February 15, 2017

Auditing Your NodeJS Packages for Security Vulns


I know, another post so soon after the previous. I am just as shocked as you are. But all nonsense aside, let's talk about some fun tools to audit the packages in a NodeJS application in search of publicly known security vulnerabilities.

I was recently tasked with auditing a NodeJS application and, as with every technology I'm not terribly comfortable with, I immediately looked for the low-hanging fruit to start. I knew of npm (Node Package Manager), but I wasn't really sure how NodeJS apps laid out their required packages. Needless to say, I learned quickly that a project's packages are typically declared in a package.json / npm-shrinkwrap.json in the root of the project directory.

But I ran into a snag. The package.json file for this project was huge. This led to the inevitable question: how can I possibly review every single one of these packages? And kids, this is where automation is your friend. I did some searching and found two pretty solid tools that will automatically scan your NodeJS packages and flag the ones with known vulnerabilities. They're simple enough that one of them even includes steps for integrating with your CI system (if desired).

Enter the tools...

For the purpose of this post, I will be covering two separate tools used to audit NodeJS packages.
  • snyk (https://snyk.io/) - Snyk requires that you install all packages for the project, and then it will scan them looking for known CVEs and advisories using their curated database
  • nsp (https://nodesecurity.io/) - NSP scans your project's package.json file and searches for known vulnerabilities using their curated database
In my tests, Snyk seemed to be more accurate, likely because I was forced to install the packages, which pulls down everything needed (including dependencies of dependencies). NSP, on the other hand, runs much quicker, as you don't need to install all of a project's dependencies first.

Using Node Security Platform (nsp)



Using Snyk


Conclusions

In my opinion, the output of Snyk works better for my situation. I like the Snyk vulnerability database links, as they have contained very helpful information in every case I've used them. Also, I hope you like the Asciinema casts. I've seen them around before, but I never thought to use them until now.

Feel free to share your thoughts or questions in the comments below.

