October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Writing secure Node code

Guy Podjarny (Snyk), Danny Grander (Snyk)
9:00am–12:30pm Monday, 10/31/2016
Tools and processes
Location: Rendezvous Trianon
Level: Beginner
Average rating: 3.00 (1 rating)

Prerequisite knowledge

  • A basic understanding of JavaScript and Node

Materials or downloads needed in advance

  • A laptop with the Goof application cloned (Links will be available before the tutorial—you won't be required to run the tests and exploits locally.)

What you'll learn

  • Understand some security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop

Description

Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk you through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.

Guy and Danny will use (and abuse) a vulnerable Node.js application called Goof to demonstrate various common vulnerabilities and dependencies. For each item, Guy and Danny explain the issue, show an exploit on Goof, and, most importantly, demonstrate how to avoid or defend against it.


Guy Podjarny

Snyk

Guy Podjarny is Snyk’s co-founder and CEO, focusing on using open source while staying secure. Guy was previously CTO at Akamai following its acquisition of his startup, Blaze.io, and worked on the first web application firewall and security code analyzer. Guy is a frequent conference speaker and the author of the O’Reilly titles “Securing Open Source Libraries”, “Responsive & Fast” and “High Performance Images”.


Danny Grander

Snyk

Danny Grander is a veteran security researcher and the cofounder of Snyk.io, where he works on open source security and leads Snyk’s security research. Previously, Danny was the CTO of Gita and a lead researcher and developer for a few startups. Danny’s CTF team, Pasten, won both the Chaos Computer Club and Google’s latest CTFs.


Comments

Guy Podjarny
11/02/2016 5:14am EDT

Slides are now posted: http://www.slideshare.net/guypod/secure-node-code-workshop-oreilly-security

For any further questions, ping us on @guypod, @grander or @snyksec

Charlemagne Santos
11/01/2016 10:01am EDT

Guy or Danny,

Do you have this session’s slides available online? If not, can you please send me a copy?

Thanks,
Charlie