Nodebestpractices: Security best practices - kicking off

Created on 29 Jan 2018  Β·  77Comments  Β·  Source: goldbergyoni/nodebestpractices

@BrunoScheufler @lirantal

I'm excited to Kick-off the security best practices section. Our goal is to reach a 20+ bullets security checklist that is highly comprehensive and curated. We work on this branch that already contains 14 titles

I suggest the following workflow:

A. TOC first: Write the bullets title – each can add, remark on the titles themselves until we reach a comprehensive list that is MECE (mutually exclusive and collaboratively exhausting). Note that going by our content guidelines we don’t include general security principle that can be found easily in many articles – we focus on bullets that can be correlated directly to Node. Generic security advice are grouped under a single bullet

B. Finalize the bibliography – gather a list of 5-10 great sources that explain the topics. This is needed to quote articles and include nice visuals. Liran’s book is, of course, a great candidate as a primary source for great content

@Liran – we shall soon add a bibliography section to the repo, your book can appear there if you will

C. Write the content (inner pages) – assign topics to write, each writes as many topics that he can (0-20 😊)

D. Language proof – Bruno will revise the content grammar and the overall lexical quality

E. Promotion – publish as medium/hacker-noon article, SEO tricks, send to Node weekly, Node Twitter, reddit and many other techniques we constantly use successfully

How does this plan sounds like?

new best practice

Most helpful comment

I wish I could further help guys but looks like it's going to be a bit busy in the next couple of months.
I won't be able to pick up items to review but if there are specific items/questions that need addressing I'd love to help.

All 77 comments

@i0natan awesome stuff! I'll have a look at it tomorrow and will also select some points to work on the TL;DRs and content, if nobody has picked their bullet points until then πŸ‘

Sounds great, thanks for reaching out @i0natan. I'll probably get around to it tomorrow evening.

@BrunoScheufler looking forward to working together on this.

@BrunoScheufler let's take the discussion about the actual content/title in #33 and leave this thread for high-level status/roadmap plan.

@lirantal @BrunoScheufler

I think we're almost done with A, right?

How about adding 2-3 more bullets (marketing-wise, 20+ is important), we can scratch our heads to find few more, and in the interim collaborate on B. Then in few days, we can be ready for phase C (writing the content). What do you think?

@i0natan it seems we slightly mixed up some of the points (in a good way) but nonetheless it's getting closer to what we expect from the section, I think the next step might be revising and adding content where needed and also searching resources to share with the topics.

Great progress indeed!

@BrunoScheufler maybe you want to handle B with some research?
@i0natan regarding C and the content, it's a bit tricky for me specifically since most if it is in the book, but of course the information itself is out there and not a secret. How about it if I re-use some level of contents and examples from the book and would link to it in the different sections?

@lirantal I'd be happy to do the research and gather some resources!

@BrunoScheufler let's have a thread/issue with security resources, then we can pick the Top X

@lirantal my only concern is keeping the same formatting and principles, can we try 1 bullet to see how it looks like? note that the pages have a format for quoting resources and it includes a link to the source

anyway, will put a bold link to your book + I meant to write myself more than few bullets (if needed)

https://github.com/i0natan/nodebestpractices/blob/master/writing-guidelines.md

@i0natan I'll open an issue for the resources myself later, will look for resources specifically matching our bullets and maybe some general resources for web application security

@i0natan formatting is ok, I meant about content being same/very similar to content from the book. See this: https://github.com/i0natan/nodebestpractices/pull/137

@lirantal got it. I think it looks good and serve our purposes well

I'm gonna be somewhat busy for the near-term (couple of weeks) so will try to be responsive as possible but probably won't be able to invest a lot of work into the documentation of things, or will be delayed until weekends and such. I think we're good on the overall bullet list, and the read more sections can be based off of my book if we're good with that or other resources that you guys come up with.

@BrunoScheufler I dropped a link to a free copy of the book in your e-mail inbox so you can use that to update the relevant sections if you wish, or just read it before bed, good stuff there πŸ˜„

@lirantal oh that's why I got the book :smile: thanks for your great work over all, I'll look into reading the book to find additional content options! :+1:

Oh gotcha! Apologies for not thinking about it sooner :-)

@lirantal

I'm gonna be somewhat busy for the near-term

Cool & good luck, I suggest whenever you have that short time in the next week, focus on A&B (finalizing the bullets list, we need 2-3 more and deciding on the final resources). Try to think what Node-related items we can add to reach 21 items + what are the canocial resources that should drive our writing

Afterward, we can all take the writing very slowly. Maybe even Bruno & I can write most of it

don't worry, I'm not going anywhere, just less active for a short bit :-)
will focus on A&B as suggested πŸ‘

thanks guys, this is really progressing well!

@i0natan we can share the state of the section here, think of additional points and content together and work on it!

I have an idea to contribute to this section - what is the best way to go about this? PR?

@js-kyle just for the repo, checkout locally the security-best-practices branch and send a PR to merge to this repo of the same branch

@lirantal Awesome, thanks

@lirantal @BrunoScheufler @js-kyle

Just a heads-up: We now have a resources list and finalized our bullets list. I want to re-arrange the list (priority) and slightly adjust the titles to be more node-related. I'll do that by Thursday.

Then, we can start writing the inner pages based on the resources. You may start thinking which topics you wanna right. We can assign 2-3 weeks for the writing phase so no rush and you can pick how many you like (1-10)

Cool, I will pick some once you've sorted out the priority ordering

Hey all

I've got some spare time now so I am keen to get started on a couple of these - not sure if the priority order is set yet, however, first up I am keen to take:

  • Hide 'X-Powered-By' Express/Koa/etc headers
  • Protect your application endpoints using security-related headers
  • Limit concurrent requests using rate limiting balancer or a middleware

After that I'll check in on how we're going and grab some more depending on progress. Let me know if there are any problem with this!

Super!
I think we have some contents for the security headers text already in-place, but still maybe worth going through it and closing it.

@js-kyle awesome, but I have already worked on the secure headers point, although you might find something to add! πŸ˜„

@lirantal @BrunoScheufler @js-kyle

Only now I found the time to sort the list and adjust the titles. It's done, let me know what you think.

Let's all pick items to write about?

Please read the writing-guidelines to keep a consistent content style.

2 more thoughts:

  1. Prefer the reading experience over the tech details. Make it pleasant to read: provide examples, anecdotes, diagrams, etc. Use short sentences and clear ideas. Drop details that are hard to explain
  2. I would avoid specifying non-famous NPM packages on the tldr part to avoid subjective/flammable/debatable content in the opening part (not including Express, passport, etc).

Based on those changes, I'm keen to take the below first up:

6.2. Limit concurrent requests using a balancer or a middleware
6.7. Constantly and automatlically inspect for vulnerable dependencies
6.20. Hide error details from client (e.g. default Express behaviour)

@js-kyle cool. you may share the first for feedback before writing the rest. your call.

I'll wait for @lirantal and @BrunoScheufler to pick few then I'll take the rest (will need probably 3 weeks to accomplish my part)

If it's fine, I'd keep and update 6.5 (Common security best practices), 6.6 (Secure headers) and in addition to those pick 6.14 (Limit request payload size). Maybe I'll select another one too, but that'll be the first batch for me!

I'm good with any topic. So which titles does it leave me with?

@lirantal oppss, missed your message, I suggest you pick any topic/s, I'll do some other, just let me know which are your preferred?

@lirantal @BrunoScheufler @js-kyle - let's each write 2-3 items and then will get in sync and plan the rest? can we do it by Match 25th?

@i0natan that should work out. Will report back when I've got progress up πŸ‘

Hey all, I've checked in a PR to get some feedback early on, https://github.com/i0natan/nodebestpractices/pull/153

This is for 6.7. Constantly and automatically inspect for vulnerable dependencies

Thanks for the comment @BrunoScheufler, and @i0natan your comments make sense too, so i'll address those ones before this one gets moved along. Cheers!

I've addressed those comments, and added a new PR. Keen to merge that to the working branch once that has had another look over it πŸ‘

@js-kyle will have a look at it!

Which bullets have you guys self assigned? I'm interested to look at 6.11 if no-one else has started this

@js-kyle I've got 6.5, 6.6 and 6.14 assigned

I'm starting on Thursday and will take any bullet that you didn't. Just plz share here which bullets you handle to avoid duplications @js-kyle @BrunoScheufler

Will take up the points and start working as of tomorrow and the next days.

I wish I could further help guys but looks like it's going to be a bit busy in the next couple of months.
I won't be able to pick up items to review but if there are specific items/questions that need addressing I'd love to help.

slight delay on my part but absolutely plan to start writing in the next few days

Going to pick up 6.11 & 6.17 today

Submitted another PR for a review - 6.11, 6.15, 6.17.

6.17 is a bit light, keen to add a link to another blog but couldn't find any good articles for that bullet

@js-kyle awesome!

I'll be picking up work with my points again today if everything works out, due to being ill the last few days.

@js-kyle @BrunoScheufler

I'm doing 6.10 (validation) and 6.13 (avoid root) now. Noneone is writing this now, right?

I suggest everyone aim to pick some bullet will notify in advance

@lirantal @js-kyle @BrunoScheufler

Thoughts for new best practices:

Really interested to see Burp Suite!

Agree on DNS rebinding, unless we decide to add it as a smaller clause to bullet 5.3, but it could also warrant it's own article as part of this section

Yeah also not sure if DNS rebinding worth its own bullet.

Hacking tool benchmarks (Burp Suite) seems interesting enough

Going to pick up 6.8 in the next couple of days.

We're making some good progress here!

@js-kyle absolutely!

@lirantal do u suggest adding warning about "vulnerabilities like XSS, Parameter Pollutions" to 6.9 (sanitization) or 6.10 (validation)?

I think they should be added to both in the order you listed them (i.e: xss to 6.9 and pp to 6.10)

@js-kyle @BrunoScheufler

sharing heads-up - I blocked the time this week to write 6.13 and next week 6.18

@i0natan awesome, I'll look into formulating some guidelines for our code sections, not too strict but a basic direction we should head to: modern, readable code.

Hi, I found this repo and this tutorial. I would like you to consider them for this section.

@talentedandrew welcome and thank you. can u help us skim through the content and suggest specific bullets/ideas or where exactly where you position this tool?

@js-kyle @BrunoScheufler My next bullet is 6.18. Which items u plan to cover soon? happen to know how many left?

@i0natan I'd need to have an overview on who is currently working on which bullet. So you're choosing 6.18, I don't think any other bullet is currently being worked on, is there?

Happy to take on a couple more bullets. I'll post here once I decide on which one

@i0natan thanks for considering it. I find almost everything listed here important. If you want me to list some, here are a few that I think should be included
-1. Server Side JS Injection
-2.SQL and NoSQL Injection
-3.Log Injection
-4.Session Management
-4.1 Session timeout and protecting cookies in transit
-4.2 Session hijacking
-5.XSS Attacks
-6.Security Misconfiguration
-7.Sensitive Data Exposure
-8.Cross-Site Request Forgery (CSRF)
-9.Unvalidated Redirects and Forwards

@talentedandrew absolutely looks like a resource worth quoting from. Do you want to suggest/PR practically new bullet or quotes to existing security bullets?

@js-kyle @BrunoScheufler I suggest you just pick 2 items, I'd declare 2 items and then we can do the math - how many left? :)

From what I can tell, this is what we have remaining:

Currently being worked on:
6.9. Use middleware that sanitizes input and output - @i0natan
6.18. Run unsafe code in a sandbox - @i0natan

6.3 Extract secrets from config files or use NPM package that encrypts them - @js-kyle
6.12. Avoid using middlewares that crash the process - @js-kyle

6.4. Prevent SQL/noSQL injection with ORM/ODM or any other DAL packages - @BrunoScheufler
6.19. Take extra care when working with child processes - @BrunoScheufler

First of all, thanks @js-kyle for creating the current state overview!

@i0natan
I might as well work on 6.4 and/or 6.19!

@js-kyle great list. I'll pick 6.9 as well

Awesome, I updated the above list for current state, so all are now assigned.

Aiming to submit mine for feedback in the next few days

@js-kyle @BrunoScheufler Just an heads-up - we've some holiday here, I'll be back on Monday and write my next 2 in a week.

2 thoughts:

  1. Can we check if we cover all WASP 10 top threats? if yes, we may add some badge to the start of the security section
  2. Who's handling the generic list? I've an Excel list with 50 security best practices, we might copy from there many items. Then we can publish the article as "23 Node.js security practices (+20 generic security advice)

Both sound good to me!

@js-kyle @BrunoScheufler Hello from the middle east. Hope everything is cool.

Just finished the 'sandbox' bullet. What's the status on your end?

I suggest releasing this list in the beginning of July, does this work for you? what do you think about releasing this in medium.com, only the title+otherwise, links for "Read more" refers to the repo here. This way, it looks like a brand new post and not as an update to an existing repo (might gain more traction)

Beginning of July seems like a good target to me - I'm still working on my two remaining bullets.

As for the Medium article, that sounds good, I am guessing that will be paired with Reddit and Twitter posts?

@js-kyle Sure, Reddit + Twitter + NodeWeekly + Node official Twitter + FB groups and more

@BrunoScheufler Can you handle your items by the beginning of July or you want to forward some?

@i0natan I'll work on these items this week, I think I'll get done by then!

I'm starting on 6.12. Avoid using middlewares that crash the process

I might need some advice on direction for this one - I was going to mention validating/parsing input here but that is already covered as part of 6.10. Validate the incoming JSON - what was intended for this one?

Lastly, are there any objections to me removing bullet 4.4, as this is more appropriately covered with new bullet number 6.7 as part of the new security section? We could possibly do that as the last thing before merging otherwise all our notes here will get out of sync with losing a bullet number

@js-kyle Howdy!

6.12 seems indeed redundent, maybe you can convert it into "Prevent brute forcing your single threaded login routes" which is about limiting the number of allowed login/forgot password per username

See #186

About 4.4 - Not sure we should... Are the parts mutually exclusive or each is stand alone? what if someone is reading our testing practices only (e.g. setting his CI now) but don't have time to read the security section? Maybe link from item to item? not sure

@i0natan Cool, I have added that into my current working branch which includes the secret management work (PR #178 ), feel free to take a look.

I just need to address the comments on that one about using a vault, then I think that is all my points addresses, unless we have more things to tidy on this section :)

@js-kyle What's your telegram uname? I'd like to open a chat for collaborative planning of the security finalization

@i0natan just created one as js_kyle

Was this page helpful?
0 / 5 - 0 ratings

Related issues

noway picture noway  Β·  3Comments

jfgabriel picture jfgabriel  Β·  4Comments

MIKOLAJW197 picture MIKOLAJW197  Β·  4Comments

ryan3E0 picture ryan3E0  Β·  3Comments

goldbergyoni picture goldbergyoni  Β·  4Comments