A path towards securing every module

A path Towards

A path SECURING EVERY MODULE Towards

LETS TALK ABOUT These folks

Better CULTURAL REFERENCE

You Are Probably Thinking HOW DO I SECURITY?

SCIENCE CAT SAYS

SCIENCE CAT SAYS GOOD QUESTION

Sort of like... TRON?

Sort of like... TRON? HE FIGHTS FOR THE USER, RIGHT?

IT turns out.... IT IS QUITE COMPLICATED

FIRST OFF....

FIRST OFF.... DISCLOSE RESPONSIBLY!

LIKE TO THE GOOD FOLKS AT THE NODE SECURITY PROJECT

THE QUESTION IS HOW DO WE FIND THEM?

I LED AN ACADEMIC RESEARCH STUDY LAST YEAR

SHOW YOUR ALMA MATER SOME LOVE

SHOW YOUR ALMA MATER SOME LOVE AND YES

SHOW YOUR ALMA MATER SOME LOVE AND YES WE WROTE
A FORMAL RESEARCH PAPER AND EVERYTHING

ACADEMIC HCI IS A LITTLE SILLY

ACADEMIC HCI IS A LITTLE SILLY WHY DO LIKERT
SCALES HAVE A NAME?

YOUR RESEARCH STUDY PLEASE TELL ME ABOUT

WE ASKED A A QUESTION LIKE ALL RESEARCH

THEIR COMMUNITIES? MODULE AUTHORS HOW DO ANSWER QUESTIONS ABOUT

EIGHT PROLIFIC MODULE AUTHORS SMALL GROUP OF

USED MOST INFREQENTLY MOST EFFECTIVE THE FEEDBACK MECHANISMS

USED MOST INFREQENTLY MOST EFFECTIVE THE FEEDBACK MECHANISMS GITHUB
ISSUES WRITE A BLOG POST TWITTER DISCUSSIONS EMAIL A MAILING LIST

USED MOST INFREQENTLY MOST EFFECTIVE THE FEEDBACK MECHANISMS GITHUB
ISSUES WRITE A BLOG POST TWITTER DISCUSSIONS EMAIL A MAILING LIST HOW DO WE A QUESTION LIKE THIS? BUT ANSWER

BY USING OF COURSE

MULTI-DEMENSIONAL GRAPH REPRESENTS A

FROM NEW YORK I AM

FROM NEW YORK I AM AND SO IS

ABOUT WAS ALWAYS

AN ENGINEER BUT I AM ALSO

AN ENGINEER BUT I AM ALSO (3&".

AN ENGINEER BUT I AM ALSO GRAPHS RULE EVERYTHING AROUND
ME

AN ENGINEER BUT I AM ALSO GRAPHS RULE EVERYTHING AROUND
ME Dolla Dolla Bill Y all ’

GRAPHS NOT THESE KINDS OF

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E GRAPHS THESE KINDS OF

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E THESE GRAPHS DIFFERENT, OF COURSE ALL OF ARE

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E UNDIRECTED DIRECTECTED WEIGHTED TREES BIPARTITE

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E UNDIRECTED DIRECTECTED WEIGHTED TREES BIPARTITE TRANSPORATION NETWORKS INFORMATION NETWORKS MOLECULAR CHEMISTRY WIRELESS NETWORKS MAJOR LEAGUE BASEBALL DEPENDENCY MANAGEMENT

A B C D E 1 2 3 4 5
A B C D E F A B C D E A B C D E F G H 6 2 8 7 9 5 7 -3 A B C D E UNDIRECTED DIRECTECTED WEIGHTED TREES BIPARTITE TRANSPORATION NETWORKS INFORMATION NETWORKS MOLECULAR CHEMISTRY WIRELESS NETWORKS MAJOR LEAGUE BASEBALL DEPENDENCY MANAGEMENT SOUNDS COMPLICATED FOR my tastes. DEPENDENCY GRAPHS? I dont know

HIPSTER CAT SAYS

HIPSTER CAT SAYS ACTUALLY, IT S NOT SO BAD “
” ’

WITH A PACKAGE.JSON FILE { "name": "pkg-a", "dependencies": {
"pkg-b": "~1.0.4", "pkg-c": "~2.1.3" }, "devDependencies": { "pkg-d": "~3.1.2" }, "main": "./index.js" }

WITH A PACKAGE.JSON FILE na { "name": "pkg-a", "dependencies":
{ "pkg-b": "~1.0.4", "pkg-c": "~2.1.3" }, "devDependencies": { "pkg-d": "~3.1.2" }, "main": "./index.js" }

WITH A PACKAGE.JSON FILE nb nc nd na {
"name": "pkg-a", "dependencies": { "pkg-b": "~1.0.4", "pkg-c": "~2.1.3" }, "devDependencies": { "pkg-d": "~3.1.2" }, "main": "./index.js" }

WITH A PACKAGE.JSON FILE nb nc nd na Now
imagine this for 100,000+ packages! { "name": "pkg-a", "dependencies": { "pkg-b": "~1.0.4", "pkg-c": "~2.1.3" }, "devDependencies": { "pkg-d": "~3.1.2" }, "main": "./index.js" }

ONLINE WITH VIDEOS THESE TALKS ARE ALL ALREADY

5 5 DR. EMMETT OCTOCAT SAYS YOU VE GOT TO
COME BACK WITH ME. BACK TO GITHUB! ’ “ ”

5 5 DR. EMMETT OCTOCAT SAYS YOU VE GOT TO
COME BACK WITH ME. BACK TO GITHUB! ’ “ ” indexzero/npm-codependencies indexzero/npm-comp-stat-www indexzero/npm-static-stats indexzero/npm-pipeline

QUESTIONS THE GRAPH? WHAT OTHER CAN WE ASK FROM

THESE QUESTIONS WHETHER YOU KNOW IT OR NOT YOU PROBABLY
ASK EVERYDAY

NPM OUTDATED IS A PURE GRAPH QUESTION

DEPEND ON WHAT OTHER MODULES? WHO DEPEND ON X ALSO
PEOPLE

USED MORE IN PRODUCTION OR IN DEVELOPMENT? ALSO IS THIS
MODULE

THIS MODULE? “ ” MOST STABLE Version OF WHAT IS
THE

STATIC ANALYSIS OTHER QUESTIONS NEED TO BE ANSWERED

A PARTICULAR METHOD? DO OTHER MODULES USE HOW OFTEN

VERSION X.y.Z SAFELY? BE UPGRADED TO USE CAN MY APP

SO Getting BACK TO SECURITY QUESTIONS

SHELLSHOCK? ARE VULNERABLE TO HOW MANY MODULES

UNSAFE REGULAR EXPRESSIONS? OF THESE MODULES HAVE How many

UNTRUSTED USER INPUT? MODULES EVAL WHICH

COMPUTE INTENSIVE BUT IT IS INCREDIBLY

COMPUTE INTENSIVE BUT IT IS INCREDIBLY WHICH IS TO SAY

PRETTY $&#@ SLOW COMPUTE INTENSIVE BUT IT IS INCREDIBLY WHICH
IS TO SAY

NPM OUTDATED IS REALLY FAST. EVERY DAY THAT S HOW
YOU CAN USE IT ’

YO DAWG I HEARD YOU LIKE NPM BY USING OF
COURSE

YO DAWG I HEARD YOU LIKE NPM BY USING OF
COURSE ALONG WITH DATA PIPELINE A

A B C D E F A B C D
E F G H DEPENDENCY GRAPH AST COMPUTATION DOWNLOAD & UnTAR

A B C D E F A B C D
E F G H DEPENDENCY GRAPH AST COMPUTATION DOWNLOAD & UnTAR DATA PIPELINE ANALYSIS WORK MODULES THE SET OF AND THE SPECIFIC CHANGES BUT, THE Stays the same DATA PIPELINE MAKING IT HIGHLY PARALLELIZABLE

ESPRIMA + RECAST + npm + Data pipeline
= npm-pipeline

GENERIC WORK TO PERFORM GENERIC MODULE AND A

TENS OF SECONDS FROM TENS of Minutes TO ANALYSIS TIME
DOWN

QUESTIONS THE GRAPH? WHAT OTHER DO YOU HAVE FOR

THANKS {github, twitter}.com/indexzero [email protected]

A path towards securing every module

A path towards securing every module

More Decks by Charlie Robbins

Other Decks in Technology

Featured

Transcript