Securing your nodejs deployments while you sleep
Submitted by Ahamed Nafeez (@skepticfx) on Sunday, 10 August 2014
Developers push code at a much faster rate than security engineers can review it. Most vulnerabilities like XSS and CSRF come into existence when developers try to bring the next uber feature live without giving much attention to security, or simply because one of them is not aware of how to write secure code. This has become a problem that worries most startups and organizations. Even with a secure framework that inherently takes care of the most common security issues, it is a nightmare for security engineers and testers to look at every code commit for a vulnerability. This talk is about automating the process of finding insecure code pushes for Nodejs deployments.
This talk would answer the questions faced when trying to automate the security process for code pushes in continuous integration deployments. I would go through the problems one class of vulnerability at a time and talk about how one can find their occurrences at commit level.
Cross-Site Scripting: depending on the templating engine you use (ejs, jade etc.), one can detect a developer outputting unencoded user input, for example <%- req.query.input %>. We would go through the scenarios of how someone can overcome the false positives and increase the detection rate.
How about CSRF? Can we detect if someone tries to slip in a GET request route for an action that makes state-level changes in the database?
How about framework-specific vulnerabilities? What if someone deliberately uses ExpressJS' bodyParser in a way that can cause a Denial-of-Service on the target system?
We would also go through more Nodejs-, Express- and Connect-specific use cases and how to look for the gotchas before an attacker on the internet takes a look at them.
Requirements: basic understanding of Nodejs web frameworks.
I work as a product security engineer. I’m heavily inspired by software security and believe that building & defending is a step ahead of attacking things. Security engineering should drive development and make them ship more, not block them. Analyzing the security of software products is fun and challenging, as it involves a thorough understanding of the various technologies being used. I have an above average interest in web applications and computer networks.
I’ve been a speaker at a few security conferences:
Hack In The Box, Amsterdam