February 15, 2017

Auditing Your NodeJS Packages for Security Vulns


I know, another post so soon after the previous. I am just as shocked as you are. But all nonsense aside, let's talk about some fun tools to audit the packages in a NodeJS application in search of publicly known security vulnerabilities.

I was recently tasked with auditing a NodeJS application and like all technologies I'm not terribly comfortable with, I immediately look for the low-hanging fruit to start. I knew of npm (Node Package Manager), but I wasn't really sure how NodeJS apps laid out their required packages. Needless to say, I learned quickly that packages are typically stored in a package.json / npm-shrinkwrap.json in the root of the project directory.

But I ran into a snag. The package.json file was huge for this project. This led to the inevitable question of how can I possibly review every single one of these packages?? And kids, this is where automation is your friend. I did some searching, and I found two pretty solid tools that will automatically scan your NodeJS packages and search for packages with known vulnerabilities. It's so simple, one of them includes steps on how to integrate with your CI system (if desired).

Enter the tools...

For the purpose of this post, I will be covering two separate tools used to audit NodeJS packages.
  • snyk (https://snyk.io/) - Snyk requires that you install all packages for the project, and then it will scan them looking for known CVEs and advisories using their curated database
  • nsp (https://nodesecurity.io/) - NSP scans your project's package.json file and searches for known vulnerabilities using their curated database
In my tests, Snyk seemed to be more accurate likely because I was forced to install the packages which pulls down everything needed (including dependencies of dependencies), but NSP runs much quicker as you don't need to install all the dependencies for a project first.

Using Node Security Platform (nsp)



Using Snyk


Conclusions

In my opinion, the output of Snyk seems to work better for my situations. I like the Snyk vulnerability database links as they always seem to contain very helpful information in all the cases I've used it. Also, I hope you like the Asciinema casts. I've seen them around before, but I never thought to use them until now. 

Feel free to share your thoughts or questions in the comments below.

1 comment:

The S3 Bucket Problem - The Latest Vuln to Become Popular

Yes, yes, I'm late to the party, I know. Poorly secured Amazon S3 buckets have been a thing for a while now, but recently there's...