node security project - lxjs 2013
TRANSCRIPT
Wednesday, October 2, 13
Hi, I’m Adam
Wednesday, October 2, 13
Hi, I’m Adam@adam_baldwin@liftsecurity@nodesecurity
Wednesday, October 2, 13
Hi, I’m Adam@evilpacket
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Node Security ProjectWednesday, October 2, 13
Why
Wednesday, October 2, 13
•precommit-hook for linting•pull requests for peer review•education / values
Things we had control over
Wednesday, October 2, 13
•other peoples code•the delivery system (npm)
Things we didn’t have control over
Wednesday, October 2, 13
npm install altlhethings
Wednesday, October 2, 13
npm install fs
Wednesday, October 2, 13
npm install http
Wednesday, October 2, 13
npm install socketio
Wednesday, October 2, 13
404
Wednesday, October 2, 13
~/analyzer$ node print.js ./output/output.json buffer: 604child_process: 2867dgram: 836dns: 674fs: 15036http: 12084https: 2819os: 1311readline: 909string_decoder: 65timers: 230tty: 335vm: 354
Wednesday, October 2, 13
•Core modules....•Punctuation is hard•Improve integrity checking
Conclusions
Wednesday, October 2, 13
Wednesday, October 2, 13
How
Wednesday, October 2, 13
nodesecurity.io/contributors
Wednesday, October 2, 13
New Process
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
Wednesday, October 2, 13
child_process.exec[pid 31152] execve("/bin/sh", ["/bin/sh", "-c", "ls"]
child_process.execFile[pid 31176] execve("/bin/ls", ["/bin/ls"]
Wednesday, October 2, 13
Wednesday, October 2, 13
Catalyst for Change
Wednesday, October 2, 13
Improved Resources
Wednesday, October 2, 13
Private issues &
Pull RequestsWednesday, October 2, 13
“I wish @github had private issues and pull requests for open source projects to improve responsible disclosure of security issues! Please RT”
j.mp/lxjs-nspWednesday, October 2, 13
nodeschool.ioWednesday, October 2, 13
security.md
Wednesday, October 2, 13
github.com/nodesecurity
Wednesday, October 2, 13
</presentation> @adam_baldwin@liftsecurity@nodesecurity
@evilpacket
Wednesday, October 2, 13