Enterprise Node: Securing Your Environment
About me
Tech Lead @ MLS
Medium: @kurtiskemple
Twitter: @kurtiskemple
GitHub: @kkemple
Repo for this webinar: kkemple/awesome-enterprise-web-service
Why is Securing Your Environment Important?
Benefits
- Protects your company from potential threats
- Improves confidence in code and systems
- Helps you meet legal/organizational regulations
Securing Your Runtime
Node LTS Versions
- Official Node.js long-term support versions
- Offers a solid foundation to build apps on (no breaking changes)
- Provides a maintenance window in which only critical bug fixes and security fixes are permitted as commits
N | Solid - Enterprise Runtime
- Enables deep performance insights (one-click flame graphs)
- CLI enabled for easy CI/CD integration and automatic control
- Advanced console for analyzing your entire Node.js infrastructure
- Alerting through threshold monitoring
N | Solid Overview
N | Solid Performance Flame Graph
Containerization
- Boxes up your application and all its dependencies
- Provides a layer of abstraction from the server
- Provides isolation from other applications
- Images can be checked for vulnerabilities
quay.io
coreos/Clair
Aqua Peekr
Securing Your Dependencies
Whitelisting / blacklisting modules
- Blacklisting: allow use of any public module except the ones on the list
- Whitelisting: allow use of only the public modules on the list
- Great for meeting audit and legal obligations
- Requires a private registry (NPM Enterprise, Sinopia, etc.)
Node Security Project
- Keeps a database of all known Node module vulnerabilities
- Offers a CLI tool for easy CI/CD integration
- Maintained by the community and the best Node security experts in the industry (Adam Baldwin)
NPM Shrinkwrap & Shrinkpack
- Prevent dependency regression (unwanted dependency updates)
- Localize tarballs: no need to call out to NPM each time you need a module, which also greatly speeds up builds
Shrinkpack
Securing your applications
Authentication
- Authentication: verify the identity of a user/client
- Should support JWT header and Basic Auth
- JWT: JSON Web Tokens are an open, industry-standard (RFC 7519) method for representing claims securely between two parties
JWT.io
auth.io/blog
Authorization
- Authorization: verify permission of an action by a user/client
- Uses Scopes to define permissions
- Roles define a group of Scopes
- Scopes are set on endpoints for fine-grained control
Data Validation
- Prevents dirty data from entering your system
- Allows you to define schemas that your documentation engines can read
- Provides in-code documentation of valid endpoint parameters
Swagger Docs from Joi Schemas
HTTPS ALL THE THINGS
- Encrypts data sent over the internet
- Prevents packet sniffing and man-in-the-middle attacks
- Generally terminated at the CDN layer (AWS CloudFront, Cloudflare, Fastly, etc.)
- HTTPS internally provides better security but adds latency to requests
Encrypting Data
- You should ALWAYS encrypt sensitive information (passwords, SSNs, credit card numbers, etc.)
- Do some research on encryption best practices
- Make sure your encryption keys are secret
Q&A
Enterprise Node.js - Code Quality: https://www.crowdcast.io/e/enterprise-node-1
Enterprise Node.js - Code Discovery: https://www.crowdcast.io/e/enterprise-node-2
Enterprise Node.js - Securing Your Environment: https://www.crowdcast.io/e/enterprise-node-3
Enterprise Node.js - Deploying with Docker: https://www.crowdcast.io/e/enterprise-node-4