Posted by Ksenia Peguero on May 3, 2016
There is a lot of documentation on how to use the frameworks, but there isn’t much literature yet about how to use them securely. Some good resources exist for tracking security issues and fixes, such as the Node Security Project, but there is no large body of security development standards and guidelines, as there is for more mature languages like Java and .NET.
One of the reasons there aren’t many really good tools is the third reason: the complex dependencies between frameworks. Although they are open source and all of the source code is on GitHub, when one framework is built on top of another and also uses multiple middleware components, which in turn use other libraries and packages, we are bound to get vulnerabilities such as the zero-day in Socket.io’s dependency on Node.js.
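As an added illustration of that dependency tangle (example code, not from the original post): the function below walks a constructed package-lock-style tree the way Node's nested node_modules resolution does and reports every path by which a named package is reached, including a second, differently versioned copy nested under one middleware package. All package names and versions are placeholders, not real packages or advisories.

```javascript
// Constructed lockfile data, shaped like package-lock.json v1:
// dependencies -> { name: { version, requires: {dep: range}, dependencies: {nested} } }.
// A nested "dependencies" entry is a private copy installed under that package
// because its required range differs from the hoisted root copy.
const lockfile = {
  dependencies: {
    "web-framework": {            // placeholder top-level framework
      version: "1.0.0",
      requires: { "body-parser-ish": "^2.0.0", "realtime-lib": "^3.0.0" },
    },
    "body-parser-ish": { version: "2.1.0", requires: { "raw-parser": "^1.0.0" } },
    "realtime-lib": {
      version: "3.4.0",
      requires: { "raw-parser": "^0.9.0" },
      dependencies: { "raw-parser": { version: "0.9.2" } }, // nested second copy
    },
    "raw-parser": { version: "1.2.0" },                      // hoisted root copy
  },
};
// What the application itself declares (constructed package.json).
const directDependencies = ["web-framework"];

// Return every dependency path (as "name@version" labels) from a direct
// dependency down to `target`, resolving each require like Node does:
// innermost nested node_modules first, then each enclosing scope up to root.
function findPaths(lock, direct, target) {
  const found = [];
  const visit = (name, scopes, path, seen) => {
    let pkg = null, scopeIdx = -1;
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i][name]) { pkg = scopes[i][name]; scopeIdx = i; break; }
    }
    if (!pkg || seen.has(name)) return;          // not installed, or a cycle
    const next = path.concat(`${name}@${pkg.version}`);
    if (name === target) { found.push(next); return; }
    // Children see the scopes that were visible where this package resolved,
    // plus this package's own nested dependencies.
    const childScopes = scopes.slice(0, scopeIdx + 1).concat([pkg.dependencies || {}]);
    const childSeen = new Set(seen).add(name);
    for (const dep of Object.keys(pkg.requires || {})) visit(dep, childScopes, next, childSeen);
  };
  for (const top of direct) visit(top, [lock.dependencies], [], new Set());
  return found;
}

// Distinct versions of the target actually installed: more than one means a
// single upgrade will not fix every copy in the tree.
function installedVersions(paths) {
  return [...new Set(paths.map((p) => p[p.length - 1].split("@").pop()))].sort();
}
```

Running `findPaths(lockfile, directDependencies, "raw-parser")` shows the same package reached twice, once as the hoisted 1.2.0 and once as the 0.9.2 copy nested under realtime-lib.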