Log in
JavaScript Conferences
Node Congress 2023Node Congress 2023
EN

Supply Chain Security Experience

Bradley Farias
Bradley Farias
He has been in the Node.js community as a contributor.
Rate this content
Bookmark

Developers are flooded with tools and worries provided by security vendors. From researchers finding theoretical attacks, to time spent dealing with package updates, to simple accidents causing downtime all of these exist. Taking some history into account to understand the basic categories of attacks and how practical they are to exploit or even how common they are will give some assurance and guidance on where a developer can focus their limited energy and get the most out of their efforts.

This talk has been presented at Node Congress 2023, check out the latest edition of this JavaScript Conference.

FAQ

Supply chain security in software development refers to the protection of the entire network of people, tools, and dependencies that come together to create a software application. It ensures that all elements in this network are secure from vulnerabilities and potential attacks.

The average JavaScript project has around 80 dependencies. When you add a dependency in your package.json file, you are actually pulling in around 81 dependencies due to sub-dependencies.

Security vendors often emphasize the risks and vulnerabilities to encourage you to invest in their security products. They may highlight potential threats to persuade you that their solutions are necessary to protect your application.

When evaluating security threats, consider who can perform the attack, what the attack can do, and where the attack can be performed. Assessing these factors can help determine the actual impact and practicality of the threats.

Socket focuses primarily on the security of your dependencies. They emphasize the importance of understanding and managing the dependencies in your application to prevent potential security risks.

Understanding the dependencies in your application is crucial because each dependency can introduce new sub-dependencies, which may contain vulnerabilities. Not knowing these dependencies can expose your application to security risks.

Security vendors can offer proactive and reactive approaches. Proactive security aims to prevent vulnerabilities before they occur, while reactive security deals with identifying and mitigating vulnerabilities after they have been discovered.

You should ask security vendors about practical scenarios, such as how their tools handle famous vulnerabilities like Figure.js, Event Stream, and Lettpad. Also, inquire about their proactive and reactive measures and how they can prevent future incidents.

You shouldn't be overwhelmed by the number of dependencies because having hundreds of dependencies does not necessarily mean they are all risky. Focus on obtaining quality signals and noise ratios to make informed decisions about the actual security impact.

If there is a security incident, determine the impact on your production machine and business operations. Assess how much effort is needed to fix the issue and maintain the system. Additionally, consider what measures can be taken to prevent future incidents.

security
Bradley Farias
Bradley Farias
8 min
17 Apr, 2023

Comments

Sign in or register to post your comment.
Video Summary and Transcription
Supply chain security is important in software development, and it's crucial to assess the actual impact of threats. When dealing with security vendors, ask practical questions about vulnerabilities and impacts. Focus on quality signal and noise ratios when considering the number of dependencies. Ongoing conversations with vendors are important to address concerns. Stay informed and make informed decisions.
Available in Español: Experiencia en Seguridad de la Cadena de Suministro

1. Introduction to Supply Chain Security

Short description:

Hi, I'm Bradley Farias. I work at Socket on Supply Chain Security. Supply Chain refers to the network of people, tools, and dependencies that come together to build software. Security vendors often exaggerate the risks and try to make you panic. It's important to ask questions and assess the actual impact of the threats. When considering security, focus on your application, its dependencies, and the consumers. At Socket, we prioritize defending against dependencies and the risks they introduce. Understanding what the security vendor offers and tailoring it to your needs is crucial.

Hi, I'm Bradley Farias. I work at Socket on Supply Chain Security, and I want to talk to you a little bit about experience of doing so and how to not be overwhelmed by all these security people trying to talk to you about their wonderful products and all the chaotic mess that we have.

So Supply Chain just means a network of different people, of different tools, different dependencies, all coming together to make your application for software. People want to blow this out of proportion, oh this network is ever expanding and stuff like that. And it is large, especially in JavaScript. The average dependency might have around 80 dependencies, what we're seeing at work today. So whenever you pull in a dependency in your package.json for node, you're actually pulling in around 81 on average. Because each dependency may have another dependency. Which is a little bit scary to think about, but it's just the reality of the nature of building software these days. Everybody's working together. And that means our supply chain is very large.

This has security people and security vendors wanting you to panic. They want you to think that all sorts of things are vulnerable. Any sort of attack, everywhere, even the most minute kind of attack, is something you must be vigilant against. You must spend thousands and thousands of your money to just defend against something when in reality if you ask some questions. Who can actually perform the attack? What can the attack do? Where can the attack actually be performed? And these kind of things. You might notice that, okay, we can invest in these things that the security vendor has said are the most important things, but the impact of them is very small. And so it may be the case that all these security threats that are being identified, that are shown to you by these security vendors are impractical, or just don't do anything to what you have.

So when you think about this, you need to think about your application, the dependencies in your application, and the consumers of your application. And who is the security vendor actually doing something for? Are they preventing consumers from doing something bad to your application? Are they preventing dependencies from exposing dangers to your application? For our work at Socket, we are mostly focused on your dependencies. We have a high level of trust on your application. And that's not to say it's the only thing we defend against, but a lot of the time, when you are working with dependencies, you don't read their source code. You don't know what happens when you update your dependencies. They could pull in a new dependency, and when that dependency updates, pulling in a new dependency could introduce a backdoor. It could introduce a problematic script that runs on your development machine, on your build server, and stuff like that. A lot of this is about trying to figure out what the security vendor is providing for you. What the security vendor is trying to tailor their experience for. They could be informative. They are trying to tell you, this thing that you installed has 80 dependencies within it. You're not installing one when you add it to your package JSON.

2. Asking Security Vendors the Right Questions

Short description:

You need to ask security vendors practical questions about vulnerabilities, scenarios, and impacts. Don't be overwhelmed by the number of dependencies; focus on quality signal and noise ratios. Ensure that vendors have answers for incidents and preventive measures. Have ongoing conversations with vendors to address concerns. Demo time is limited, but stay informed and make informed decisions.

You're actually installing 81 packages. They may be proactive. They might try to prevent you from installing something. Oh, this install will cause you to have an install script. The install script looks a little bit scary. Let's back off.

So they could be proactive about security, or they could be reactive. Oh, we saw that this vulnerability occurred. These are the steps you could do to identify what happened. What was vulnerable when and what data was affected by it. You need to ask these questions when you're talking to security vendors. And ask about scenarios, practical ones.

Figure.js, Event Stream, Lettpad, these are all very famous. I have a great deal of hope that every security vendor you talk to has at least some basic answer for what would occur when using their tool, if their tool even affects those scenarios. These have academic papers written on these events, these are in Wikipedia articles and stuff like that. Or any theoretical scenarios that you can come up with.

But a lot of these come down to a famous xkcd. A random person is hidden within your dependencies. You don't know who this random person is. They're so deep down in there, their dependency is so deep down in there that when they have a problem, when they introduce risk malicious scripts into your codebase, you may not be able to see it. And these tools are trying to expose that. And it seems overwhelming.

Oftentimes when you have hundreds and hundreds of dependencies, you may only have a few that are risky. So don't be overwhelmed by numbers. Get quality signal and noise ratios so that you can actually do an informed decision. And the impact. When you're talking to these vendors, they may show you a great demo, but they definitely need to have answers to what happens if there is an incident. Is it going to take down your production machine? Is it going to cause problems for you as a business? And how much effort is it going to take for a developer when they're waiting on a fix to keep the production machines alive? What can you do after it? You've fixed it, but is there anything that the tool can do to prevent the next incident? And you need to go and have that conversation repeatedly. And hopefully the vendors have an answer for you. That's all. Don't get overwhelmed. Everybody's trying to show the value of their product as fast as they can because we have a very short amount of time when we're demoing things. Yes, it will all be good.

Available in other languages:

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
Feross Aboukhadijeh
Feross Aboukhadijeh
Feross is the author and maintainer of WebTorrent, StandardJS, and 100s of other open source projects
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
node.jssecurity
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Phil Nash
Phil Nash
DataStax
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
securityauthentication
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
Rafael Gonzaga
Rafael Gonzaga
NearForm & Technical Steering Committee, Brazil
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
node.jssecurity
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão
Lucas Estevão
Technical Manager and Principal UI Engineer.
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
next.jssecurityreact 18
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
Liran Tal
Liran Tal
Snyk
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.
reactsecurityxss
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
Liran Tal
Liran Tal
Snyk
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.
reactcase studysecurity

Workshops on related topic

0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
reactweb developmentsecurityauthentication
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
node.jssecurity
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
security
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
case studyjavascriptnode.jssecuritynpm
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
code qualityci cdsecurity
Passwordless Auth to Servers: hands on with ASA
DevOps.js Conf 2022DevOps.js Conf 2022
32 min
Passwordless Auth to Servers: hands on with ASA
WorkshopFree
E. Dunham
E. Dunham
These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized.
- we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run
devopssecurity