Keeping JavaScript safe

Transcript

1. keeping javascript safe

2. keeping javascript safe security & the npm registry

3. C J Silverio CTO @ npm, @ceejbot

4. using node since 2011 node has grown up!

5. running npm's registry since 2014 npm has grown up too!

6. the story of the npm registry mirrors the story of

   node

7. npm is infrastructure for millions of developers

8. npm dependably serves node packages 24/7 around the world

9. Fortune 100 companies depend on npm & node

10. 3 billion downloads/week 9 million users 156K package authors (1.7%)

11. npm has as many users as the New York City

12. it didn't start that way

13. in 2009, node & npm's users knew each other by

    name

14. the npm registry is now too large to depend on

    community policing

15. but you need that policing

16. you rely on the packages you install

17. questions you ask 1. Is the registry secure? 2. Does

    this package have vulnerabilities? 3. Is this package malware? 4. Who published this package?

18. 1. Is the registry secure?

19. What does secure mean? registry systems can't be broken into

    data can't be tampered with

20. we don't try to do this alone ongoing contract with

    ^Li!

21. this guy, Adam Baldwin (he'll come up again) & his

    colleagues

22. periodic pen testing ongoing code reviews

23. good security practices are on-going work

24. 2. Does this package have vulnerabilities?

25. our friends at ^Li! again as the Node Security Platform

26. NSP reviews popular packages, reports vulnerabilities, & handles reports

27. h!ps://nodesecurity.io

28. early access NSP data is integrated into npm enterprise

29. newsflash! npm is a company that sells services!

30. npm enterprise is a registry inside your firewall

31. NSP keeps us informed we keep them informed in turn

32. 3. Is this package malware?

33. malware doesn't advertise

34. malware comes in flavors: spam & poison

35. spammers found the registry in 2016

36. two kinds of spam: spam content & js spam support

37. npm + cdns built on top == trivial hosting for

    GA clickjacking

38. now using machine learning to catch spam thanks to the

    Smyte service

39. spam speedbumps: validated email to publish disallow throwaway addresses

40. we seem to have made a dent but this war

    will never end

41. poison-flavored malware: typosqua!ing

42. publishing packages with names that are very close to real

    names

43. Historically this was competitive: authors would try to steal traffic

    to pump their download numbers

44. somebody typosqua!ed moment.js with another date-forma!ing package

45. also accidental JSONStream vs jsonstream

46. recently it's been nefarious: typosquat of cross-env as crossenv with

    a env var stealer

47. typosquat of bluebird wrapping bluebird with a cryptocoin miner

48. Adam Baldwin typosqua!ed coffee-script early on

49. it took days for the community to notice

50. now it takes weeks if the community notices at all

51. as spiderman said, with great popularity comes great annoyance

52. automated similarity checker

53. None

54. this war will never end so long as there is

    $ to be made

55. 4. Who published this package?

56. What happens if somebody steals JDD's auth token & posts

    malware as lodash?

57. Well, that's scary. npm auth tokens are sensitive.

58. new! tools in the npm cli to help you control

    auth tokens

59. new command: npm token control your auth tokens

60. npm token create --readonly

61. read-only auth tokens the principle of least power

62. give your CI system a read-only token

63. npm token create --cidr=[10.0.0.1/32]

64. CIDR-bound tokens bind tokens to IP ranges

65. further limit your tokens by controlling where they can be

    used

66. npm token list npm token delete <tokenKey>

67. None

68. new command: npm profile

69. set your profile data like your email or ...

70. None

71. well that's boring

72. None

73. that's not boring

74. npm profile enable-2fa two-factor authentication is here

75. require regular password plus a one-time password

76. npm profile enable-2fa auth-only

77. auth-only: any time you log in or manipulate tokens

78. npm profile enable-2fa auth-and-writes

79. None

80. writes: your package publications pass the --otp flag

81. npm publish --otp=123456 pass it on the command line!

82. use a TOTP code generation app Google Authenticator, Authy, etc

83. npm install -g npm@next try it now!

84. code: github.com/npm/npm-profile api docs: github.com/npm/registry

85. one more thing

86. coming a!raction! protect a package with 2FA

87. require an OTP any time that package is published by

    anybody

88. protect packages with many maintainers next cli minor release 5.6.0

89. coming soon! 2fa for your npm organization

90. coming soon! npm ci 3x speed for your CI installs

91. but what about package signing? we think we've figured out

    how

92. coming soon! even more

93. questions? help se!ing this up? come see me & puppies

    at the npm booth

94. npm wants you to develop in confidence

95. npm loves you