node security project - lxjs 2013

Post on 12-May-2015


TRANSCRIPT

Wednesday, October 2, 13

Hi, I’m Adam
@adam_baldwin @liftsecurity @nodesecurity
@evilpacket

Node Security Project

Why


Things we had control over

• precommit-hook for linting
• pull requests for peer review
• education / values

Things we didn’t have control over

• other people’s code
• the delivery system (npm)

npm install altlhethings

npm install fs

npm install http

npm install socketio

404

~/analyzer$ node print.js ./output/output.json
buffer: 604
child_process: 2867
dgram: 836
dns: 674
fs: 15036
http: 12084
https: 2819
os: 1311
readline: 909
string_decoder: 65
timers: 230
tty: 335
vm: 354

Conclusions

• Core modules....
• Punctuation is hard
• Improve integrity checking

How


nodesecurity.io/contributors


New Process

child_process.exec
[pid 31152] execve("/bin/sh", ["/bin/sh", "-c", "ls"]

child_process.execFile
[pid 31176] execve("/bin/ls", ["/bin/ls"]

Catalyst for Change


Improved Resources


Private issues & Pull Requests

“I wish @github had private issues and pull requests for open source projects to improve responsible disclosure of security issues! Please RT”

j.mp/lxjs-nsp

nodeschool.io

security.md


github.com/nodesecurity


</presentation>
@adam_baldwin @liftsecurity @nodesecurity
@evilpacket
