There is a lot of documentation on how to use the frameworks, but there isn’t much literature yet about how to use them securely. Some good resources exist for tracking security issues and fixes, such as Node Security Project, but there isn’t yet a large body of secure development standards and guidelines, as there is for more mature languages like Java and .Net.
One reason there aren’t many really good tools is the third reason: the complex dependencies between frameworks. Although they are open source and all of the source code is on GitHub, when one framework is built on top of another and also uses multiple middleware components, which in turn use other libraries and packages, we are bound to get vulnerabilities such as the zero-day in Socket.IO’s dependency on Node.js.
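The chains of dependencies described above are recorded in an npm lockfile, so a defender can enumerate them rather than guess. The script below is an added example, not code from this article or from any of the projects it mentions: it walks the `packages` map of a constructed `package-lock.json` (lockfileVersion 2/3 layout), resolves each dependency the way npm does (nearest `node_modules` first, then up toward the root), records the chain from the application to every installed package, and cross-checks each resolved version against a small advisory list. The package names (`web-framework`, `http-middleware`, `parser-util`, `realtime-lib`), versions and the advisory id `EXAMPLE-0001` are all constructed for illustration.

```javascript
// Added example (not from the article): enumerate transitive dependencies in a
// package-lock.json "packages" map and flag versions matching an advisory list.
// The lockfile and the advisory entry below are constructed for illustration.

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "realtime-lib": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.4.2", dependencies: { "http-middleware": "^3.0.0" } },
    "node_modules/http-middleware": { version: "3.1.0", dependencies: { "parser-util": "^0.9.0" } },
    "node_modules/parser-util": { version: "0.9.1" },
    "node_modules/realtime-lib": { version: "2.3.0", dependencies: { "parser-util": "^1.0.0" } },
    // realtime-lib needs a newer parser-util, so npm nests a second copy under it
    "node_modules/realtime-lib/node_modules/parser-util": { version: "1.2.0" },
  },
};

// Constructed advisory list: { id, name, affected(version) -> boolean }
const advisories = [
  { id: "EXAMPLE-0001", name: "parser-util", affected: (v) => compareVersions(v, "1.0.0") < 0 },
];

// Minimal major.minor.patch comparison (no prerelease or build metadata handling)
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// npm-style resolution: look for node_modules/<dep> beneath the requiring
// package's own path, then walk up one node_modules level at a time to the root.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed anywhere on the path
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the application root (key ""), recording the chain of
// package names that first reaches each installed path.
// Returns [{ path, name, version, chain }], plus entries with missing: true
// for dependencies the lockfile does not actually contain.
function walkDependencies(lock) {
  const packages = lock.packages;
  const seen = new Set();
  const out = [];
  function visit(path, chain) {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const nextChain = [...chain, dep];
      const target = resolve(packages, path, dep);
      if (!target) {
        out.push({ path: null, name: dep, version: null, chain: nextChain, missing: true });
        continue;
      }
      if (seen.has(target)) continue; // same installed copy already reported
      seen.add(target);
      out.push({ path: target, name: dep, version: packages[target].version, chain: nextChain });
      visit(target, nextChain);
    }
  }
  visit("", []);
  return out;
}

// Match every resolved package against the advisory list; the chain shows
// which top-level framework pulled the affected version in.
function audit(lock, advisoryList) {
  return walkDependencies(lock)
    .filter((d) => !d.missing)
    .flatMap((d) =>
      advisoryList
        .filter((a) => a.name === d.name && a.affected(d.version))
        .map((a) => ({ advisory: a.id, package: d.name, version: d.version, chain: d.chain.join(" > ") }))
    );
}

console.log(JSON.stringify(audit(lockfile, advisories), null, 2));
```

Run with `node`; on the constructed lockfile the only finding is `parser-util@0.9.1` reached through `web-framework > http-middleware > parser-util`, while the nested `parser-util@1.2.0` under `realtime-lib` is clean. The chain is the useful part for a defender: it says which direct dependency to upgrade or pin, which an alphabetical list of vulnerable package names does not.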
Ksenia Peguero is a senior research manager at Synopsys, where she manages the R&D team for the Rapid Scan Static engine, the next-gen approach to SAST. Her research expertise ranges from the security of the web stack, to mobile languages, to cloud environments and infrastructure as code. Before diving into research and engineering, Ksenia had a consulting career in a variety of application security practices, including penetration testing, threat modeling, code review, and static analysis tool design, customization, and deployment. During her decade in application security, Ksenia has established and evolved secure coding guidance and practices for many firms, developed and delivered numerous software security trainings, and presented at conferences around the world, such as RSA and OWASP AppSec Global. Ksenia holds a Ph.D. in Computer Science from George Washington University.