From YouTube: Node Security Project - Adam Baldwin @ LXJS
Description
This talk will introduce the nodesecurity.io project, its goals, and current results, in hopes of inspiring involvement and receiving feedback directly from the Node community!
Recorded on 2013-10-02
Those lights are crazy bright, alright. So before I get started, I definitely want to thank David and everyone from the LXJS crew for an amazing event. Obviously, a developer-focused event inviting a security talk, I absolutely love it and appreciate it very much. I've gotten to have lots of talks with other attendees on security topics, and it's been just a fantastic conversation.

So hey everyone, I'm Adam Baldwin. You can find me on Twitter at underscore Baldwin, or evilpacket on GitHub. I am the chief security officer at &yet, where I get to work on basically securing some pretty awesome products like Talky.io and And Bang, and I am the team lead at Lift Security, where I get to help developer teams basically improve their security posture, audit web apps and things like that. And the reason I'm standing here today is that I'm the founder and organizer of the Node Security Project, and I'm basically a self-appointed cheerleader of security in the Node community. Right, I absolutely love this community. You guys are fantastic.
This talk might have been better titled "the random sort of babblings of a guy that's done security for far too long and has ADD", so hopefully I'll keep on track and stay focused. Most of the goals of my talks are not necessarily to disseminate technical security knowledge. I'm usually presenting to get you to think a little bit differently, and to think critically about how you're doing security within your development.
Imagine how cool it would be if npm could, when you do npm install on a package, tell you if a module that you're using has a known security flaw in it, or a dependency of a dependency of a dependency has a flaw. It would be freaking amazing. So I get this question asked a lot: why was the Node Security Project started?
Back at &yet we used to be a Django shop and, as we were transitioning to Node and started to build And Bang, I had to think about the impacts. What were the security impacts going to be? What would we face as we built our products? We had control over the code that we produced in-house. We could do things to make our code better. We could do pre-commit hooks for linting. We had pull requests for peer review. Pull requests are a really great way to disseminate knowledge, and we think of them oftentimes as chores, but you can really take that as an opportunity, especially if you're the person on your team that knows about a security issue, to spread that knowledge through that pull request. It's an education channel.
It's really, really effective. That's one of the ways that we've managed to spread security values and education through our organization at &yet, and that's one thing that we do have control over there. As well, things we didn't have control over: we didn't have control of other people's code, or the delivery system, npm, and while it can be argued that they're open source, right, I can send a pull request, I could file an issue, we all know where that goes. Pull requests go unmerged. They sit there. It's just not the same as having that control internally. And I had quite high confidence in Node core, that it was small enough to be kept sort of under a watchful eye, and issues will crop up, but userland npm was growing at an insane rate. I think Module Counts says it's like 99 modules per day or something over the last week, which is just crazy. And it's not that I distrust other developers.
It's not that I didn't trust them. It's just that we're people, we make mistakes. There's a very sort of low barrier to entry in getting into Node. At that time, and it still is, you're getting a lot of developers that were used to working in the front end, and they're now writing server code. They don't initially... the landscape's completely different.
There's different security issues to deal with on one side than the other. So when I started thinking about this, there was sort of the discovery, initially, that the registry passwords, the npm passwords, the hashes, were exposed, and a lot of the passwords were easily crackable, four-character passwords. All that was guarding me from publishing to your module and uploading whatever I wanted. So take that as note one: if you're using a really horrible password, I know, update it please. And then we got that, that was good.
So anyway, modules... getting back to the point: there were sort of green pastures, and it's a low barrier to entry. Modules just pop up. There wasn't a module to do X or Y or Z, so one module, two modules, ten modules pop up to do said thing, and you know, maybe they weren't the right people to write the code, but they needed that thing there to do that. Which is interesting, though, that we sort of just blindly install these modules from npm. We say it does a thing, so we install it. We even install modules that are built into core.
So let's talk about some new research that I've done, that I've only talked a little bit publicly about, and it's still a problem. This is still technically an issue that's out there. I'm presenting it to the community because it's a community thing; it needs to be solved by the community. There's plenty of people here that could contribute to fixing this issue. "npm install all the things": that is not a typo, at least not by accident. It's on purpose. So I got to the point where I wanted to research if we were making mistakes, basically, as humans installing modules. What were common typos? Were these modules being installed from the registry?
Would you normally do this? Do you think anybody does this: npm install fs? Most people would say no, that's a silly thing to do, it's built into Node core. Or this: npm install http. Or how about this: npm install socketio. It's actually supposed to be a dot in there. You'll get a 404 for every single one of those. They don't actually exist right now, but they could be published, and they may not be the module or the intended behavior that you want. It could be a malicious module.
If people did these things... I got the logs from the npm project, and over about a period of three quarters of a year, 15,000 people tried to install fs. Yeah, a lot of people. http was also high on the list. Those modules still don't exist. However, it's becoming sort of like... there were these modules published just a little while ago, a couple of days ago, and I noticed they got taken down. Somebody basically was just trolling the registry by publishing some of these things out there that did nothing.
Just module.exports nothing, but those actually got taken down. So it is a problem. I published coffeescript, not coffee-script, but coffeescript, and I got 200 downloads in a week, and the module did nothing. Had it mimicked the behavior of actual CoffeeScript, it might have gone unnoticed a lot longer. So I'm not sure self-policing in the community is enough, but I really just want to get that out there to get the dialogue going about this problem. Conclusions I had were: core modules basically shouldn't be allowed in npm, right. We should have some block there, or some placeholder, I don't know. Core is important, to keep the integrity there. Punctuation is hard: modules that have punctuation in them are more often going to be... you're gonna install a wrong module. So basically we need to be sure that we're installing the proper things. That's one of the things that I got out of it. That's it, if I want to own a Node app, one of your Node apps, one of your developers.
We also need a way to sort of manage integrity on npm and prove that we're installing packages... that might be package signing. Isaacs has some ideas on package signing that might be effective. It might solve some issues. So, coming back on the why, that was just kind of an aside, one of these compounding reasons of why we started. So combine all of those sort of affirmations with the fact that the same vulnerabilities and security principles, you know, on authentication and authorization, input sanitization, code versus data separation...
They're not going to go away. These problems, these same principles exist, and we need to... basically, the definition of crazy is we do the same thing over and over again and expect different results, right. We can't continue to do the same thing over and over again in our development habits and the way we build software and expect more secure software. We just can't, so something has to change.
We have to stop traversing this Möbius strip; we have to get off. And that was where I was at, and sort of why I was starting the Node Security Project. Something had to change. Let's try something crazy. You know, let's bridge the development and security communities and try to think more positively and actually influence the community as a whole to build more secure software.
As an aside, I have a note here that's basically to say how much I love this community, the JavaScript community, the Node community, for having, for the most part, a positive outlook, embracing security, embracing talks at conferences, embracing just doing things differently than other communities that may have a little more negativity surrounding them. So, kind of on to the how. This is the second question I get asked a lot for the Node Security Project, and after the launch I sort of...
Went, oh, how am I gonna do this? I just said I was gonna audit all the modules in npm. Now what, right? That's a lot of things, and growing at a really fast rate. Well, it turns out sort of the answer was right in front of me, and I learned this lesson transitioning from owning a security consultancy to being the CSO. Apparently I just break things wherever I go. So as I became the CSO at &yet, I got this new... I've been with &yet for four years, and I got this new opportunity to just sort of... I was like, I'm internal, I can effect change, things will just happen and we can just change all of the things, right? Secure all the things, make policies, make developers do this and this and this and this, and it didn't work. And I had to realize that you can't just do that.
You can't change all the things or do all of the things all the time when it comes to security, or pretty much anything. You have to do incremental achievements. You have to look where you're at and say, you know, this is a thing we do over and over again, and we do it poorly. We see this pattern. Let's figure out how to make that go away, let's figure out how to get better. And so, distilled down to two words, it's just basically: do better. If you take nothing else away from this talk, that's it.
That's the measured increment: do better. That's the result, and the reason that is, is because security is not a solvable problem. You can't be a hundred percent secure. It's just not gonna happen. So once you realize that and embrace that, you're going to basically realize that you have to approach it that way. You know, similar to how we're doing the Node Security Project, similar to sort of how the pyramids were built, you know, with a bunch of people in the community, one block at a time. We're gonna do it...
...based on initiatives. So we're gonna pick one particular security vulnerability, one particular pattern, we're gonna focus on it, we're gonna audit it across the codebase, we're gonna automate that (and I'll go into our process a little later), and then we're gonna ratchet up. So once that's sort of gone and being checked, we're going on to the next thing and the next thing. As more people get involved, we can do those faster, but we're a small team. We're actually an amazing team. This is our contributor page...
This is our contributor page, basically, on the nodesecurity.io site, and there's a lot more people that are listed there, because it's basically got a bug and it doesn't show everybody. But, you know, some of those people, Steven, Ilia and Wes on the top row there, have been instrumental in creating some of our tools and our initial version, which is going to change, and they're part of the core that's going to be accepting code contributions and stuff.
Now, we've also had a lot of community advisors: Mikeal Rogers, Nathan from the &yet team, Daniel Shaw have been great advisors. They're also not really listed there. But I realized after I got going, and we did all this, that I did it wrong. So there's some incremental things that we're gonna do at the Node Security Project as well. I had a problem and I solved it wrong. Basically, the problem was: I don't want people that I don't trust coming and signing up for this mailing list, this private mailing list, and basically coming for the free 0-days, right. I didn't want them coming for the free vulnerabilities, which we had, and we had no way to sort of segregate them. We initially used just GitHub issues and a private mailing list, and we're gonna solve that, basically, through a new process.
We have to... I want developers to be able to contribute. So I've been asked a lot of times: "I don't know much about security, but I want to be involved in the Node Security Project. I want to learn." So I think I've figured out a really interesting way to sort of combine the two. Who here has heard of nodeschool.io? Few hands. Okay, so nodeschool.io is absolutely amazing, and I believe the artwork there... substack and Brian Brennan were part of it.
I don't know who all's involved, but that started because of stream-adventure, that Max and substack wrote. So if you don't know about stream-adventure... also, I think, you know, Rod did a bunch for that as well. It's a way of doing exercises: you get an explanation of the exercise, and then you've got to write some code and get it verified.
So that's what we're going to do. We're going to use that process to sort of connect developers with an education about the vulnerability, and then they can validate it, and you can just pop stuff off of a stack. You can see only the things that you have worked on; you can't see all the rest of the things, and we can keep track of who's done what. It segregates the work, it educates developers, and it sort of meets all of our goals.
So here is our new process, basically, with lots of little icons. So people basically feed the machine, right. We've got a core security team that is coming up with new things, or people report them publicly. That's another thing that I really want to get supported: if you have a security flaw in a library, report it. It does good for the community. A lot of people hide those things and just fix it silently and push a new version out, and it's gone. Let's get that intel.
Let's actually get some good data about what's going on in our modules and the type of quality of code that we're building. So we feed the machine. One way we do that is by searching. We've got a full-text index of all of the source code from npm, so whenever new modules are pushed it gets updated. We can do quick searches across who's using child_process.exec in a really horrible way, and we can look across and say: is this a good pattern?
Is this going to have lots of false positives? Of course we can tune those things. That's the job system in the whole cog thing; it's a Redis-based job system. On the Node Security GitHub page, github.com/nodesecurity, there's three repositories that are very empty right now, because I'm basically moving all the code that was private and closed source, because basically I did it wrong, and it's gonna be open and in there, and anybody contributes, pull requests, etc. That job system is up there, very simple plug-in structure.
You can basically do anything. If you want to do a grep, you're just doing a grep for a string, which might be enough. You can do that. We've got... it creates a new ticket, basically, tickets in the system. It's just a web app; people pop tickets, so any developer can pop a ticket off that stack, basically look, see. Then we communicate with the developers. This turns out to be a really, really, really hard part of the project: every single project in here wants things done a little bit differently and communicated a little bit differently, and they use different ways of working with each other. More on that in a little bit. We fix the things, we do pull requests. We don't ever publish an advisory, which is the last step, without having a fix available.
So that's one thing: we're very focused on having positive interaction with developers, and we don't want to basically screw anybody over. That's sort of one of our core values. This slide's not supposed to be in there, so anyway. Even if the Node Security Project fails to sustain, we're gonna end up fixing a few things. Even if it doesn't sort of produce a resource that helps you in your everyday life, in one of your modules, it can still be of use.
You can take that lesson of just sort of increment and do better, and realize that even these, you know, random projects out there that people really think are a good idea (and I've got a lot of compliments, a lot of followers on the Node Security Project), we still do things wrong, and we're okay admitting that, and we're just committing to better. You can take that away. Process and habits are not like code; they are not immutable. They can change. We can simply do better.
The reason why security education sort of fails to be disseminated to developers is because a lot of security people are not developers, and so we, as security people, write documentation and tools and things that are designed for us, not developers. And so what happens is that sucks for developers. What we need to do is make that better.
So what I really, really want people to do is go read some of the resources out there that are better for developers, such as the OWASP Top 10, owasp.org, and tell the Node Security Project what sucks about it. What do you not get out of that resource that we can fix and publish? Fix those things, and we can publish new documentation and make it better.
So, a little group exercise. I want everybody to take out their phones, take out Twitter, and we're gonna tweet at GitHub, because this would be great, to get like 300 tweets at GitHub. Basically: I wish GitHub had private issues and pull requests for open source projects to improve responsible disclosure. First, issues: we don't have to have random email addresses where things go to, or some out-of-band channel. We're using GitHub, and we're using issues, and we're using issue trackers. We need the ability, we need the tools to support the processes that we're doing.
Okay, well, you guys can all be my proxies and do it for me, 'cause that's not working! So do that, that'll be awesome, if we can get that. Cool. nodeschool.io: amazing, amazing, amazing project. Go out there, learn from it, contribute back to it. I would love for anything you learn from OWASP, or any security knowledge you know, go build a workshop.
The last thing is, until we get the thing from GitHub or get better tools there, we can sort of augment. We can put our security process for our projects in a place: SECURITY.md. You can put how you want to be communicated with about your security vulnerabilities. That might simply be an email address. It might be a detailed process, much like the Ember.js project has. If you want a good example, check out the Ember.js security disclosure process. It's...
It's a model for how we can improve things. To do that, check us out on github.com/nodesecurity and help. I am a developer and I'm a security person. I'm a bad developer. I write really slow, I just write code very poorly, so I need help. I do have a vision. I'll get some documents out there for what I'm kind of looking for to get built, but I know there's amazing people here that could contribute very quickly, much faster than I can, and do it in a much better way.