
Enterprise Node - Securing Your Environment




About me

Tech Lead @ MLS

Medium: @kurtiskemple
Twitter: @kurtiskemple
GitHub: @kkemple

Repo for this webinar: kkemple/awesome-enterprise-web-service

Why is Securing Your Environment Important?

Benefits
- Protects your company from potential threats
- Improves confidence in code and systems
- Helps you meet legal/organizational regulations

Securing Your Runtime

Node LTS Versions
- Official Node.js long-term support release lines
- Offer a solid foundation to build apps on (no breaking changes within an LTS line)
- Provide a maintenance window in which only critical bug fixes and security fixes are accepted

N | Solid - Enterprise Runtime
- Enables deep performance insights (one-click flame graphs)
- CLI for easy CI/CD integration and automated control
- Advanced console for analyzing your entire Node.js infrastructure
- Alerting through threshold monitoring

N | Solid Overview

N | Solid Performance Flame Graph

Containerization
- Boxes up your application and all its dependencies
- Provides a layer of abstraction from the server
- Provides isolation from other applications
- Images can be scanned for known vulnerabilities in the OS packages and libraries they contain

Image scanning tools: quay.io, coreos/Clair, Aqua Peekr

Securing Your Dependencies

Whitelisting / Blacklisting Modules
- Blacklisting: allow use of any public module except the ones on the list
- Whitelisting: allow use of only the public modules on the list
- Great for meeting audit and legal obligations
- Requires a private registry (npm Enterprise, Sinopia, etc.)

Node Security Project
- Keeps a database of known vulnerabilities in Node modules
- Offers a CLI tool (nsp) for easy CI/CD integration
- Maintained by the community and leading Node security experts (Adam Baldwin)

npm shrinkwrap & shrinkpack
- npm shrinkwrap locks the full dependency tree, preventing dependency regression (unwanted dependency updates on install)
- shrinkpack stores the locked tarballs alongside the project, so installs do not need to call the npm registry for each module; this also greatly speeds up builds

Shrinkpack

Securing your applications

Authentication
- Authentication: verify the identity of a user/client
- Should support a JWT bearer header and Basic Auth
- JWT: JSON Web Tokens are an open, industry-standard method (RFC 7519) for representing claims securely between two parties

JWT.io

auth.io/blog

Authorization
- Authorization: verify that the user/client is permitted to perform the action
- Uses scopes to define permissions
- Roles define a group of scopes
- Scopes are set on endpoints for fine-grained control
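The roles-to-scopes-to-endpoints model above, as an added example that is not code from the deck or the kkemple repo. Role names, scope names and routes are constructed; the principal is whatever the authentication step produced (for instance the JWT claims). Every scope an endpoint lists is required, and a route missing from the table is denied by default.

```javascript
// Added example (not from the deck): scope-based authorization.
const ROLES = {
  viewer: ['orders:read'],
  clerk:  ['orders:read', 'orders:write'],
  admin:  ['orders:read', 'orders:write', 'users:write'],
};

// Endpoint table: all listed scopes are required. ":name" matches one path segment.
const ENDPOINTS = [
  { method: 'GET',    path: '/orders',    scopes: ['orders:read'] },
  { method: 'POST',   path: '/orders',    scopes: ['orders:write'] },
  { method: 'DELETE', path: '/users/:id', scopes: ['users:write'] },
];

function routeMatches(pattern, path) {
  const p = pattern.split('/'), q = path.split('/');
  return p.length === q.length && p.every((seg, i) => seg.startsWith(':') || seg === q[i]);
}

// Effective scopes = scopes granted directly + scopes of every known role.
// Role names come from a token, so look them up as own properties only:
// a claim of roles:["constructor"] must not resolve to Object.prototype.
function effectiveScopes(principal) {
  const out = new Set(principal.scopes || []);
  for (const role of principal.roles || []) {
    const granted = Object.prototype.hasOwnProperty.call(ROLES, role) ? ROLES[role] : [];
    for (const s of granted) out.add(s);
  }
  return out;
}

// Decision plus the HTTP status a handler would send; missing lists what was lacking.
function authorize(method, path, principal) {
  const cleanPath = path.split('?')[0];
  const ep = ENDPOINTS.find(e => e.method === method && routeMatches(e.path, cleanPath));
  if (!ep) return { allowed: false, status: 404, missing: [] };        // unknown route: deny
  if (!principal) return { allowed: false, status: 401, missing: ep.scopes };
  const have = effectiveScopes(principal);
  const missing = ep.scopes.filter(s => !have.has(s));
  return missing.length
    ? { allowed: false, status: 403, missing }
    : { allowed: true, status: 200, missing: [] };
}
```

Returning the missing scopes is useful for logs and for a 403 body; it is also what you would assert on in a test that every endpoint in the table has at least one scope, so nothing is silently open.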

Data Validation
- Prevents dirty data from entering your system
- Allows you to define schemas that your documentation engines can read
- Provides in-code documentation of valid endpoint parameters

Swagger Docs from Joi Schemas
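What a schema-driven validator does for an endpoint, as an added example; this is not Joi and not code from the deck or the kkemple repo, but a small validator in the same style, plus a helper that turns the same schema into Swagger/OpenAPI-style parameter entries. The order schema and the inputs are constructed. The security-relevant behaviour is that unknown fields are rejected rather than ignored, and that string-typed query values are coerced only where the schema allows it.

```javascript
// Added example (not from the deck, not Joi): schema validation for endpoint parameters.
const createOrderSchema = {
  sku:      { type: 'string',  required: true, pattern: /^[A-Z0-9-]{3,32}$/, description: 'Product SKU' },
  quantity: { type: 'integer', required: true, min: 1, max: 1000, description: 'Units ordered' },
  note:     { type: 'string',  max: 200, description: 'Free-text note' },
  rush:     { type: 'boolean', description: 'Expedited shipping' },
};

// Returns { value, errors }: value is the cleaned object on success, null otherwise.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { value: null, errors: ['body must be an object'] };
  }
  const errors = [];
  const value = {};
  // Unknown fields are errors, not silently dropped: this is what stops a client
  // from smuggling "isAdmin": true or "__proto__" into a record (mass assignment).
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unknown field`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const raw = input[key];
    if (raw === undefined) {
      if (rule.required) errors.push(`${key}: required`);
      continue;
    }
    let v = raw;
    if (rule.type === 'integer') {
      // Query-string and form values arrive as strings; accept a pure digit string only
      if (typeof raw === 'string' && /^-?\d+$/.test(raw)) v = Number(raw);
      if (!Number.isSafeInteger(v)) { errors.push(`${key}: must be an integer`); continue; }
      if (rule.min !== undefined && v < rule.min) errors.push(`${key}: must be >= ${rule.min}`);
      if (rule.max !== undefined && v > rule.max) errors.push(`${key}: must be <= ${rule.max}`);
    } else if (rule.type === 'string') {
      if (typeof raw !== 'string') { errors.push(`${key}: must be a string`); continue; }
      if (rule.max !== undefined && raw.length > rule.max) errors.push(`${key}: longer than ${rule.max}`);
      if (rule.pattern && !rule.pattern.test(raw)) errors.push(`${key}: invalid format`);
    } else if (rule.type === 'boolean') {
      if (raw === 'true') v = true; else if (raw === 'false') v = false;
      if (typeof v !== 'boolean') { errors.push(`${key}: must be a boolean`); continue; }
    }
    value[key] = v;
  }
  return errors.length ? { value: null, errors } : { value, errors };
}

// The same schema drives the docs: one OpenAPI-style parameter entry per field.
function toOpenApiParams(schema) {
  return Object.entries(schema).map(([name, rule]) => ({
    name,
    required: Boolean(rule.required),
    type: rule.type,
    description: rule.description || '',
  }));
}
```

Validate at the edge of the handler and pass only the returned value onward, so the rest of the code never touches the raw request body.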

HTTPS ALL THE THINGS
- Encrypts data sent over the internet
- Prevents packet sniffing and man-in-the-middle attacks
- Generally terminated at the CDN layer (AWS CloudFront, Cloudflare, Fastly, etc.); traffic between the CDN and your origin is then plaintext unless HTTPS to the origin is also enabled
- HTTPS internally provides better security but adds latency to requests
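When TLS terminates at the CDN the application sees plain HTTP and has to decide from X-Forwarded-Proto whether the client's connection was encrypted. The following is an added example (not code from the deck or the kkemple repo) of doing that safely: the header is trusted only when the TCP peer is one of the proxy's addresses, since any direct client could forge it, and insecure requests are redirected to a fixed canonical host rather than to whatever the Host header says. The proxy ranges and host name are constructed, not real CDN ranges.

```javascript
// Added example (not from the deck): trust X-Forwarded-Proto only from known proxies.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.0/24'];   // constructed, not real CDN ranges
const CANONICAL_HOST = 'api.example.com';                  // constructed

// IPv4 (including IPv4-mapped IPv6 such as ::ffff:10.0.0.1) to a 32-bit number; null otherwise.
function ipv4ToInt(ip) {
  const parts = String(ip).replace(/^::ffff:/i, '').split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    n = n * 256 + Number(part);
  }
  return n;
}

function ipInCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = Number(bitsText), a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// req is a Node http.IncomingMessage (or an object shaped like one).
function isSecureRequest(req, trusted = TRUSTED_PROXIES) {
  if (req.socket && req.socket.encrypted) return true;             // TLS terminated in this process
  const peer = req.socket && req.socket.remoteAddress;
  if (!trusted.some(cidr => ipInCidr(peer, cidr))) return false;   // header from a stranger: ignore it
  // One trusted hop is assumed, so the last value is the one our proxy set.
  const values = String(req.headers['x-forwarded-proto'] || '').split(',');
  return values[values.length - 1].trim().toLowerCase() === 'https';
}

// Redirect insecure requests to the canonical host and add HSTS to secure ones.
// Returns true when the handler may continue.
function enforceHttps(req, res) {
  if (!isSecureRequest(req)) {
    res.writeHead(301, { Location: `https://${CANONICAL_HOST}${req.url}` });
    res.end();
    return false;
  }
  res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
  return true;
}
```

Frameworks expose the same idea as a "trust proxy" setting; the point is that it is a list of addresses, never "trust everyone".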

Encrypting Data
- You should ALWAYS protect sensitive information (SSNs, credit card numbers, etc.); passwords are the exception: store only a salted, slow hash (bcrypt, scrypt, Argon2), never a reversible encryption of them
- Do some research on encryption best practices (authenticated encryption such as AES-GCM, a fresh random nonce for every record)
- Make sure your encryption keys are secret: out of source control, in a secrets manager or KMS, and stored separately from the data they protect

Q&A

Enterprise Node.js series
- Code Quality: https://www.crowdcast.io/e/enterprise-node-1
- Code Discovery: https://www.crowdcast.io/e/enterprise-node-2
- Securing Your Environment: https://www.crowdcast.io/e/enterprise-node-3
- Deploying with Docker: https://www.crowdcast.io/e/enterprise-node-4

Enterprise Node.js

JavaScript is replacing Java, Ruby, and .NET as the technology of choice for companies that want to build enterprise software faster and with fewer resources. Learn about enterprise JavaScript applications at every level of the stack, as well as how to secure, integrate, test, store, monitor, and deploy them. (O'Reilly Software Architecture Conference)

Architecting For Enterprise in Node.js