From YouTube: Introducing nodesecurity.io - Adam Baldwin @ NodePDX
Description
The node.js community is growing at an amazing rate. At the time of writing there were 27,757 modules published on npm. Have you ever stopped to think just what you are putting into your project when you npm install somebody else's module? Do you trust that code? This is an insane project to find out the answer to that question.
This talk will introduce the nodesecurity.io project, its goals, and current results, in hopes of inspiring involvement and receiving feedback directly from the node community!
Recorded: 2013-05-16
Awesome, thank you. So the Node Security Project is really a community project and it needs a community behind it, and so I'm gonna need your help right now. So please stand up. I really, really need your help. We can't do this without you, it's a community thing. So when I say "node," you say "community." Node! And then we're gonna do another piece where when I say "node," you say "security." So it's really complex, but let's see what we can do. Okay, all right. No, you guys... okay, no, seriously. Crazy, crazy, let's get crazy!
This is... [unclear] that worked better, okay, whatever. All right, so let's get cracking.
I'm Adam. I am actually Adam Baldwin, not Adam Brault, who was the imposter Adam. You all trusted that potentially he was me, just like with, you know, node modules: you're trusting them in your codebase, right? So I am the real Adam. You can find me on Twitter here at @adam_baldwin, Lift Security and Node Security, as well as on GitHub as evilpacket.
So, Node Security. This whole project stemmed around kind of a story that I like to tell about when I got started in node. I got started in node security when we started at &yet building And Bang. Basically I was wondering how I could actually compromise our service, right? And so I started thinking about it, and you know, we wrote tests and we did testing and all that stuff that you normally do, and then I was like, wait.
There's a lot of users out there with really, really important modules that get a lot of downloads and a lot of use, that I could have just logged in and did a force push, and that would have been bad. But that's where it all sort of began. Then it moved on to adding CSRF protection to the npm website, cross-site request forgery protection, in which I did something a bit different than security researchers normally do. Instead of just saying, hey Isaac, you've got a problem here, go fix it, right?
I submitted a pull request, and he didn't necessarily like my implementation, but it got fixed, and that's kind of the point. That'll be kind of a premise to what I'm going off of here. So the Node Security Project is where I ended up, and this is kind of the idea and the culmination of thoughts: all right, so we've got all these modules. We've got all of these modules out there. How can we validate the security of them? And I'll be honest with you, the Node Security Project is basically an experiment.
It's an experiment to see if we, the node security community, can do security better than, or differently and better than, any other community out there: better than the Ruby community, better than the Python community. And the reality is, I love the node community, I love each and every one of you, and I would be hard-pressed to try this experiment in any other community. The support behind this in just the first couple of weeks has been amazing.
To have that kind of support, it makes me want to continue. So this project is basically bridging two communities, two communities that don't necessarily play nice together. Security researchers, right, we don't play well with others; we just say, hey, you got a problem in your code, go fix it, and we're gonna publish a note, and we're happy, and we do a little dance and I think it's fixed and we move on to the next project, right? And the development community. We need...
Here's some major contributors, just off the start, that are really contributing from the base: Adam Brault, Nathan [unclear], Michael Rogers, huge supporters and initial contributors of the project; Neal Poole, [unclear], Luca Carettoni, Stephen Revis, who's actually just a developer, he's building our portal; Arlo Breault and [unclear]. Just to give them some credit, because that's who's doing this. I can't do this alone. I started the project. You know, we start with auditing every module.
That's the first goal of what we're doing, and I looked at it and I said: I can't keep up with substack, I couldn't keep up with what he's putting out, right? Like, when I submitted this talk there were 27,000 modules, and there's that many... it's probably higher than that now, right, as of just a few minutes ago. I can't keep up with that. So what we're doing is, we're gonna...
Because if you look at silly modules that you may not think are worth anything, they might have got downloaded, you know, a hundred times in the last day. People are using these things that are two years old and outdated, that may have problems in them, and so we need to look across the whole thing. But how are we going to do that, right? How can we keep up? We can't just go module by module; we're gonna run things in basically small initiatives.
This is the only way that I figure, and I love feedback if you think differently on how we can actually keep up. We're gonna run initiatives where we say: let's look at this particular security problem across the entire module base. So our first initiative is child_process.exec, right? You put untrusted user input into child_process.exec and what happens? Command execution, right? So put that in the wrong situation and you've got a problem.
You've got a module that's using this and you're happily passing input to this module, and it just takes it and runs it. So, instead of one module at a time (we cannot keep up doing all of the things on each module), what we're going to do is basically run these initiatives and version them, so we know if we've gone over all the module base. And you'll be able to look up each individual module and you'll be able to just say: what has the project looked at for this particular module? What are the...
What are the things? We'll have an explanation for, you know, why it's a problem or whatever. Is it clean? You know, to refine something, and, you know, hopefully it gets fixed, and you, the developer, have that information then at your disposal. So after we've audited all the things, right, the next step is to fix the broken things, right? Most security projects and security
researchers don't get to this point, because we don't care; we've got our high from actually finding the vulnerability and pointing it out, and then we're done. You'll fix your problem and I'm moving on to the next thing, as I mentioned. And so we're gonna try to do this a little bit differently than in the past, and this is what's going to hopefully set us apart from other projects, right? So, standard things: we're gonna report the issues we find.
You know, we've gotten some pushback, very, very little pushback, on this, you know, just sort of adding issues to repositories and making them public, right. Some, excuse me, some things are important enough that we should contact users privately, right, but oftentimes emails will bounce, or emails aren't updated on repositories, or there are those modules that don't have repositories and there's no email address, and I have no idea how the hell to get a hold of people. What do we do with that, right?
So we're trying to do the best we can to manage that process. We're gonna piss a few people off, but in the end we're gonna get things fixed. So, you know, we have no ill intent to just, you know, put people in harm's way. We're gonna send pull requests, like I said. There's two halves of this: finding problems and fixing them. The projects that don't have a maintainer that can maintain them anymore, that are two years old, and we're going to try...
We've had a couple instances where we've had pull requests just accepted, where they've ignored the issue for a number of... so it's just like, well, yeah, I'll just merge your pull request, cool. And that's got its own problem, you know, just trusting [unclear] or whatever, but it's worked well so far. People have been...
People have been welcoming of the pull requests versus just, you know, pointing and laughing. So here's an example of the kind of communication that we're going to encounter, the kind of things that we're going to end up with, and there's actually a lot of positive that comes out of this. This particular thing: it's hubot-scripts, is the module, and there's a lot more communication that went on other than this.
This is what I'm going to talk about, though. So our researcher, if you can't read that, Neal Poole, submitted an issue that said: hey, here's command execution in Hubot, in the email script in hubot-scripts. If you enable it and you put the right parameters in, it'll execute a script. So at midnight this issue just got closed. No comment, closed.
Okay! What... you know, all right. So Neal says, I think you may have closed the wrong issue, right, the code's still vulnerable. We got a response back that said: I closed the correct issue. Hubot is meant to be run in a trusted environment. If you don't trust the people you allow access to Hubot, I think you should stop allowing them access to it. But that's, you know, that's a valid point.
You know, Neal's sort of response was, you know, I can appreciate that, you know, but there's nothing that says that Hubot has to be run in a trusted environment. It's open source, people are gonna do crazy stuff with it. That's just sort of the way it is. If you notice the tone of these responses, they're not attacking, like a lot of, you know, typical security rebuttals: like, you don't appreciate what I'm doing, so I'm just gonna get angry, and you know. So we're trying to be very, you know, professional, explaining and whatever.
The second thing is that, even if you guarantee that it did exist, if you give somebody access as a human, that doesn't mean you also give them access to executing code on your server, right, like as that particular Hubot user. So if that's the case, you should make a Hubot plug-in that executes a script and give them access to that. So, and then he says, basically he said, you know, it's fairly straightforward, would you reconsider accepting a pull request? And, you know, sure enough: pull request sent, merged, done, and it wasn't...
It wasn't even a problem anymore: push, fixed! So there's a lot of things that Neal did right here: the tone of his responses, the fact that he was persistent, the fact that he didn't get upset. I mean, this is the kind of positive interaction that we want with developers, and it's gonna be a fighting battle. So the final thing is to publish results. This is actually sort of not just publishing the issues on repositories publicly, or... there's been some people that have mentioned, publicly, we published results.
Aren't we creating more of a problem than we're fixing? And, you know, in some cases, you know, it's debatable, but we're really trying to put this information in the hands of developers. So, you know, what modules and code of your code that you're using, you should be already aware of that. But if you're not, you can easily tell what we've looked at and if it's got these certain classes of vulnerabilities.
So what we're going to do is, we're actually publishing them out on the portal, the nodesecurity.io site. Please abuse it and tell us all the problems that you find; it's still very, very, very fresh. These are the first few advisories that are going to go out, that have gotten fixed: an authentication bypass in tomato. Basically, it was looking at indexOf on a string, even though it expected an array. So if you had a key this long, you just pick one letter and you get access to the API.
hubot-scripts command execution, and libnotify [unclear]. We've got about 10 more in the pipeline from this particular initiative that are getting fixed, and we should be wrapping that up in a couple of weeks, then we'll move on again. This is very caveman-like initially, you know. If you go off, you get your code and you do `require('child_process')`, then name it something else and then, you know, try to hide that particular code flow, we're not gonna find it. We're using...
You know, grep and bash, and we're not doing things elegantly. We're hoping to grow this and improve it over time. If somebody is really great at static analysis and, you know, taint checking and stuff like that, please help me, because I don't know how to do that stuff. I'm learning, but, you know, we need help. So, how to contribute. That's last, right, how to contribute. We've got information on nodesecurity.io which basically says join the mailing list.
The node auditor, or the node security auditors list, is private. I'm not letting just anybody in there; we're doing some vetting, you know, making sure that, you know, lurkers basically aren't too desired, mostly because we're talking about some of these things, and we don't want you just camping and saying, well, here's something I can take advantage of, and now going off on your own and trying to exploit that. It's a hard thing to manage. We're gonna try to do our best at doing that.