How npm Keeps JavaScript Safe

With Node.js having exploded in popularity since the 2000s, how can the npm registry promise to stay secure? Here's how the defense is built.

Thanks to C.J. Silverio, CTO at npm, Inc. for sharing her presentation on Keeping JavaScript Safe & The npm Registry presented at Node Interactive 2017 in Vancouver.

C.J.'s been using Node since 2011 and watched it grow up. Node has been running in the npm Registry since 2014. npm has grown up too!

The story of the npm Registry mirrors the story of Node. npm is the infrastructure for millions of developers, engineers, and architects. It serves Node packages 24/7 around the world. There are 3 billion downloads per week with 9 million users and 156,000 package authors (1.7% of the users).

In 2009, Node and npm's users knew each other by name. Today, the npm registry is too large to depend on community policing. That raises four questions:

  1. Is the registry secure?

  2. Does this package have vulnerabilities?

  3. Is this package malware?

  4. Who published this package?

Which leads to four answers, according to C.J.:

  1. "The registry is secure. It cannot be broken into and data in the registry cannot be tampered with. We do this with the help of ^Lift to perform periodic pen testing and ongoing code reviews. Security best practices are ongoing."

  2. "^Lift is the Node Security Platform (NSP). NSP reviews popular packages, reports vulnerabilities, and handles reports (see https://nodesecurity.io). Early access NSP data is integrated into the npm enterprise. npm Enterprise is a registry that sits inside your firewall. NSP and npm keep each other informed about vulnerabilities or anomalies."

  3. "Malware doesn't advertise and comes in two flavors: spam and poison. Spammers found the registry in 2016. There are two kinds of spam: content and JS spam support. npm and CDNs built on top = trivial hosting for GA clickjacking. We now use machine learning (ML) to catch spam thanks to the Smyte service. Spam speedbumps include validated email to publish and disallowing throwaway addresses. We made a dent but the war will never end. Poison-flavored malware: typosquatting. Publishing packages with names that are very close to the real names. Historically this was competitive: authors would try to steal traffic to plump up their download numbers. Someone typosquatted moment.js with another date-formatting package. There was also the accidental JSONStream versus jsonstream. Recently it's been nefarious: typosquat of cross-env versus crossenv with env var stealer. Also typosquat of bluebird wrapping bluebird with a cryptocoin miner. As Spider-Man said, 'with great popularity comes great annoyance.' We now have an automated similarity checker. The war will never end as long as hackers are making money from it."

  4. "What happens if someone steals JDD's auth token and posts malware as lodash? That's scary but npm auth tokens are sensitive and we have new tools in the npm CLI to help you control auth tokens. New command: npm token helps control your auth tokens. Give your CI system a read-only token. CIDR-bound tokens bind tokens to IP ranges. You can further limit your tokens by controlling where they can be used. We now have two-factor authentication. You can use a TOTP code generation app like Google Authenticator, Authy, or something similar."
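To make the "automated similarity checker" from answer 3 concrete, here is an added example (not npm's code and not from the talk) of a publish-time name check that flags the cross-env/crossenv and JSONStream/jsonstream patterns. The normalization rule, the distance threshold, the protected-name list and the `blubird` candidate are assumptions made for illustration.

```javascript
// Added example: a simple typosquat name check. NOT npm's algorithm; the
// normalization rule and edit-distance threshold are illustrative assumptions.

// Constructed list of protected popular names (taken from the article's cases).
const POPULAR = ['cross-env', 'JSONStream', 'bluebird', 'moment', 'lodash'];

// Collapse case and separator punctuation so cross-env and crossenv collide.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Levenshtein edit distance (insert, delete, substitute), two-row DP.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a candidate package name before it is accepted for publishing.
function checkName(candidate, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(candidate)) return { verdict: 'exact', match: candidate };
  const norm = normalize(candidate);
  // Same name once case and punctuation are ignored.
  const collision = popular.find((p) => normalize(p) === norm);
  if (collision) return { verdict: 'collision', match: collision };
  // Near miss; very short names are skipped to limit false positives.
  const near = popular.find((p) => {
    const n = normalize(p);
    return n.length >= 5 && editDistance(norm, n) <= maxDistance;
  });
  return near ? { verdict: 'near-miss', match: near } : { verdict: 'ok', match: null };
}

// Constructed candidates; 'blubird' is a made-up name for illustration.
for (const c of ['crossenv', 'jsonstream', 'blubird', 'express']) {
  console.log(c, checkName(c));
}
```

A registry would typically hold a flagged name for review rather than reject it outright, since legitimate packages can sit one edit away from a popular one.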

C.J. and her team are continuing to look for ways to accelerate CI testing by accelerating the registry for testing.
