With the Node.js ecosystem growing by leaps and bounds — 15 million downloads per month, more than a billion package downloads per week and well over 350,000 modules — security is a key concern for Node developers and adopters.
With that as a launching point, the Node.js Foundation moved to oversee the Node.js Security Project, which was founded by Adam Baldwin and previously managed by ^Lift Security, an application security company. The foundation announced the move at the Node.js Interactive North America 2016 conference in Austin, Texas, last week.
As part of the Node.js Foundation, the Node.js Security Project will provide a unified process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem, the foundation said. Governance for the project will come from a working group within the foundation.
Baldwin said ^Lift Security has run the project for three years and that it is time to broaden its reach. ^Lift Security’s parent company, &yet, began writing Node.js applications five years ago and spun out ^Lift as a security consultancy to examine the security of the applications &yet was building. They began by looking at the threat model and where flaws could be introduced, he noted.
“Node core had some processes in place for doing things, but the majority of the things that we didn’t trust – we trusted core – were from the ecosystem,” Baldwin told The New Stack. “We wanted to know who were these people shipping this code and we were adopting their code, their practices, their security posture, their laziness and all of these things for good or bad.”
To do that, Baldwin’s team began to delve into all that code and realized that no other ecosystem had such a security effort.
“PHP didn’t have this, Rails didn’t have this, Java didn’t have this,” he said. “So, we could start an effort, because we were so early on, to evangelize good practices, audit some code, give some guidance to the community and go give conference talks and spread the word of security and try to raise the whole ecosystem.”
Meanwhile, Mikeal Rogers, community manager for the Node.js Foundation, said the Node.js Security Project does two important things for Node.js users. One is that it provides a single place to report any security vulnerability, both in Node core and in the entire Node ecosystem of more than 350,000 modules.
“No other ecosystem has this and we’re in the most need of it because of that large ecosystem,” he said. “So that’s going to be really powerful.”
The second benefit of bringing the project under the foundation is that it will standardize the security data format, allowing many tools to be built on top of it.
One Stop Shop
Vendors will be able to provide security data sets that users can purchase and put on top of their environments.
“So now you have security researchers and inventors working on the same format so you can use all these great tools once you have data,” Rogers said. “We’ve seen an amazing collection of monitoring tools, tracing tools and debugging tools in the Node.js ecosystem because Node has not tried to build that tool; we’ve tried to build these really important core components that people extend. That’s where we really thrive: in building great ecosystems.”
The Node.js Foundation will take over the following responsibilities from ^Lift:
- Maintaining an entry point for ecosystem vulnerability disclosure;
- Maintaining a private communication channel for vulnerabilities to be vetted;
- Vetting participants in the private security disclosure group;
- Facilitating ongoing research and testing of security data;
- Owning and publishing the base dataset of disclosures; and
- Defining a standard for the data, which tool vendors can build on top of and to which security researchers and vendors can add data and value as well.
Rogers noted that last year the Node.js Foundation worked with The Linux Foundation’s Core Infrastructure Initiative to form the Node.js Core Security Group to encourage security best practices. Now, by overseeing datasets of vulnerability disclosures, which will be publicly available and openly licensed, the foundation is building on this work and expanding its role in enhancing Node.js through strong security governance, he said.
“The Node.js Security Project will become one of the largest projects to build a community around detecting and fixing vulnerabilities,” Rogers said in a statement. “Given the maturity of Node.js and how widely used it is in enterprise environments, it makes sense to tackle this endeavor under open governance facilitated by the Node.js Foundation. This allows for more collaboration and communication within the broad community of developers and end users, ensuring the stability and longevity of the large, continually growing Node.js ecosystem.”
Moreover, the security project will bring a solid stability story to the Node ecosystem, Baldwin said.
“It’s going to generate more excitement from members of the foundation and from outside contributors to contribute their time and energy to deal with vulnerability disclosures to contribute to best practices,” he said. “They want to be a part of that working group because it’s not now controlled by a vendor.”
Foundation officials said a Node.js Security Project Working Group will be established in the next few weeks to begin validating vulnerability disclosures and maintaining the base dataset. Members from the foundation’s Technical Steering Committee and Core Technical Committee are encouraged to join the working group and provide input on GitHub, Rogers noted.
“The Foundation will be able to funnel contributions from numerous vendors, developers and end users to create an incredibly useful baseline of data sets that will be available to anyone,” Baldwin said in a statement. “This ensures broader reach and long-lasting viability of the project to encourage availability of more security tools, which is increasingly in demand among Node.js enterprise developers and users.”
Baldwin noted that when he and his team at ^Lift first explored the security of the Node.js platform, they did not find that Node had any more security vulnerabilities than any other ecosystem. The same mistakes get made — as developers come from one platform, they make the same mistakes in another, he said.
“And you get the same kind of bugs in the third-party libraries,” he said. “There’s a very tiny amount of surface area in the VM layer that we haven’t really seen any security problems with, where other platforms have seen a couple.”
Feature image: Street art, Mexic-Arte Museum, Austin.