Node+JS Interactive - October 10-12 - Vancouver, BC

Security
Wednesday, October 10
 

11:00am

Passwords Are Dead, Long Live Passwords! - Alejandro Oviedo
Passwords have been used as the main method of authentication since the WWW was born. Their biggest flaw is that their effectiveness depends on their entropy, and humans are a bad source of entropy. Progress has been made, as multiple authentication factors are now increasingly common. This talk is about the Web Authentication API that is being worked on, how it fits into the current ecosystem of web apps, and why it's important for users.

Speakers
Alejandro Oviedo

Senior Platform Engineer, Beamery
Alejandro is a developer who loves learning new things. He is passionate about education, electronics, Open Source, and community-driven events.



Wednesday October 10, 2018 11:00am - 11:30am
West Ballroom B
 
Thursday, October 11
 

2:00pm

Panel: Building a Secure Ecosystem for Node.js - Moderated by Liran Tal, Nielsen
Over the last year, the Node.js security working group has been working to build trust and make the ecosystem safer through a number of initiatives. During this panel discussion, members of the working group, security researchers, and companies deploying Node.js will discuss some of the key challenges and progress to make the Node.js platform and ecosystem safer. We’ll cover it all including security reporting, internal triaging processes, CVE assignment, and current and future initiatives to strengthen security measures in the ecosystem.

Moderators
Liran Tal

Developer Advocate, Snyk
Liran Tal is a Developer Advocate at Snyk and a member of the Node.js Security working group. He is a JSHeroes ambassador, passionate about building communities and the open source movement and greatly enjoys pizza, wine, web technologies, and CLIs. Liran is also the author of Essential...

Speakers
Michael Dawson

IBM Community Lead for Node.js, IBM
Michael Dawson is an active contributor to the Node.js project and chair of the Node.js Technical Steering Committee (TSC). He contributes to a broad range of community efforts including platform support, build infrastructure, N-API, Release, as well as tools to help the community...
Stephanie Evans

Content Manager for Back-end Web Development, LinkedIn
Stephanie Evans is the Content Manager for Back-end Web Development at LinkedIn Learning/Lynda.com, where she oversees Node.js courses that range from helping developers build their first server to testing, securing, deploying, and maintaining Node apps. She’s worked in education...
Vladimir de Turckheim

Software Engineer, Sqreen
V. works as a software engineer at Sqreen where he builds a tool to secure web applications. He used to be a professional security auditor and a web developer in agencies. He is one of the most active members of the Node.js Security Working Group where he handles the security...


Thursday October 11, 2018 2:00pm - 2:30pm
West Ballroom B

2:40pm

Building a Threat Model & How npm Fits Into It - Adam Baldwin, npm
Who might want to attack your application? If they tried, how would they succeed? Answering these questions is an important exercise that helps you understand how to keep your application secure, so you can sleep at night.

In this talk, Adam will teach you what threat modeling is and how to build threat models for your organization and applications. Because npm is such a critical part of how your developers build JavaScript applications, Adam will show you how npm fits into your threat model and how to use npm's tools to keep your JavaScript secure.

Speakers
Adam Baldwin

VP of Security, npm
Adam Baldwin is VP of Security at npm Inc., the company that powers the world’s JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking...


Thursday October 11, 2018 2:40pm - 3:10pm
West Ballroom B
  • Experience Level: Any

3:20pm

Node.js Applicative DoS Through MongoDB Injection - Vladimir de Turckheim, Sqreen
Applicative Denial of Service is mostly known through regular-expression abuse. Most people do not know that applicative DoS can also be exploited through other means. In this talk, we will see how a malicious user can obtain a MongoDB injection and use it to prevent an application from responding.

Intro: Applicative DoS
I. From SQL injections to NoSQL injections
II. Exploiting a NoSQL injection to obtain a DoS
III. Protecting an application from MongoDB applicative DoS

When speaking about security in the Node.js world, most efforts have gone toward the choice of packages. However, most security issues do not come from third-party modules but from their misuse.

This talk aims at showing how fragile an application can be and how one should protect it.

Speakers
Vladimir de Turckheim

Software Engineer, Sqreen
V. works as a software engineer at Sqreen where he builds a tool to secure web applications. He used to be a professional security auditor and a web developer in agencies. He is one of the most active members of the Node.js Security Working Group where he handles the security...



Thursday October 11, 2018 3:20pm - 3:50pm
West Ballroom B