The Node.js Security Ecosystem

Jun 1, 2023

Chaptering and links to content

00:00 - Cloud Security Lounge

04:15 - Introduction - what is node.js and what we'll be doing today

06:26 - Level setting by Michael - why is this important?

07:15 - Are we talking about JS in a headless browser?

08:15 - Frontend to backend - is node.js the continuum?

09:40 - The difference in mindset between frontend and backend - security-wise

12:24 - Node.js has had security as a core value since the beginning

13:30 - Node.js publishes its threat model as a triage step for security vulnerability reports

14:05 - There's no easy way to triage and consume security vulnerability reports

16:30 - The trust boundaries of node.js

17:33 - Best practices document supplements the threat model by suggesting mitigations for common vulnerable patterns

18:25 - OSSF Criticality Score and Scorecard

21:15 - Vulnerabilities that are NOT 3rd party - what's the fix process?

24:30 - The personas behind the fixing process - Fixers and Releasers

24:58 - Bug Bounty!

25:58 - Security Stewards

28:00 - Things that didn't work in the process of fixing issues and creating releases

32:00 - How to join the effort and help out

34:50 - You don't need to be a Node expert to help

35:00 - Third Party Risk and Supply Chain Security

39:45 - How Node looks at the future of supply chain issues

45:00 - Guarddog Demo

49:00 - Adding tooling to your CI/CD to elevate assurance

52:40 - Upcoming - the permission model of node.js - one more layer of control

57:16 - In closing and Call To Action