Oh Node!

JavaScript security issues loom over Node.js

Lucy Carey
argh

Developers on urged to be aware of potential issues from client-side cousin.

 

First up, if you’re using the hugely popular
Node.js, don’t panic, we’re not here to deliver a bleak prophecy of
Java-applet scale plagues. In fact, Node.js itself is pretty
watertight. Its JavaScript core however is another story. Prompted
by a few recent

issues
,
security experts
have advised Node.js users
to follow JavaScripters and up their defenses.

A critical tool at places like PayPal and
Wal-Mart, the  speedy, scalable server-side JavaScript
platform also plays a role in helping to ensure the security of
financial transactions and various other kinds of enterprise client
data. Although immensely helpful, the innate characteristics of the
Node.js platform and server side JavaScript also make them
particularly vulnerable to attack.

According to Adam Baldwin, chief security
officer at security consulting firm Lift Security, whilst key
issues are rooted in Node’s JavaScript core, “the execution context
of V8, the JavaScript engine Node uses, is entirely different than
a browser because it executes on the server. That difference adds
some unique surface area [for attacks].”

Mark Stuart, a senior UI engineer at PayPal,
chimes in that  developers should ensure they are using
reliable security defaults and scanning modules, warning that,
 ”Node is still JavaScript, so eval and all the terrible
things on the client side still exist on the server
side.”

Baldwin is an expert in all things relating to
Node security, heading up
Node Security Project
around his daily role. The key goal of this initiative is to
eventually audit every single module in npm. In addition to this
impressive target, the project wants to provide advisories, issues
and pull requests so modules get fixed, as well as  a public
API and DB of audit results.

Although still in its infancy, overall, the project
appears to be a welcome addition to the youthful Node-iverse.
Ultimately, Baldwin and his team hope that the project will not
only help improve the security of the Node landscape on a technical
level, but also bolster confidence among developers and enterprises
about the state of security in Node.js.

Author
Comments
comments powered by Disqus