You need to, you know, take full ownership of your own dependencies. I mean, dependencies are great. There are like millions of packages right now on NPM that we can use to speed up how we work, right? And we don't have to rebuild every second, every project that we do. But it's important to understand that those libraries have some maintainers around, right? And we should be able to understand how the security of these libraries works, if they are maintained or not maintained and so on.
I mean, there are tools already there that we can use, you know, like Snyk and Socket and so on. But it's important that you include this, you know, review and audit of these kinds of dependencies, and keep them updated over time. So include this in your development life cycle.
You need to understand as well that if you, you know, create any kind of service that is outside and available on the internet, you have to, you know, put some limits on the use of resources, right? It can be like the typical API: apply rate limits on the API calls, you know, limit the communications, IP restrictions, you know, having policies, these kinds of things. As well, you need to understand how to manage the cookies, you know; sensitive data exposure is a very common thing, especially when we have errors on the server.
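The rate limits mentioned above, as an added example that is not from the talk: a per-client token-bucket limiter in plain Node.js, wrapped in the (req, res, next) shape Express middleware uses. No framework is required; the request and response objects are plain stand-ins, the client IPs are constructed, and the clock is injected so a burst can be replayed deterministically.

```javascript
// Added example (not from the talk): per-client token-bucket rate limiting
// for a public API. Each client gets `capacity` burst tokens, refilled at
// `refillPerSec`; a request costs one token.
class TokenBucketLimiter {
  // now(): injected clock in milliseconds (defaults to wall clock)
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // client key -> { tokens, last }
  }

  // Decide one request from `key`; returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    // Refill proportionally to elapsed time, never above capacity.
    const elapsedSec = (t - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    // Tell the client how long until one whole token is available again.
    const deficit = 1 - b.tokens;
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil((deficit / this.refillPerSec) * 1000) };
  }
}

// Express-shaped middleware. It only touches req.ip, res.set/status/json and
// next, so plain objects stand in for a real app in this example.
function rateLimitMiddleware(limiter, keyOf = (req) => req.ip) {
  return (req, res, next) => {
    const r = limiter.check(keyOf(req));
    res.set('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.set('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'rate limit exceeded' });
    }
    return next();
  };
}

// Replay a burst of n requests from one constructed client against a limit
// of 3 with a refill of 1 token/s, then three more requests two seconds later.
function simulateBurst(n) {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity: 3, refillPerSec: 1, now: () => clock });
  const client = '203.0.113.7'; // constructed documentation-range IP
  const results = [];
  for (let i = 0; i < n; i++) results.push(limiter.check(client).allowed);
  clock += 2000; // two tokens have been refilled by now
  for (let i = 0; i < 3; i++) results.push(limiter.check(client).allowed);
  return results;
}

console.log(simulateBurst(5));
```

Keying on `req.ip` only works when the proxy chain is trusted and `trust proxy` is configured correctly; otherwise a forged `X-Forwarded-For` lets one client spread its requests over many buckets, so the key choice matters as much as the numbers.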
I see, unfortunately, recently, a lot of scenarios where the people didn't handle properly the errors on the server and you end up sending this information back as the content of the request and so on. So you basically are providing even much more information than needed to a potential attacker as well. So that's important, you need to handle errors properly. And you need to log these kinds of things as well, right? You need to have proper logging in place so you can understand what happened with every request and what's going on in your server, on the services that you have online. So later on, you can do a proper audit and trace what happened and understand what's going on, right? Not only for misconfiguration and bugs and errors, but also in terms of security: understanding how people are exploiting your system will help you to understand how to secure it, basically. And you need to have some kind of security monitoring and so on.
I'm saying a lot of things, right? So you end up having a big list. So prioritization is important. So let me show you some real-world vulnerabilities that might be quite common, or that I see quite commonly. So prototype pollution is one of the most tricky things in my experience. I see this a lot. It's a very common thing in JavaScript. We have some mechanisms in Node.js and Express to prevent these kinds of things. But we don't do that for the payloads that they send you, right? So you need to be clear that when someone sends you like a JSON or so on, you can see there a lot of malicious payloads that can force this kind of prototype pollution. So it's important to understand deeply how this works and also to do these sanitizations.
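The prototype pollution mechanism described above, as an added example that is not from the talk: a naive recursive merge of a parsed JSON body walks into a `__proto__` key and writes onto `Object.prototype`, while a hardened merge skips the prototype-reaching keys and only copies own properties. The payload is constructed, and the guard function is this example's own way of refusing such bodies at the door rather than silently sanitizing them.

```javascript
// Added example (not from the talk): why merging untrusted JSON into an
// object is dangerous, and what a safe merge looks like.

// Vulnerable: follows whatever key the input names. JSON.parse creates an own
// property literally named "__proto__", and target["__proto__"] on a plain
// object resolves to Object.prototype, so the nested keys land there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip keys that can reach the prototype chain, iterate own keys
// only, and create nested containers with no prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (existing === null || typeof existing !== 'object') target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Request-body guard: true if a blocked key appears at any depth, so the
// request can be rejected with a 400 before it reaches any merge.
function containsPollutionKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) return true;
    if (containsPollutionKeys(value[key])) return true;
  }
  return false;
}

// Run one merge function against the same constructed payload and report
// whether a fresh, unrelated object inherited `isAdmin` afterwards.
function demo(mergeFn) {
  const payload = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}'); // constructed
  const before = ({}).isAdmin; // undefined while Object.prototype is clean
  mergeFn({}, payload);
  const after = ({}).isAdmin; // true if Object.prototype was polluted
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  return { before, after };
}

console.log('unsafe:', demo(unsafeMerge), 'safe:', demo(safeMerge));
```

The same `__proto__` object also shows up through query-string and form parsers that build nested objects, so the guard belongs in front of every body or query parser, not only JSON.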
For example, it's understood that people think that Express provides you like a, you know, pretty full set of security headers in place. So you have a lot of policies and so on in the headers, and this makes your application much more secure. Actually, Express doesn't do that today. But there are libraries that help you with that, like Helmet, right? So it's important to understand these kinds of things because they'll reduce a lot the attack surface of your applications. Malicious third-party packages. This is a very common thing.