Join the conversation #devseccon
Guy Podjarny, Snyk (@guypod)
Secure Node Code a.k.a. Stranger Danger
snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
  • Cyber Security part of Israel Defense Forces
  • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
  • Security: Worked in Sanctum -> Watchfire -> IBM
  • Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker
Open Source Is Awesome
Share Your Work
Reuse What Others Built
Focus on Creating Your Own New Thing
Open Source Usage Has Exploded
Open Source != Secure
Open Source != Insecure Either!
Heartbleed
Shellshock
Logjam
Attackers Are Targeting Open Source
One vulnerability, many victims
~30% of Docker Hub images carry known vulnerabilities (high-priority known vulnerabilities, to be exact)
Source: BanyanOps Analysis
Docker Security
• Ubuntu: usn, Auto Sec Updates
• Fedora: yum security, Auto Sec Updates
That’s OSS Binaries.
What about OSS Packages?
Just as Hacker-Friendly…
1. Vulnerabilities already found, and found often
2. Used everywhere - millions of downloads/month, in many orgs
3. Hard to update, due to dependency chains, breakage & scattered use
Let’s pick on Node
npm Is AWESOME
npm Usage Has Exploded
• >350,000 packages
• ~6B downloads/month
• >65,000 publishers
[Figure: Your App, Your Code]
JavaScript has Won
Each Dependency Is A Security Risk
Do You Know Which Dependencies You Have?
Do you know, for EVERY SINGLE DEPENDENCY, if its developers have any Security Expertise?
Do you know, for EVERY SINGLE DEPENDENCY, if it underwent any Security Testing?
Do you know, for EVERY SINGLE DEPENDENCY, if it has any Known Vulnerabilities?
Open Source is written by People
Open Source is written by People. Strangers.
Do you know, for EVERY SINGLE CONTRIBUTOR, if they are Malicious?
Do you know, for EVERY SINGLE CONTRIBUTOR, if they’ve been Compromised?
It’s a BIG Problem
With no single, silver bullet solution
First Step: Known Vulnerabilities
~14% of npm Packages Carry Known Vulnerabilities
~83% of Snyk users found vulns in their apps
Source: Snyk data, Oct 2016
Software Supply Chain
Mandatory Josh Corman plug…
1. How do I protect myself?
2. Can I learn from these vulns?
Live Hacking Begins…
JavaScript Takeaways
• Consider all encodings
  • Notably HTML & URL encoding
  • Better yet: whitelist instead of blacklist
• Prevent long algorithm runs
  • Control regexp input lengths
• Don’t initialize Buffer with integers
• Beware JSON type manipulations
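Three of the takeaways above (bounded regexp input, never letting an integer reach a Buffer constructor, explicit type checks on parsed JSON) as one added example; this is not code from the talk, and the function names and sample messages are this example's own constructions.

```javascript
// Added example (not from the talk). Defensive handling of an untrusted
// JSON message with a "tag" and a "payload" field; all names are hypothetical.

const MAX_TAG_LENGTH = 64;
const TAG_RE = /^[a-z0-9-]+$/;

// Cap the input length before the regexp runs, so the pattern can never be
// handed an arbitrarily long string (the "control regexp input lengths" point).
function isValidTag(tag) {
  if (typeof tag !== 'string' || tag.length > MAX_TAG_LENGTH) return false;
  return TAG_RE.test(tag);
}

// Only strings (or existing Buffers) become Buffers. A number would select
// the "allocate N bytes" form of the constructor instead of encoding data,
// which is the "don't initialize Buffer with integers" point.
function toPayloadBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value !== 'string') {
    throw new TypeError('payload must be a string, got ' + typeof value);
  }
  return Buffer.from(value, 'utf8');
}

// Parse and check each field's type explicitly. A field that arrives as an
// object or array where a string was expected (e.g. {"length": 8}) would pass
// a naive .length check, so such messages are rejected, not coerced.
function parseMessage(jsonText) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'message must be a JSON object' };
  }
  if (!isValidTag(body.tag)) return { ok: false, error: 'bad tag' };
  if (typeof body.payload !== 'string') {
    return { ok: false, error: 'payload must be a string' };
  }
  return { ok: true, tag: body.tag, payload: toPayloadBuffer(body.payload) };
}

// Constructed sample messages (not captured traffic).
const SAMPLE_OK = '{"tag":"build-42","payload":"hello"}';
const SAMPLE_NUMERIC_PAYLOAD = '{"tag":"build-42","payload":1024}';
const SAMPLE_OBJECT_TAG = '{"tag":{"length":8},"payload":"x"}';
```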
OSS Package Vulns are the new Unpatched Servers
Especially in Serverless/PaaS
https://snyk.io/blog/Serverless-Security-Vulnerabilities/
OSS Packages Takeaway
• Find vulnerabilities
  • Be sure to test ALL your applications
• Fix vulnerabilities
  • Upgrade when possible, patch when needed
• Prevent adding vulnerable modules
  • Break the build, test in pull requests
• Respond quickly to new vulns
  • Track vuln DBs, or use Snyk! </shameless plug>
Not just Node/npm
Impacts Open Source Packages, wherever they are
Open Source Is Awesome
Please Enjoy Responsibly
Join the conversation #devseccon
Thank You!
Guy Podjarny, Snyk (@guypod)