Posted by Ksenia Dmitrieva on May 3, 2016
There is a lot of documentation on how to use these frameworks, but not much yet on how to use them securely. Good resources exist for tracking known security issues and their fixes, such as the Node Security Project, but there is no broad body of secure development standards and guidelines comparable to what exists for more mature platforms like Java and .NET.
One of the reasons there are so few really good tools is the third reason: the complex dependencies between frameworks. Although the frameworks are open source and all of the source code is on GitHub, when one framework is built on top of another, pulls in multiple middleware components, and those in turn depend on further libraries and packages, vulnerabilities are bound to surface, such as the zero-day in a Socket.io dependency on Node.js.
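To make the dependency problem concrete, here is an added example (not code from the original post or from any of the frameworks mentioned) that walks a package-lock.json style nested dependency tree and reports every install path by which a package with a known advisory reaches the application. The lockfile, the advisory list, the package names, versions and advisory ID are all constructed for illustration; only the nested lockfileVersion 1 shape (entries with "version", "requires" and a child "dependencies" map) matches a real file.

```javascript
// Added example, not code from the original post: walk a package-lock.json
// style dependency tree and report every path by which a package with a
// known advisory reaches the application. The lockfile and the advisory list
// are constructed for illustration; package names, versions and advisory IDs
// are hypothetical.

// Constructed lockfile in the nested (lockfileVersion 1) shape: each entry
// carries a "version", the ranges it "requires", and any copies installed
// beneath it under "dependencies".
const lockfile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "web-framework": {
      version: "4.1.0",
      requires: { "body-middleware": "^1.2.0" },
      dependencies: {
        "body-middleware": {
          version: "1.2.3",
          requires: { "type-guess": "~0.9.0" },
          dependencies: {
            "type-guess": { version: "0.9.1" }
          }
        }
      }
    },
    "realtime-sockets": {
      version: "2.0.0",
      requires: { "type-guess": "~0.9.0" },
      dependencies: {
        "type-guess": { version: "0.9.4" }
      }
    }
  }
};

// Constructed advisory list: package name -> versions below "fixedIn" are affected.
const advisories = {
  "type-guess": [{ id: "EXAMPLE-2016-0001", fixedIn: "0.9.3" }]
};

// Compare dotted numeric versions, returning -1, 0 or 1. Pre-release tags
// are deliberately not handled to keep the example self-contained.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return the advisory IDs that apply to name@version (empty array if none).
function matchingAdvisories(name, version) {
  return (advisories[name] || [])
    .filter((adv) => compareVersions(version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
}

// Depth-first walk over the nested tree, recording the install path of every
// affected copy. A package that only appears three levels down is still code
// the application runs.
function walk(deps, path, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${meta.version}`];
    const ids = matchingAdvisories(name, meta.version);
    if (ids.length > 0) {
      out.push({ name, version: meta.version, depth: here.length, path: here.join(" > "), advisories: ids });
    }
    walk(meta.dependencies, here, out);
  }
  return out;
}

function findVulnerablePaths(lock) {
  return walk(lock.dependencies, [], []);
}

// List the distinct versions of each package that are installed anywhere in
// the tree: the same library at two versions means two places to check.
function installedVersions(lock) {
  const seen = {};
  (function collect(deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      (seen[name] = seen[name] || new Set()).add(meta.version);
      collect(meta.dependencies);
    }
  })(lock.dependencies);
  const out = {};
  for (const [name, versions] of Object.entries(seen)) out[name] = [...versions].sort(compareVersions);
  return out;
}

for (const hit of findVulnerablePaths(lockfile)) {
  console.log(`${hit.advisories.join(",")}: ${hit.path} (depth ${hit.depth})`);
}
```

On the constructed tree the only affected copy is the type-guess@0.9.1 nested under body-middleware under web-framework, while the 0.9.4 copy that realtime-sockets installs is clean. Neither copy is listed in the application's own package.json, which is exactly why a scan limited to direct dependencies misses it.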
This one-day training not only discusses common vulnerabilities in Node.js, Express.js, and AngularJS, but also provides hands-on labs in which attendees learn defensive programming practices for these frameworks. Attendees will analyze the security posture of HTML5 technologies such as cross-origin resource sharing (CORS), Content Security Policy (CSP), Web Messaging, and Web Storage: how each adds to the attack surface of a web application, and how to use them securely. After a full day of training, attendees will walk out with hands-on security knowledge that is not found on Stack Overflow or in the frameworks' documentation pages.