NodeFly Buzz: The Node Security Project

“Why Node.js?” is a very valid question. We answer by showing off cool products, pages or projects that use Node.js in our “NodeFly Buzz” every two weeks.

This time around, we are looking at The Node Security Project. This project asks: “We believe that the node.js core is well audited, but what about the modules on npm?”

To ponder this question more fully, we spoke with Adam Baldwin. Read his bio before you react to the name. Here’s what he had to say about himself.

“I’m the team lead at Lift Security where I get to hack web apps and the CSO at &yet where I get to help an amazing team of developers build web apps (yes it’s a bit jekyll and hyde and I love it). The rest of my time is spent being a husband, father, and correcting people that think I starred in Firefly and Chuck.”

image

Ready? Let’s talk about the Node Security Project.

NodeFly: Can you tell us about the Node Security Project?

Adam Baldwin: The node security project is an ambitious (some might say impossible) project to assess the security of the modules published on npm. A lot of security projects stop at “let’s find all the vulns.” I really want this to be a positive experience with getting vulnerabilities fixed, enable developers to know when they are using a module that may introduce vulns in their environment and most of all help educate node.js developers about various security topics.

NodeFly: You want to audit every single module in npm. Can you explain how you developed this goal?

Adam Baldwin: As the CSO at &yet it’s part of my job to think about ways in which the software we build can get compromised. We trust a lot of third party code. I could have stopped there and just audited what we use, but I wanted to have a bigger impact on the community.

NodeFly: You are quite open on your web page, telling everyone “we need your help”. Can you put your goal into perspective? How many man-hours might this take?

Adam Baldwin: Specifically we need the help of security researchers to validate vulnerabilities and we need the help of developers to write patches for projects that have been long abandoned or the project needs help fixing the bug. This isn’t a point, laugh and move on security initiative, we really want to make things better.

Also at the time of writing this there are 28,254 modules and that number is growing fast. There is just no way one person can audit this much code. It has to be a community effort.

Another way to look at this is the fact that it will never be done. Security just doesn’t work that way. It’s a continual process of building, assessing, improving and so on.

NodeFly: Have you audited any of the modules yet? Can you share any details about the initial results?

Adam Baldwin: We are taking a bit of a different approach and we aren’t auditing one module after another for all the things. We are looking at a specific pattern across the entire module base. This way we can refine that pattern and apply it to new modules and updated modules in a more automated fashion to try and keep up.

The auditors are currently working through the first initiative, child_process.exec. Which if used improperly can allow for command injection. At last count we have found 9 vulnerabilities. In one day.

NodeFly: How important is this project to the growth and future of Node.js?

Adam Baldwin: I can see this project helping with enterprise adoption. If we find a lot of things, we get a lot of bugs fixed, if we don’t find much, one might attribute that to the level of code being produced by the node.js community. Another is to empower developers to know if a module they are using contains a known problem. This isn’t about creating trusted modules, just that we have looked for certain things and hopefully empower developers.

NodeFly: What’s the initial interest in this project been like?

Adam Baldwin: Amazing. Both from the node core community and from security researchers. I’m very grateful.

NodeFly: Why the focus on Node.js? Could this have been directed at any language?

Adam Baldwin: I enjoy node.js so I wanted to give back in a way that I’m skilled at. It’s a fairly new community and with javascript making it easy for front-end developers to move into the backend, I want a lot of the mistakes we have leaned in other languages to not happen again if we can help it.

NodeFly: Besides the security project, is there anything else Node.js-related that you are working on?

Adam Baldwin: I maintain the helmet project, an express middleware for security headers with secure defaults. I also help with development and security on And Bang, a team samepagification app built on node and redis.

NodeFly: Thanks for discussing this important project with us. We look forward to watching its progress!

If you would like to learn more about the Node Security Project, check out the web site at http://nodesecurity.io/ or write at contact@liftsecurity.io


Do you know all about a Node.js project or a company that makes Node.js shine? If so, email us at feedback@nodefly.com so we can share!