Security Controls in the JavaScript Supply Chain

Rate this content
Bookmark

The omnipresence of open-source software and low-barrier of entry on npmjs are serving as a catalyst for supply chain security incidents that are continuously impacting JavaScript developers. What can we do to protect ourselves?

This talk has been presented at JSNation 2022, check out the latest edition of this JavaScript Conference.

FAQ

Yaron Tal is a developer advocate at Snyk, involved in various aspects of the JavaScript ecosystem, focusing on helping developers build secure software.

The main focus of Yaron Tal's work at Snyk is to help developers build and ship secure software, whether through CI, IDE, or other tools, and to engage with the community on security projects.

Developers often feel uneasy about running npm install because it involves a high level of trust in third-party dependencies and maintainers, which can introduce vulnerabilities and risks.

'Reflections on Trusting Trust' by Ken Thompson is an essay that explores the concept of trust in software development, demonstrating how backdoors can be inserted into software at multiple levels, making it difficult to detect malicious code.

Open source software is important in modern software development because it allows developers to use and build upon existing work, improving productivity and avoiding the need to reinvent the wheel.

Some preventive measures to enhance security in the JavaScript ecosystem include using lock file linting, avoiding blind upgrades, using automated bots for dependency management, and configuring CI/CD pipelines to ignore scripts.

In January 2022, the 'colors' npm package was sabotaged by its own maintainer, causing a denial of service. This incident impacted many projects that indirectly depended on 'colors,' including AWS CDK and Salesforce packages.

Developers can mitigate the risk of arbitrary command execution from npm packages by using the '--ignore-scripts' flag during installation and carefully managing and reviewing dependencies.

A Trojan source attack involves inserting hidden control characters into source code to change its behavior without being visible to the reviewer. It can be mitigated by using tools and plugins that detect such characters and by reviewing code in environments that highlight these issues.

Supply chain security in software development refers to the security of all the components and processes involved in building and delivering software, including source control, build processes, and third-party dependencies.

Liran Tal
Liran Tal
28 min
16 Jun, 2022

Comments

Sign in or register to post your comment.
Video Summary and Transcription
This talk discusses the security challenges in the JavaScript ecosystem, including supply chain security, lock file tampering, and arbitrary command execution. It highlights the risks of blind upgrades and hidden comments in code. The talk also covers dependency confusion attacks and the importance of establishing a threat model for node applications.

1. Introduction to JavaScript Ecosystem Security

Short description:

Thank you for joining me today. I'm Yaron Tal, a developer advocate at Snyk. I will share real-world stories about the role of developers in the security ecosystem and the state of security in the JavaScript ecosystem. When you do an npm install, it's okay to feel concerned. I will provide security controls to mitigate the risks. Installing an average npm package involves trusting numerous maintainers and dependencies. This concern is not new and has been discussed for decades, as demonstrated by Ken Thompson's essay on trusting trust.

And now... Well, thank you, everyone, for joining me today. My name is Yaron Tal, and I'm a developer advocate at Snyk. And I'm going to talk about several stories happening in the JavaScript ecosystem, in which I'm involved in several parts through my work at Snyk, trying to help developers, you know, me and yourself, all of us, build secure software, ship it, whether it's your CI or IDE or whatever.

It's a really great way to just interact and engage developers. But through that work, I also do a lot of things with a community, which is through the OS security project, or maybe through things like the node foundation security, triage vulnerabilities, and a lot of work around open source. And that kind of like, helps me get a clear picture of what is going on, where things are going.

So, with that said, today, I would like to share with you some real-world stories and tell you how developers like yourselves play a very fundamental and key role in the security ecosystem and even in security incidents that have been happening recently. Also, what is the current state of affairs with the security and the supply chain security of open source and JavaScript ecosystem.

Now, I realize that this is probably, everyone kind of like relates to this in a very emotional state, right, when you go and do an npm install. Yes? So, I'm here to tell you that this is okay. You are filling something that every one of us fills before we do an npm install, and this whole talk will basically be about why you feel that way, but also give you some preventive measures, some security controls that you can have and add tomorrow in your team to be able to mitigate the risks around things that happen there.

So, that filling that you have if you can relate to that MIM is basically very based on some foundational scientific research. One of those cases a couple of years ago have shown us how when we install the average npm package, we put a lot of trust out there into maintainers. And third-party dependency that we're bringing in. Installing the average npm package just by that, you're probably trusting about 79 third-party dependencies and 79 and then 39 maintainers. That's a lot. That means there's going to be probably a lot of noise and potentially pain to maybe also remediate some of this. But this is the truth of the things.

And I'm also here to tell you that this isn't a new concern. In fact, this whole thing about where do we put our trust as developers and how much should we trust? What should we trust exactly? Is something that's been talked about almost 40 years ago. This person called Ken Thompson, he's an award-winning Turing award developer, and he had actually went on to create this essay called Reflections on Trusting Trust. I highly recommend reading it, but just giving you the gist of what it actually means.

So this person went off and said, I want to show you what it means to trust people. And then he added a back door to the Unix login program. But of course people review codes, right? On open source. So then he went on and continued this chain of adding the back door to the compiler that then compiles the login program and then it will inject it. But well, people also review the compiler codes. Well, how do you compile compilers? You need one entry point to begin with. And so he actually went on and added that back door.

2. Insights on Open Source and Supply Chain Security

Short description:

That's Rojan thing that he wanted to show us as an experiment how this works. Added this to the compiler that then compiles the Unix login program. It reveals why trust is important and how much further we need to go. Open Source is great and using it is a productivity tool. We need to understand the gift of Open Source and the supply chain security story. It's not just about NPM dependencies, but also the entire software building process and integration points.

That's Rojan thing that he wanted to show us as an experiment how this works. Added this to the compiler that then compiles the Unix login program. So if you review the Unix login program and if you review the compiler, at that point you will not see it anymore. Because you still need a binary compiler to then compile all of those. And that is where things are happening. That is where the back door is inserted.

A very interesting insight in revealing how software kind of like has traits and how it spawns them on to other specific programs that it gets generated out of. And so I highly recommend reading this. But it shows us like why trust is important and how much further we need to go in order to put that trust somewhere.

So still Open Source is great. And we can't deny the fact that to build software today, we need to use Open Source software even when maybe the program that we build is not Open Source itself, maybe half of it or whatever. But that's kind of like the reality. And of course, why not? Why not use Open Source software, right? Because essentially what we really want is not to reinvent the wheel. We want to use work that great people have done, and then we can take that work and use it to practice. And this is a great productivity tool.

So by now, I'm pretty sure we're hitting that two million mark on NPM. So I don't know. Amazing to us, to all of you here, helping us promote Open Source software. But at the same time, we kind of need to understand and recognize this gift that we're given, that Open Source has been given to the world, and what it actually means. So all of those packages, they are essentially the supply. This is part of the supply chain security story. And it is relatively an easy thing to think for us, that all those supply chain securities may be NPM dependencies. But it's not really just that. In fact, if we go back all the way to the basics of how software is being built, we can see that we have several connection points along the way. So you're a developer, you're building something, maybe pushing it to GitHub. That's basically your source control, then there's a build getting triggered, then there's some output out of that. Maybe that's essentially a package or maybe that's getting thrown onto some CDN or whatever. And you're using some open source through the build process. So all of that is essentially how we're building software. But here are the integration points of what supply chain security means at the very basic level.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Levelling up Monorepos with npm Workspaces
DevOps.js Conf 2022DevOps.js Conf 2022
33 min
Levelling up Monorepos with npm Workspaces
Top Content
NPM workspaces help manage multiple nested packages within a single top-level package, improving since the release of NPM CLI 7.0. You can easily add dependencies to workspaces and handle duplications. Running scripts and orchestration in a monorepo is made easier with NPM workspaces. The npm pkg command is useful for setting and retrieving keys and values from package.json files. NPM workspaces offer benefits compared to Lerna and future plans include better workspace linking and adding missing features.
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
The Zen of Yarn
DevOps.js Conf 2022DevOps.js Conf 2022
31 min
The Zen of Yarn
Let's talk about React and TypeScript, Yarn's philosophy and long-term relevance, stability and error handling in Yarn, Yarn's behavior and open source sustainability, investing in maintenance and future contributors, contributing to the JavaScript ecosystem, open-source contribution experience, maintaining naming consistency in large projects, version consistency and strictness in Yarn, and Yarn 4 experiments for performance improvement.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.

Workshops on related topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.