Comments (77)

goldbergyoni avatar goldbergyoni commented on May 6, 2024 3

@lirantal @BrunoScheufler @js-kyle

Only now I found the time to sort the list and adjust the titles. It's done, let me know what you think.

Let's all pick items to write about?

Please read the writing-guidelines to keep a consistent content style.

2 more thoughts:

  1. Prefer the reading experience over the tech details. Make it pleasant to read: provide examples, anecdotes, diagrams, etc. Use short sentences and clear ideas. Drop details that are hard to explain
  2. I would avoid specifying non-famous NPM packages on the tldr part to avoid subjective/flammable/debatable content in the opening part (not including Express, passport, etc).

from nodebestpractices.

lirantal avatar lirantal commented on May 6, 2024 3

I wish I could further help guys but looks like it's going to be a bit busy in the next couple of months.
I won't be able to pick up items to review but if there are specific items/questions that need addressing I'd love to help.

lirantal avatar lirantal commented on May 6, 2024 2

Sounds great, thanks for reaching out @i0natan. I'll probably get around to it tomorrow evening.

@BrunoScheufler looking forward to working together on this.

js-kyle avatar js-kyle commented on May 6, 2024 2

Cool, I will pick some once you've sorted out the priority ordering

js-kyle avatar js-kyle commented on May 6, 2024 2

Hey all, I've checked in a PR to get some feedback early on, #153

This is for 6.7. Constantly and automatically inspect for vulnerable dependencies

goldbergyoni avatar goldbergyoni commented on May 6, 2024 2

@lirantal @js-kyle @BrunoScheufler

Thoughts for new best practices:

lirantal avatar lirantal commented on May 6, 2024 2

I think they should be added to both in the order you listed them (i.e: xss to 6.9 and pp to 6.10)

talentedandrew avatar talentedandrew commented on May 6, 2024 2

@i0natan thanks for considering it. I find almost everything listed here important. If you want me to list some, here are a few that I think should be included:

  1. Server Side JS Injection
  2. SQL and NoSQL Injection
  3. Log Injection
  4. Session Management
     4.1 Session timeout and protecting cookies in transit
     4.2 Session hijacking
  5. XSS Attacks
  6. Security Misconfiguration
  7. Sensitive Data Exposure
  8. Cross-Site Request Forgery (CSRF)
  9. Unvalidated Redirects and Forwards

js-kyle avatar js-kyle commented on May 6, 2024 2

From what I can tell, this is what we have remaining:

Currently being worked on:
6.9. Use middleware that sanitizes input and output - @i0natan
6.18. Run unsafe code in a sandbox - @i0natan

6.3 Extract secrets from config files or use NPM package that encrypts them - @js-kyle
6.12. Avoid using middlewares that crash the process - @js-kyle

6.4. Prevent SQL/noSQL injection with ORM/ODM or any other DAL packages - @BrunoScheufler
6.19. Take extra care when working with child processes - @BrunoScheufler

goldbergyoni avatar goldbergyoni commented on May 6, 2024 2

@js-kyle @BrunoScheufler Just a heads-up - we've some holiday here, I'll be back on Monday and write my next 2 in a week.

2 thoughts:

  1. Can we check if we cover all OWASP Top 10 threats? If yes, we may add some badge to the start of the security section
  2. Who's handling the generic list? I've an Excel list with 50 security best practices, we might copy from there many items. Then we can publish the article as "23 Node.js security practices (+20 generic security advice)"

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024 1

@i0natan awesome stuff! I'll have a look at it tomorrow and will also select some points to work on the TL;DRs and content, if nobody has picked their bullet points until then 👍

lirantal avatar lirantal commented on May 6, 2024 1

@BrunoScheufler let's take the discussion about the actual content/title in #33 and leave this thread for high-level status/roadmap plan.

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

@lirantal got it. I think it looks good and serve our purposes well

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

@lirantal

I'm gonna be somewhat busy for the near-term

Cool & good luck, I suggest whenever you have that short time in the next week, focus on A&B (finalizing the bullets list, we need 2-3 more and deciding on the final resources). Try to think what Node-related items we can add to reach 21 items + what are the canonical resources that should drive our writing

Afterward, we can all take the writing very slowly. Maybe even Bruno & I can write most of it

lirantal avatar lirantal commented on May 6, 2024 1

don't worry, I'm not going anywhere, just less active for a short bit :-)
will focus on A&B as suggested 👍

thanks guys, this is really progressing well!

js-kyle avatar js-kyle commented on May 6, 2024 1

I have an idea to contribute to this section - what is the best way to go about this? PR?

js-kyle avatar js-kyle commented on May 6, 2024 1

@lirantal Awesome, thanks

lirantal avatar lirantal commented on May 6, 2024 1

Super!
I think we have some contents for the security headers text already in-place, but still maybe worth going through it and closing it.

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

@lirantal oppss, missed your message, I suggest you pick any topic/s, I'll do some other, just let me know which are your preferred?

@lirantal @BrunoScheufler @js-kyle - let's each write 2-3 items and then will get in sync and plan the rest? can we do it by March 25th?

js-kyle avatar js-kyle commented on May 6, 2024 1

Thanks for the comment @BrunoScheufler, and @i0natan your comments make sense too, so i'll address those ones before this one gets moved along. Cheers!

js-kyle avatar js-kyle commented on May 6, 2024 1

I've addressed those comments, and added a new PR. Keen to merge that to the working branch once that has had another look over it 👍

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

I'm starting on Thursday and will take any bullet that you didn't. Just plz share here which bullets you handle to avoid duplications @js-kyle @BrunoScheufler

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

slight delay on my part but absolutely plan to start writing in the next few days

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

@js-kyle @BrunoScheufler

I'm doing 6.10 (validation) and 6.13 (avoid root) now. No one is writing this now, right?

I suggest everyone aim to pick some bullet will notify in advance

js-kyle avatar js-kyle commented on May 6, 2024 1

Happy to take on a couple more bullets. I'll post here once I decide on which one

js-kyle avatar js-kyle commented on May 6, 2024 1

Both sound good to me!

js-kyle avatar js-kyle commented on May 6, 2024 1

Beginning of July seems like a good target to me - I'm still working on my two remaining bullets.

As for the Medium article, that sounds good, I am guessing that will be paired with Reddit and Twitter posts?

goldbergyoni avatar goldbergyoni commented on May 6, 2024 1

@js-kyle Sure, Reddit + Twitter + NodeWeekly + Node official Twitter + FB groups and more

js-kyle avatar js-kyle commented on May 6, 2024 1

@i0natan Cool, I have added that into my current working branch which includes the secret management work (PR #178 ), feel free to take a look.

I just need to address the comments on that one about using a vault, then I think that is all my points addressed, unless we have more things to tidy on this section :)

js-kyle avatar js-kyle commented on May 6, 2024 1

@i0natan just created one as js_kyle

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@lirantal @BrunoScheufler

I think we're almost done with A, right?

How about adding 2-3 more bullets (marketing-wise, 20+ is important), we can scratch our heads to find few more, and in the interim collaborate on B. Then in few days, we can be ready for phase C (writing the content). What do you think?

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan it seems we slightly mixed up some of the points (in a good way) but nonetheless it's getting closer to what we expect from the section, I think the next step might be revising and adding content where needed and also searching resources to share with the topics.

lirantal avatar lirantal commented on May 6, 2024

Great progress indeed!

@BrunoScheufler maybe you want to handle B with some research?
@i0natan regarding C and the content, it's a bit tricky for me specifically since most if it is in the book, but of course the information itself is out there and not a secret. How about it if I re-use some level of contents and examples from the book and would link to it in the different sections?

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@lirantal I'd be happy to do the research and gather some resources!

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@BrunoScheufler let's have a thread/issue with security resources, then we can pick the Top X

@lirantal my only concern is keeping the same formatting and principles, can we try 1 bullet to see how it looks like? note that the pages have a format for quoting resources and it includes a link to the source

anyway, will put a bold link to your book + I meant to write myself more than few bullets (if needed)

https://github.com/i0natan/nodebestpractices/blob/master/writing-guidelines.md

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan I'll open an issue for the resources myself later, will look for resources specifically matching our bullets and maybe some general resources for web application security

lirantal avatar lirantal commented on May 6, 2024

@i0natan formatting is ok, I meant about content being same/very similar to content from the book. See this: #137

lirantal avatar lirantal commented on May 6, 2024

I'm gonna be somewhat busy for the near-term (couple of weeks) so will try to be responsive as possible but probably won't be able to invest a lot of work into the documentation of things, or will be delayed until weekends and such. I think we're good on the overall bullet list, and the read more sections can be based off of my book if we're good with that or other resources that you guys come up with.

@BrunoScheufler I dropped a link to a free copy of the book in your e-mail inbox so you can use that to update the relevant sections if you wish, or just read it before bed, good stuff there 😄

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@lirantal oh that's why I got the book 😄 thanks for your great work over all, I'll look into reading the book to find additional content options! 👍

lirantal avatar lirantal commented on May 6, 2024

Oh gotcha! Apologies for not thinking about it sooner :-)

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan we can share the state of the section here, think of additional points and content together and work on it!

lirantal avatar lirantal commented on May 6, 2024

@js-kyle just for the repo, checkout locally the security-best-practices branch and send a PR to merge to this repo of the same branch

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@lirantal @BrunoScheufler @js-kyle

Just a heads-up: We now have a resources list and finalized our bullets list. I want to re-arrange the list (priority) and slightly adjust the titles to be more node-related. I'll do that by Thursday.

Then, we can start writing the inner pages based on the resources. You may start thinking which topics you wanna write. We can assign 2-3 weeks for the writing phase so no rush and you can pick how many you like (1-10)

js-kyle avatar js-kyle commented on May 6, 2024

Hey all

I've got some spare time now so I am keen to get started on a couple of these - not sure if the priority order is set yet, however, first up I am keen to take:

  • Hide 'X-Powered-By' Express/Koa/etc headers
  • Protect your application endpoints using security-related headers
  • Limit concurrent requests using rate limiting balancer or a middleware

After that I'll check in on how we're going and grab some more depending on progress. Let me know if there are any problems with this!

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@js-kyle awesome, but I have already worked on the secure headers point, although you might find something to add! 😄

js-kyle avatar js-kyle commented on May 6, 2024

Based on those changes, I'm keen to take the below first up:

6.2. Limit concurrent requests using a balancer or a middleware
6.7. Constantly and automatically inspect for vulnerable dependencies
6.20. Hide error details from client (e.g. default Express behaviour)

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle cool. you may share the first for feedback before writing the rest. your call.

I'll wait for @lirantal and @BrunoScheufler to pick few then I'll take the rest (will need probably 3 weeks to accomplish my part)

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

If it's fine, I'd keep and update 6.5 (Common security best practices), 6.6 (Secure headers) and in addition to those pick 6.14 (Limit request payload size). Maybe I'll select another one too, but that'll be the first batch for me!

lirantal avatar lirantal commented on May 6, 2024

I'm good with any topic. So which titles does it leave me with?

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan that should work out. Will report back when I've got progress up 👍

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@js-kyle will have a look at it!

js-kyle avatar js-kyle commented on May 6, 2024

Which bullets have you guys self assigned? I'm interested to look at 6.11 if no-one else has started this

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@js-kyle I've got 6.5, 6.6 and 6.14 assigned

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

Will take up the points and start working as of tomorrow and the next days.

js-kyle avatar js-kyle commented on May 6, 2024

Going to pick up 6.11 & 6.17 today

js-kyle avatar js-kyle commented on May 6, 2024

Submitted another PR for a review - 6.11, 6.15, 6.17.

6.17 is a bit light, keen to add a link to another blog but couldn't find any good articles for that bullet

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@js-kyle awesome!

I'll be picking up work with my points again today if everything works out, due to being ill the last few days.

js-kyle avatar js-kyle commented on May 6, 2024

Really interested to see Burp Suite!

Agree on DNS rebinding, unless we decide to add it as a smaller clause to bullet 5.3, but it could also warrant its own article as part of this section

goldbergyoni avatar goldbergyoni commented on May 6, 2024

Yeah also not sure if DNS rebinding worth its own bullet.

Hacking tool benchmarks (Burp Suite) seems interesting enough

js-kyle avatar js-kyle commented on May 6, 2024

Going to pick up 6.8 in the next couple of days.

We're making some good progress here!

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle absolutely!

@lirantal do u suggest adding warning about "vulnerabilities like XSS, Parameter Pollutions" to 6.9 (sanitization) or 6.10 (validation)?

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle @BrunoScheufler

sharing heads-up - I blocked the time this week to write 6.13 and next week 6.18

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan awesome, I'll look into formulating some guidelines for our code sections, not too strict but a basic direction we should head to: modern, readable code.

talentedandrew avatar talentedandrew commented on May 6, 2024

Hi, I found this repo and this tutorial. I would like you to consider them for this section.

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@talentedandrew welcome and thank you. can u help us skim through the content and suggest specific bullets/ideas or where exactly where you position this tool?

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle @BrunoScheufler My next bullet is 6.18. Which items u plan to cover soon? happen to know how many left?

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan I'd need to have an overview on who is currently working on which bullet. So you're choosing 6.18, I don't think any other bullet is currently being worked on, is there?

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@talentedandrew absolutely looks like a resource worth quoting from. Do you want to suggest/PR practically new bullet or quotes to existing security bullets?

@js-kyle @BrunoScheufler I suggest you just pick 2 items, I'd declare 2 items and then we can do the math - how many left? :)

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

First of all, thanks @js-kyle for creating the current state overview!

@i0natan
I might as well work on 6.4 and/or 6.19!

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle great list. I'll pick 6.9 as well

js-kyle avatar js-kyle commented on May 6, 2024

Awesome, I updated the above list for current state, so all are now assigned.

Aiming to submit mine for feedback in the next few days

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle @BrunoScheufler Hello from the middle east. Hope everything is cool.

Just finished the 'sandbox' bullet. What's the status on your end?

I suggest releasing this list in the beginning of July, does this work for you? what do you think about releasing this in medium.com, only the title+otherwise, links for "Read more" refers to the repo here. This way, it looks like a brand new post and not as an update to an existing repo (might gain more traction)

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@BrunoScheufler Can you handle your items by the beginning of July or you want to forward some?

BrunoScheufler avatar BrunoScheufler commented on May 6, 2024

@i0natan I'll work on these items this week, I think I'll get done by then!

js-kyle avatar js-kyle commented on May 6, 2024

I'm starting on 6.12. Avoid using middlewares that crash the process

I might need some advice on direction for this one - I was going to mention validating/parsing input here but that is already covered as part of 6.10. Validate the incoming JSON - what was intended for this one?

Lastly, are there any objections to me removing bullet 4.4, as this is more appropriately covered with new bullet number 6.7 as part of the new security section? We could possibly do that as the last thing before merging otherwise all our notes here will get out of sync with losing a bullet number

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle Howdy!

6.12 seems indeed redundant, maybe you can convert it into "Prevent brute forcing your single threaded login routes" which is about limiting the number of allowed login/forgot password per username

See #186

About 4.4 - Not sure we should... Are the parts mutually exclusive or each is stand alone? what if someone is reading our testing practices only (e.g. setting his CI now) but don't have time to read the security section? Maybe link from item to item? not sure

goldbergyoni avatar goldbergyoni commented on May 6, 2024

@js-kyle What's your telegram uname? I'd like to open a chat for collaborative planning of the security finalization