The new year brings continued discussion of how to maintain and ensure the security of Node.js-backed systems and applications. The recent Node.js Interactive conference in Austin, Texas showcased not only how developers and organizations are putting Node.js to use in their own ecosystems, but also highlighted some of the top security concerns and best practices moving Node.js forward. On today's episode of The New Stack Makers, TNS video reporter Norris Deajon scoured the show floor to speak with attendees from companies such as InMotion, HighGround, and Capital One.
When asked what their approach was to security in Node.js, event attendees had a variety of responses: “When using Node.js, I kind of took the general security precautions I take when working with application web servers. Authentication keys, data scrubbing, and making sure you’re using encryption and decryption for any kind of data that has to go back and forth,” said InMotion Senior Software Developer Christian Monsegue.
HighGround Senior Software Engineer Tom Mitic noted that "We use the standard express module for security and the standard Node module. We're fairly confident that Node keeps updating them as vulnerabilities are found." Wyatt Pearsall countered this, adding, "Even if you're aware of the vulnerabilities in your own code, you're probably not watching as closely for stuff in your dependencies."
Monsegue highlighted recent regular expression denial-of-service (ReDoS) attacks as something that most likely would not have occurred to many developers or engineers, at least not until it had already taken place. "When it happened, it was like a lightbulb went off in my head. It's just like, 'Wow, I never thought people were going to get through my system that way.'"
When asked what security advice they would give others working with Node.js, our guests again offered a variety of differing opinions. Capital One Technology Fellow Azat Mardan voiced much of the Node.js community's concern succinctly: "Just the language by itself is not going to prevent developers from lazy habits like not validating data, or implementing application best practices. The best framework and the best platform in the world is not going to prevent that. It's that developers need to learn those practices."
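The two points raised above, the regex denial-of-service that Monsegue was surprised by and the data validation that Mardan says no framework can do for you, come together in a short Node.js example. This is an added illustration, not code from the article or from any of the speakers: the pattern names, the `validateWordList` function, the 256-character limit and the "word list" input format are all assumptions made for the example. It places a pattern with a nested quantifier, which backtracks catastrophically on a non-matching input, beside a linear rewrite, and shows a validator that caps input length before any regex runs so the worst case stays bounded whichever pattern is in use.

```javascript
// Added example, not code from the article or from any quoted speaker.
// It shows a regex that is open to denial of service through catastrophic
// backtracking, a linear replacement, and the input validation that bounds
// the damage regardless of which pattern is used.

// Vulnerable: the group (\w+\s?) contains a quantifier nested inside the outer +,
// with an optional separator, so a run of n word characters followed by a
// character that cannot match can be split roughly 2^(n-1) ways before the
// engine gives up.
const VULNERABLE_WORD_LIST = /^(\w+\s?)+$/;

// Hardened: each additional word must start with a separator and no quantifier
// is nested inside another, so every input position is consumed by one path.
// It is slightly stricter than the pattern above (no trailing whitespace).
const SAFE_WORD_LIST = /^\w+(?:\s\w+)*$/;

// Assumed limit for this example; a real service picks one per field.
const MAX_INPUT_LENGTH = 256;

// Validate an untrusted string as a whitespace-separated word list.
// The type and length checks run before the regex so that even a pattern
// that backtracks badly only ever sees a bounded amount of input.
function validateWordList(input, pattern = SAFE_WORD_LIST) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  return pattern.test(input) ? { ok: true } : { ok: false, reason: 'malformed' };
}

// Constructed worst-case input: n word characters then a '!' that makes the
// $ anchor fail and forces the engine to try every split of the run.
function worstCaseInput(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single pattern.test() call in milliseconds.
function matchTimeMs(pattern, input) {
  const start = process.hrtime.bigint();
  pattern.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Compare how the two patterns scale on worst-case inputs of increasing
// length. Lengths are kept small so the demonstration itself stays quick;
// raise them a few characters at a time to watch the vulnerable column
// double while the safe column stays flat.
function compareScaling(lengths = [8, 12, 16, 20]) {
  return lengths.map((n) => {
    const input = worstCaseInput(n);
    return {
      length: n,
      vulnerableMs: matchTimeMs(VULNERABLE_WORD_LIST, input),
      safeMs: matchTimeMs(SAFE_WORD_LIST, input),
    };
  });
}

for (const row of compareScaling()) {
  console.log(
    `n=${row.length}: vulnerable ${row.vulnerableMs.toFixed(3)} ms, ` +
      `safe ${row.safeMs.toFixed(3)} ms`,
  );
}
console.log(validateWordList('hello world'));        // { ok: true }
console.log(validateWordList(worstCaseInput(300)));  // rejected as too long
```

The length cap is the part that matters most operationally: it is a single check at the boundary that turns an exponential worst case into a bounded one even for patterns buried in dependencies that nobody on the team wrote or reviewed, which is exactly the blind spot Pearsall describes.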