Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Keeping JavaScript safe
Search
C J Silverio
October 04, 2017
Programming
3
400
Keeping JavaScript safe
Security & the npm registry. Presented at Node Interactive 2017 in Vancouver.
C J Silverio
October 04, 2017
Tweet
Share
More Decks by C J Silverio
See All by C J Silverio
The economics of package management
ceejbot
4
1.5k
The future of (javascript) modules (in node)
ceejbot
1
270
ceej's how to solve it
ceejbot
6
760
work-life balance at npm
ceejbot
5
780
hash functions and you!
ceejbot
2
340
The accidental noder
ceejbot
2
140
Design Patterns & Modularity in the npm Registry
ceejbot
3
180
Monitoring on a budget
ceejbot
2
280
Cheating Gall's Law: MediterraneaJS edition
ceejbot
4
320
Other Decks in Programming
See All in Programming
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.3k
Synchronizationを支える技術
s_shimotori
1
150
デプロイを任されたので、教わった通りにデプロイしたら障害になった件 ~俺のやらかしを越えてゆけ~
techouse
52
32k
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.6k
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.2k
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
5
3.6k
macOS でできる リアルタイム動画像処理
biacco42
6
1.7k
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
500
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
現場で役立つモデリング 超入門
masuda220
PRO
12
2.9k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
830
Featured
See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Rails Girls Zürich Keynote
gr2m
93
13k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Git: the NoSQL Database
bkeepers
PRO
425
64k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
Optimizing for Happiness
mojombo
376
69k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
How GitHub (no longer) Works
holman
311
140k
Transcript
keeping javascript safe
keeping javascript safe security & the npm registry
C J Silverio CTO @ npm, @ceejbot
using node since 2011 node has grown up!
running npm's registry since 2014 npm has grown up too!
the story of the npm registry mirrors the story of
node
npm is infrastructure for millions of developers
npm dependably serves node packages 24/7 around the world
Fortune 100 companies depend on npm & node
3 billion downloads/week 9 million users 156K package authors (1.7%)
npm has as many users as the New York City
it didn't start that way
in 2009, node & npm's users knew each other by
name
the npm registry is now too large to depend on
community policing
but you need that policing
you rely on the packages you install
questions you ask 1. Is the registry secure? 2. Does
this package have vulnerabilities? 3. Is this package malware? 4. Who published this package?
1. Is the registry secure?
What does secure mean? registry systems can't be broken into
data can't be tampered with
we don't try to do this alone ongoing contract with
^Li!
this guy, Adam Baldwin (he'll come up again) & his
colleagues
periodic pen testing ongoing code reviews
good security practices are on-going work
2. Does this package have vulnerabilities?
our friends at ^Li! again as the Node Security Platform
NSP reviews popular packages, reports vulnerabilities, & handles reports
h!ps://nodesecurity.io
early access NSP data is integrated into npm enterprise
newsflash! npm is a company that sells services!
npm enterprise is a registry inside your firewall
NSP keeps us informed we keep them informed in turn
3. Is this package malware?
malware doesn't advertise
malware comes in flavors: spam & poison
spammers found the registry in 2016
two kinds of spam: spam content & js spam support
npm + cdns built on top == trivial hosting for
GA clickjacking
now using machine learning to catch spam thanks to the
Smyte service
spam speedbumps: validated email to publish disallow throwaway addresses
we seem to have made a dent but this war
will never end
poison-flavored malware: typosqua!ing
publishing packages with names that are very close to real
names
Historically this was competitive: authors would try to steal traffic
to pump their download numbers
somebody typosqua!ed moment.js with another date-forma!ing package
also accidental JSONStream vs jsonstream
recently it's been nefarious: typosquat of cross-env as crossenv with
a env var stealer
typosquat of bluebird wrapping bluebird with a cryptocoin miner
Adam Baldwin typosqua!ed coffee-script early on
it took days for the community to notice
now it takes weeks if the community notices at all
as spiderman said, with great popularity comes great annoyance
automated similarity checker
None
this war will never end so long as there is
$ to be made
4. Who published this package?
What happens if somebody steals JDD's auth token & posts
malware as lodash?
Well, that's scary. npm auth tokens are sensitive.
new! tools in the npm cli to help you control
auth tokens
new command: npm token control your auth tokens
npm token create --readonly
read-only auth tokens the principle of least power
give your CI system a read-only token
npm token create --cidr=[10.0.0.1/32]
CIDR-bound tokens bind tokens to IP ranges
further limit your tokens by controlling where they can be
used
npm token list npm token delete <tokenKey>
None
new command: npm profile
set your profile data like your email or ...
None
well that's boring
None
that's not boring
npm profile enable-2fa two-factor authentication is here
require regular password plus a one-time password
npm profile enable-2fa auth-only
auth-only: any time you log in or manipulate tokens
npm profile enable-2fa auth-and-writes
None
writes: your package publications pass the --otp flag
npm publish --otp=123456 pass it on the command line!
use a TOTP code generation app Google Authenticator, Authy, etc
npm install -g npm@next try it now!
code: github.com/npm/npm-profile api docs: github.com/npm/registry
one more thing
coming a!raction! protect a package with 2FA
require an OTP any time that package is published by
anybody
protect packages with many maintainers next cli minor release 5.6.0
coming soon! 2fa for your npm organization
coming soon! npm ci 3x speed for your CI installs
but what about package signing? we think we've figured out
how
coming soon! even more
questions? help se!ing this up? come see me & puppies
at the npm booth
npm wants you to develop in confidence
npm loves you