Slide 11

Security should be a first class requirement.

Slide 12

Watch the code as soon as it gets deployed. Do continuous integration with security checks relevant to the diffs / delta.

Slide 13

What if you could monitor code commits for insecure patterns / behaviours?

Slide 14

Let's try doing that on a repository on GitHub.

Slide 15

In 3 simple steps:
1. Use GitHub's WebHooks.
2. Get all commits to your repository.
3. Get the diff and send it across various security tests.

Slide 16

What can you test?

Slide 17

Simple static analysis
1. Insecure usage of templates for Cross-Site Scripting (XSS)
2. Insecure libraries
3. ...

Slide 18

Dynamic analysis
1. New routes being added
2. State-changing routes being added

Slide 19

git-watchdog
Collects post-receive events from GitHub and alerts you on security errors

Slide 20

Cross-Site Scripting (XSS)

Slide 21

Imagine an injection context inside a JS variable:

var a = "--user-input-here--"; alert('Finished');

Slide 22

Just strip out / escape the " character (double quotes).

Slide 23

Guess what happens?

var a = ""; alert('Finished');

Slide 24

The HTML parser takes precedence over the JS parser.

Slide 25

What defensive front-end architecture looks like:
Principle of unobtrusive JavaScript
Client-side templating
Content Security Policy
Reduce the entry point to one

Slide 26

Templating & XSS
<%= %>, {{ }}: HTML encoded, usually XSS safe.
<%- %>, {{{ }}}: no encoding, causes XSS in any context.
Your design should naturally avoid this.

Slide 27

This works until someone who doesn't understand your code starts committing to production.

Slide 28

Things to look out for: anything which has <%- or {{{ needs some attention. Write a simple module which checks the code commits for that.

Slide 29

Writing an XSS checker in git-watchdog
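As an added example (not git-watchdog's own code), a Node.js function that walks the unified diff of a commit and reports each added line carrying a raw-output tag, the "<%- or {{{" check from slide 28; the function name, the tag list and the sample diff are assumptions.

```javascript
// Added example, not git-watchdog's own code: scan the added lines of a
// unified diff for template tags that emit raw (un-encoded) HTML, the
// "<%- or {{{" check from slide 28. Names and the sample diff are assumed.

// Output tags that skip HTML encoding in EJS and Handlebars/Mustache templates.
const UNESCAPED_TAGS = [
  { name: 'ejs-raw', re: /<%-/ },
  { name: 'mustache-triple', re: /\{\{\{/ },
];

// Walk a unified diff and report each '+' line containing an unescaped tag, with
// the file and the line number it will have after the commit. Removed lines are
// ignored, so a commit that deletes a raw tag never raises an alert.
function scanDiffForUnescapedOutput(diff) {
  const findings = [];
  let file = null, inHeader = false, newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw.startsWith('diff --git ')) { inHeader = true; file = null; continue; }
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
    if (hunk) { inHeader = false; newLine = parseInt(hunk[1], 10); continue; }
    if (inHeader) {                          // "+++ b/views/x.ejs" names the new file
      if (raw.startsWith('+++ ')) file = raw.slice(4).replace(/^b\//, '');
      continue;
    }
    if (raw === '' || raw.startsWith('\\') || raw.startsWith('-')) continue;
    if (raw.startsWith('+')) {
      const text = raw.slice(1);
      for (const { name, re } of UNESCAPED_TAGS) {
        if (re.test(text)) findings.push({ file, line: newLine, tag: name, text });
      }
    }
    newLine++;                               // context and added lines both advance
  }
  return findings;
}

// Constructed sample commit: one raw EJS tag and one triple-stache are added.
const SAMPLE_DIFF = [
  'diff --git a/views/profile.ejs b/views/profile.ejs',
  '--- a/views/profile.ejs',
  '+++ b/views/profile.ejs',
  '@@ -10,3 +10,4 @@',
  ' <h1>Profile</h1>',
  '-<p><%= user.bio %></p>',
  '+<p><%- user.bio %></p>',
  '+<div>{{{ user.signature }}}</div>',
  ' <p>ok</p>',
].join('\n');

for (const f of scanDiffForUnescapedOutput(SAMPLE_DIFF)) console.log(`${f.file}:${f.line} [${f.tag}] ${f.text}`);
```

In a webhook handler the diff would come from the commit payload instead of the constructed string, and each finding becomes an alert.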

Slide 30

ExpressJS: web application framework for node

Slide 31

Scan on new routes being added? In Express, app._router.stack gives you all the registered routes. Pretty useful if you want to trigger a scan for a newly added endpoint. Figure out what works for your framework!

Slide 32

Let's discuss more: @skeptic_fx