Join the conversation #devseccon

Guy Podjarny, Snyk@guypod

Secure Node Code a.k.a. Stranger Danger

snyk.io

About Me• Guy Podjarny, @guypod on Twitter

• CEO & Co-founder at Snyk

• History: • Cyber Security part of Israel Defense Forces

• First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)

• Security: Worked in Sanctum -> Watchfire -> IBM

• Performance: Founded Blaze -> CTO @Akamai

• O’Reilly author, speaker

snyk.io

Open Source Is AwesomeShare Your Work

Reuse What Others Built Focus on Creating Your Own New Thing

snyk.io

Open Source Usage Has Exploded

snyk.io

Open Source != SecureOpen Source != Insecure Either!

snyk.io

Heartbleed

snyk.io

Shellshock

snyk.io

Logjam

snyk.io

Attackers Are Targeting Open Source

One vulnerability, many victims

snyk.io

~30% of Docker Hub images carry

Known Vulnerabilities High Priority known vulnerabilites, to be exact

Source: BanyanOps Analysis

snyk.io

Docker Security

Ubuntu usn

Auto Sec Updates

Fedora yum security

Auto Sec Updates

snyk.io

That’s OSS Binaries.What about OSS Packages?

snyk.io

Just as Hacker-Friendly…1. Vulnerabilities already found, and found often 2. Used everywhere - Millions downloads/month, in many orgs 3. Hard to update, due to deps chains, breakage & scattered use

snyk.io

Let’s pick on Node

snyk.io

npm Is AWESOME

snyk.io

>350,000 packages

~6B downloads/month >65,000 publishers

npm usage Has Exploded

snyk.io

Your App

snyk.io

Your Code

Your App

snyk.io

JavaScript has Won

snyk.io

Each Dependency Is A Security Risk

snyk.io

Do You Know Which Dependencies

You Have?

snyk.io

Do you know, for EVERY SINGLE DEPENDENCY

if its developers have any

Security Expertise?

snyk.io

Do you know, for EVERY SINGLE DEPENDENCY

if it underwent any

Security Testing?

snyk.io

Do you know, for EVERY SINGLE DEPENDENCY

if it has any

Known Vulnerabilities?

snyk.io

Open Source is written by People

snyk.io

Open Source is written by People

Strangers

snyk.io

snyk.io

snyk.io

Do you know, for EVERY SINGLE CONTRIBUTOR

if they are

Malicious?

snyk.io

Do you know, for EVERY SINGLE CONTRIBUTOR

if they’ve been

Compromised?

snyk.io

It’s a BIG ProblemWith no single, silver bullet solution

snyk.io

First Step: Known Vulnerabilites

snyk.io

~14% of npm Packages Carry Known Vulnerabilities

~83% of Snyk users found vulns in their apps

Source: Snyk data, Oct 2016

snyk.io

Software Supply ChainMandatory Josh Corman plug…

snyk.io

1. How do I protect myself?

snyk.io

1. How do I protect myself? 2. Can I learn from these vulns?

snyk.io

Live Hacking Begins…

snyk.io

JavaScript Takeaways• Consider all encodings

• Notably HTML & URL Encoding

• Better yet: Whitelist instead of Blacklist

• Prevent long algorithm runs • Control Regexp input lengths

• Don’t initialize Buffer with integers

• Beware JSON type manipulations

snyk.io

OSS Package Vulns are the new

Unpatched servers

snyk.io

Especially in Serverless/PaaS

https://snyk.io/blog/Serverless-Security-Vulnerabilities/

snyk.io

OSS packages takeaway• Find vulnerabilities

• Be sure to test ALL your applications

• Fix vulnerabilities • Upgrade when possible, patch when needed

• Prevent adding vulnerable module • Break the build, test in pull requests

• Respond quickly to new vulns • Track vuln DBs, or use Snyk! </shameless plug>

snyk.io

Not just Node/npmImpacts Open Source Packages, wherever they are

snyk.io

Open Source Is Awesome

snyk.io

Open Source Is AwesomePlease Enjoy Responsibly

Join the conversation #devseccon

Thank You!

Guy Podjarny, Snyk@guypod