Who Bears the Burden of Ensuring Npm Module Security?
Node.js developers and enterprises increasingly build on third-party and open source modules, and with those modules come security issues. Who is ultimately responsible for the security of these third-party modules? Is it the original module creator? Or, since open source contributions are created out of sheer goodwill for the betterment of the community, some argue that the burden of ensuring their security falls upon those using them.
On this new episode of The New Stack Makers podcast, we discussed Node.js module security with Guy Podjarny, CEO of Snyk, which makes security tools for Node and Ruby, and Gergely Nemeth, CEO of RisingStack, provider of the Trace debugging software. The interview was recorded at the 2016 Node.js Interactive conference.
“We need to get better as a community in drawing the line on what is the responsibility of the open source package author, versus the responsibility of the open source consumer. Today, open source consumers think of this as off the shelf software, and the open source authors are doing this in their spare time,” Podjarny said.
Snyk’s toolkit alerts users to newly disclosed vulnerabilities in both npm packages and Ruby gems, saving developers the time of tracking down and responding to each one individually.
Nemeth agreed that today’s developers cannot be expected to handle all aspects of security. “The solution lies on the one hand with tools. So you need tooling providers, be it GitHub, Snyk, Trace, to make it easy. Security has to be sufficiently easy for you to do it. Today’s security is just too hard. For the community, we need to figure out a way to incentivize secure code.”
GoDaddy sponsored this podcast.
Feature image: Guy Podjarny (left) and Gergely Nemeth.