Security and You

Only you can prevent data breaches*

*in collaboration with your team

## Overview

- npm
- Application Security
- Beyond the FUD
# npm

- `event-stream` Hijacking
- `cross-env` Typosquatting
- What to do about it?
## `event-stream` Hijacking

https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/

Go here: https://www.npmjs.com/package/event-stream
## Timeline

- Sept 2018: Dominic Tarr grants `right9ctrl` publish rights to `event-stream`
- Sept 9, 2018: `flatmap-stream@^0.1.0` is added as a dependency in `event-stream@3.3.6`
- Oct 5, 2018: `flatmap-stream@0.1.1` is published
- Nov 20, 2018: FallingSnow [opens an issue about the malicious code](https://github.com/dominictarr/event-stream/issues/116), 46 days later
## Semver / Abuse Details

```
// event-stream 3.3.6 package.json
{
  ...
  "dependencies": {
    "flatmap-stream": "^0.1.0"
  }
}
```

`^0.1.0` means "any `0.1.x` at or above `0.1.0`", so it matches `flatmap-stream@0.1.0` on the day it is added, and `flatmap-stream@0.1.1` the moment that is published.

`flatmap-stream@0.1.1` is published with the malicious code. Every fresh install of `event-stream@3.3.6` now pulls it in, with no change to `event-stream` itself and nothing new to review in its `package.json`.
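To make the caret rule concrete, here is an added example (not code from the talk or from npm) that implements the `^` range semantics for plain `x.y.z` versions and resolves the highest published version the way npm would. The registry states are constructed; prerelease tags and other range operators are deliberately out of scope.

```typescript
// Added example: npm's caret (^) range and why a new patch release is picked
// up without any change to the depending package. Handles plain x.y.z only.
type Version = [number, number, number];

function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Caret rule: allow changes that do not modify the left-most non-zero component.
// ^1.2.3 => >=1.2.3 <2.0.0, ^0.1.0 => >=0.1.0 <0.2.0, ^0.0.3 => >=0.0.3 <0.0.4
function caretUpperBound(base: Version): Version {
  const [major, minor, patch] = base;
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function caretSatisfies(range: string, version: string): boolean {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled: ${range}`);
  const base = parseVersion(range.slice(1));
  const upper = caretUpperBound(base);
  const v = parseVersion(version);
  return compareVersions(v, base) >= 0 && compareVersions(v, upper) < 0;
}

// npm installs the highest published version that satisfies the range.
function resolve(range: string, published: string[]): string | null {
  const matching = published.filter((v) => caretSatisfies(range, v));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed registry states: before and after the malicious publish.
const REGISTRY_BEFORE = ["0.1.0"];
const REGISTRY_AFTER = ["0.1.0", "0.1.1"];

console.log(resolve("^0.1.0", REGISTRY_BEFORE)); // 0.1.0
console.log(resolve("^0.1.0", REGISTRY_AFTER));  // 0.1.1, pulled in with no package.json change
console.log(caretSatisfies("^0.1.0", "0.2.0"));  // false: a minor bump would have been excluded
```

The last line is the part worth remembering in review: the attacker chose a patch release precisely because the existing range admitted it. A lockfile pins the resolved version, so a committed `package-lock.json` is what turns "whatever matches today" into "what we reviewed".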
## What did it do?

- Looked for the project it was after, `copay-dash`, by checking the top-level package's description, which doubled as the key for decrypting the next stage
- Injected itself when a build script matching `/build\:.*\-release/` was run
- Ran inside the built wallet app on users' phones and stole their bitcoin wallet keys
## How was it found?

The malicious code used a deprecated Node.js API, [crypto.createCipher](https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options). Projects that depended on `event-stream` but never called `crypto` themselves started seeing the deprecation warning, and people began to investigate.
## How did this happen?

Basically, Dominic Tarr no longer wanted to maintain the project, so he handed it to someone who offered to. [Here's his statement on it](https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a).
## `cross-env` Typosquatting

https://snyk.io/vuln/npm:crossenv:20170802
## What happened?

The package `crossenv` was published. It provided all the functionality of `cross-env`, in the hope that people who mistyped the name wouldn't notice it was also stealing their credentials.
## What did it do?

- Sent every environment variable (which is where CI and deploy credentials usually live) to a remote server
- Used a `postinstall` script to do it, so the code ran automatically during `npm install`
## What to do about it?

- YAGNI: every dependency you don't add is one you don't have to vet
- Pay close attention to `package-lock.json` changes in review: new packages, version bumps, changed `resolved` URLs
- Disable lifecycle scripts by default: `npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`
- `snyk test` / `npm audit`
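The lockfile-review and `postinstall` points above can be made mechanical. The following is an added example, not code from the talk or from npm: it diffs the `packages` map of two `package-lock.json` files (lockfileVersion 2 or 3), reports what was added, removed or changed, flags new or changed packages that declare an install lifecycle script (the `hasInstallScript` field npm writes for exactly those packages), and flags anything resolved from somewhere other than the public registry. Both lockfiles are constructed; the `crossenv` version and the absence of integrity hashes are for the demonstration only.

```typescript
// Added example: review-time diff of two package-lock.json "packages" maps.
interface LockEntry {
  version?: string;
  resolved?: string;
  integrity?: string;
  hasInstallScript?: boolean; // set by npm when the package has (pre|post)install scripts
}
interface Lockfile {
  lockfileVersion: number;
  packages: Record<string, LockEntry>;
}
interface LockDiff {
  added: string[];
  removed: string[];
  changed: string[];
  runsInstallScripts: string[];
  offRegistry: string[];
}

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function diffLockfiles(oldLock: Lockfile, newLock: Lockfile): LockDiff {
  const result: LockDiff = { added: [], removed: [], changed: [], runsInstallScripts: [], offRegistry: [] };
  const names = Array.from(new Set(Object.keys(oldLock.packages).concat(Object.keys(newLock.packages))));
  for (const name of names) {
    if (name === "") continue; // "" is the root project itself
    const before: LockEntry | undefined = oldLock.packages[name];
    const after: LockEntry | undefined = newLock.packages[name];
    if (after === undefined) {
      result.removed.push(`${name}@${before === undefined ? "?" : before.version}`);
      continue;
    }
    const label = `${name}@${after.version}`;
    if (before === undefined) {
      result.added.push(label);
    } else if (before.version !== after.version || before.resolved !== after.resolved) {
      result.changed.push(`${name}: ${before.version} -> ${after.version}`);
    } else {
      continue; // unchanged: nothing new to look at
    }
    // Anything new or changed that runs code at install time deserves a close read.
    if (after.hasInstallScript) result.runsInstallScripts.push(label);
    if (after.resolved !== undefined && !after.resolved.startsWith(TRUSTED_REGISTRY)) {
      result.offRegistry.push(`${label} <- ${after.resolved}`);
    }
  }
  return result;
}

// Constructed lockfiles: a dependency bump that quietly brings in flatmap-stream,
// plus a typo'd crossenv that carries a postinstall script.
const OLD_LOCK: Lockfile = {
  lockfileVersion: 2,
  packages: {
    "": {},
    "node_modules/event-stream": { version: "3.3.4", resolved: "https://registry.npmjs.org/event-stream/-/event-stream-3.3.4.tgz" },
    "node_modules/through": { version: "2.3.8", resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz" },
  },
};
const NEW_LOCK: Lockfile = {
  lockfileVersion: 2,
  packages: {
    "": {},
    "node_modules/event-stream": { version: "3.3.6", resolved: "https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz" },
    "node_modules/through": { version: "2.3.8", resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz" },
    // flatmap-stream ran its payload at require time, not install time, so the
    // script flag alone would not have caught it; the "added" list is what does.
    "node_modules/flatmap-stream": { version: "0.1.1", resolved: "https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz" },
    "node_modules/crossenv": { version: "5.0.1", resolved: "https://registry.npmjs.org/crossenv/-/crossenv-5.0.1.tgz", hasInstallScript: true },
  },
};

console.log(JSON.stringify(diffLockfiles(OLD_LOCK, NEW_LOCK), null, 2));
```

In a real review you would feed it `git show HEAD~1:package-lock.json` and the working copy. The point of the separate `runsInstallScripts` list is that `--ignore-scripts` protects your own machine, but not the CI or deploy job that someone forgot to configure; knowing which packages want to run code at install time tells you where to look.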
## Application Security

- Headers
- Infrastructure
- OWASP Top 10
- Logging
## Headers

Boring but important.

https://nullsweep.com/http-security-headers-a-complete-guide/
## Content-Security-Policy

Defines:

- where resources may be loaded from
- how they may be loaded
- and whether they can be loaded at all

https://scotthelme.co.uk/content-security-policy-an-introduction/
## Access-Control-Allow-Origin / CORS

Defines which other origins a browser will allow to read responses from your site.

The default (no header at all) denies every cross-origin read, which is usually what you want. It mostly gets in the way during local development, when the front end and the API run on different ports.
## Strict-Transport-Security

Tells the browser that, for `max-age` seconds after it first sees the header, your website may only be loaded over HTTPS; plain-http links are upgraded before the request leaves the browser.
## Useful tools

- https://observatory.mozilla.org/ - Security ratings
- https://securityheaders.com/ - Same deal
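The hosted scanners above are convenient, but the checks they run are simple enough to keep in a test. Here is an added example, not code from the talk or from either tool, that parses a `Content-Security-Policy` value and a `Strict-Transport-Security` value out of a response header map and reports the weaknesses the slides above describe. The two header sets are constructed; the one-year `max-age` threshold is a common recommendation rather than a standard.

```typescript
// Added example: a minimal security-header linter over a captured header map.
type HeaderMap = Record<string, string>;

// Split "default-src 'self'; script-src 'self' cdn" into directive -> sources.
function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

const ONE_YEAR_SECONDS = 31536000;

function checkHeaders(headers: HeaderMap): string[] {
  const findings: string[] = [];
  const h: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("CSP: header missing");
  } else {
    const d = parseCsp(csp);
    if (!d.has("default-src")) findings.push("CSP: no default-src fallback");
    // script-src falls back to default-src when it is absent.
    const scriptSrc = d.get("script-src") ?? d.get("default-src") ?? [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP: script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("CSP: script-src allows 'unsafe-eval'");
    if (scriptSrc.includes("*")) findings.push("CSP: script-src allows any origin (*)");
    for (const src of scriptSrc) {
      if (src.startsWith("http:")) findings.push(`CSP: script-src allows plain-http source ${src}`);
    }
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS: header missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS: max-age ${maxAge} is under one year`);
    if (!/includesubdomains/i.test(hsts)) findings.push("HSTS: includeSubDomains not set");
  }

  if (h["access-control-allow-origin"] === "*") {
    findings.push("CORS: any origin may read this response; only acceptable for public data");
  }
  return findings;
}

// Constructed header sets: a weak configuration and a hardened one.
const WEAK_HEADERS: HeaderMap = {
  "Content-Security-Policy": "script-src * 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
};
const HARDENED_HEADERS: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid; object-src 'none'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
};

console.log(checkHeaders(WEAK_HEADERS));     // five findings
console.log(checkHeaders(HARDENED_HEADERS)); // []
```

Run it against the headers from `curl -sI` of your own site, and keep it in CI so a well-meaning "just add `'unsafe-inline'` to fix the widget" change shows up as a failing test rather than a surprise on the next scan.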
## Infrastructure Understand the environment in which your code will be deployed. It does not exist in a vacuum.
## Good questions

- What parts of the service are available publicly?
- How trustworthy are the inputs to the system?
- Can we easily cycle access keys if we need to?
- How sensitive is the data we store?
## OWASP Top 10

Not all of them apply to us, but those that do give a useful checklist of things to keep an eye out for when reviewing code. Managed services take care of some of them (platform patching, TLS, hardened defaults), but not the ones that live in our own code, such as injection and broken access control.
## Pop quiz

How many of them can we name?

https://www.cloudflare.com/learning/security/threats/owasp-top-10/
## Logging

Logging is great for debugging and a required practice when developing an application. Logging too liberally is what put plaintext passwords into internal logs at [Twitter](https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/), [Facebook](https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/), and [GitHub](https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/).
## Over-logging

```typescript
// Context and Logger stand in for whatever framework types the handler uses.
async function handler(context: Context, event: any) {
  const logger = new Logger();
  try {
    // Some code that errors
  } catch (e) {
    // Serialises the whole incoming event, headers, body and all, into the log line
    logger.error(`Request: ${JSON.stringify(event)}. Error: ${e}`);
  }
}
```

Depending on how confident we are about what is in `event` (request headers, cookies, form bodies), this may be logging far more than we want: it is exactly how the password exposures above happened.
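The fix is not to stop logging the request but to decide, in one place, what never reaches the log. The following is an added example, not code from the talk: a recursive redactor that masks well-known credential field names at any depth, truncates oversized strings so a whole file upload does not end up in the log, and a replacement for the `logger.error` line above that emits a structured record. The field-name list and the sample event are assumptions for the demonstration.

```typescript
// Added example: redact known-sensitive fields before an event reaches the log.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|authorization|cookie|set-cookie|api[-_]?key)$/i;
const MAX_STRING_LENGTH = 256; // assumption: long values are bodies or blobs, not useful in an error line
const MAX_DEPTH = 20;          // guards against pathological or cyclic input

function redact(value: unknown, depth = 0): unknown {
  if (depth > MAX_DEPTH) return "[depth limit]";
  if (typeof value === "string") {
    return value.length > MAX_STRING_LENGTH ? `${value.slice(0, MAX_STRING_LENGTH)}...[truncated]` : value;
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, v] of Object.entries(value as Record<string, unknown>)) {
      // Mask by key name regardless of where in the tree it appears.
      out[key] = SENSITIVE_KEYS.test(key) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through
}

// What the catch block should log instead of the raw event.
function safeErrorLine(event: unknown, err: unknown): string {
  const message = err instanceof Error ? `${err.name}: ${err.message}` : String(err);
  return JSON.stringify({ level: "error", request: redact(event), error: message });
}

// Constructed request event of the shape a login handler might receive.
const SAMPLE_EVENT = {
  path: "/login",
  headers: { authorization: "Bearer constructed-token-value", "user-agent": "curl/7.64.1" },
  body: { username: "alice", password: "hunter2" },
  tags: [{ apiKey: "constructed-api-key" }],
};

console.log(safeErrorLine(SAMPLE_EVENT, new Error("db down")));
// {"level":"error","request":{"path":"/login","headers":{"authorization":"[REDACTED]",...},"body":{"username":"alice","password":"[REDACTED]"},...},"error":"Error: db down"}
```

Masking by key name is a floor, not a ceiling: a field called `notes` that happens to contain a password still gets through, which is why the incidents above were found by people reading logs rather than by a filter. Treat the redactor as the default and add an allow-list of fields per handler where the log needs to be tighter.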
## Audits

Audit logs carry more context than application logs: who did what, to which resource, when, and from where. They allow you to reconstruct any action at any point in time, and they are a requirement in a SOC 2 / PCI DSS world.

[Average time to identify and contain a breach: 279 days](https://databreachcalculator.mybluemix.net/)
# Beyond the FUD

- Credentials
- Automation
- npm Improvements
- Collaboration

## Credentials

- Cycle them regularly
  - It's a pretty quick process
- Show off cycle-aws-creds
- Use role assumption
## Automation

We can automate a number of processes for security:

- Credential rotation
- Deactivate keys older than 90 days
- Service scans like `nmap` or [fuzzing](https://www.owasp.org/index.php/Fuzzing)
- Dependency vulnerability scans
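"Deactivate keys older than 90 days" is one line on a slide and one outage if done naively, because a service whose only key is deactivated stops working. Here is an added example, not code from the talk or from the cycle-aws-creds tool: it takes the JSON shape that `aws iam list-access-keys` returns, decides which stale keys are safe to deactivate (the user already has a fresh active key) and which need a rotation first, and emits the `aws iam update-access-key --status Inactive` commands for review instead of calling the API. The listing merges two users' output (the CLI returns one user per call); the key IDs are AWS's documentation placeholders or constructed, and the dates are constructed.

```typescript
// Added example: stale-key policy over `aws iam list-access-keys` output.
interface AccessKeyMetadata {
  UserName: string;
  AccessKeyId: string;
  Status: "Active" | "Inactive";
  CreateDate: string; // ISO 8601, as the CLI prints it
}
interface ListAccessKeysOutput {
  AccessKeyMetadata: AccessKeyMetadata[];
}
interface RotationPlan {
  deactivate: AccessKeyMetadata[];        // stale, and the user has a fresh key: safe to turn off
  needsRotationFirst: AccessKeyMetadata[]; // stale, but it is the user's only working key
}

const MAX_AGE_DAYS = 90;
const MS_PER_DAY = 86400000;

function keyAgeDays(key: AccessKeyMetadata, now: Date): number {
  return Math.floor((now.getTime() - new Date(key.CreateDate).getTime()) / MS_PER_DAY);
}

function planRotation(listing: ListAccessKeysOutput, now: Date, maxAgeDays = MAX_AGE_DAYS): RotationPlan {
  const plan: RotationPlan = { deactivate: [], needsRotationFirst: [] };
  const active = listing.AccessKeyMetadata.filter((k) => k.Status === "Active");
  for (const key of active) {
    if (keyAgeDays(key, now) <= maxAgeDays) continue;
    // Only deactivate a stale key when the same user already has a fresh active key;
    // otherwise deactivating it is an outage, not a rotation.
    const hasFreshKey = active.some(
      (other) => other.UserName === key.UserName && other.AccessKeyId !== key.AccessKeyId && keyAgeDays(other, now) <= maxAgeDays,
    );
    (hasFreshKey ? plan.deactivate : plan.needsRotationFirst).push(key);
  }
  return plan;
}

// Deactivate rather than delete: a mistake can be reversed with --status Active.
function deactivateCommands(keys: AccessKeyMetadata[]): string[] {
  return keys.map(
    (k) => `aws iam update-access-key --user-name ${k.UserName} --access-key-id ${k.AccessKeyId} --status Inactive`,
  );
}

// Constructed listing: alice has rotated (old + fresh key), bob has not.
const SAMPLE_LISTING: ListAccessKeysOutput = {
  AccessKeyMetadata: [
    { UserName: "alice", AccessKeyId: "AKIAIOSFODNN7EXAMPLE", Status: "Active", CreateDate: "2018-01-01T00:00:00Z" },
    { UserName: "alice", AccessKeyId: "AKIAEXAMPLE0000FRESH", Status: "Active", CreateDate: "2018-11-21T00:00:00Z" },
    { UserName: "bob", AccessKeyId: "AKIAI44QH8DHBEXAMPLE", Status: "Active", CreateDate: "2018-06-01T00:00:00Z" },
  ],
};
const NOW = new Date("2018-12-01T00:00:00Z");

const plan = planRotation(SAMPLE_LISTING, NOW);
console.log(deactivateCommands(plan.deactivate));                 // alice's old key
console.log(plan.needsRotationFirst.map((k) => k.UserName));       // ["bob"]
```

The `needsRotationFirst` list is the useful output for a scheduled job: it is the set of people (or services) to nag, while the `deactivate` list can be applied automatically once you trust the logic.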
## Snyk - Talk about Snyk for a while
## npm improvements

- `npm audit` / `npm doctor`
- Use a private registry
- [npm 2fa](https://docs.npmjs.com/about-two-factor-authentication)
- [npm acquired security companies](https://blog.npmjs.org/post/172793182214/npm-acquires-lift-security-and-node-security)
## Collaboration We should review code not just for correctness, but for security as well.
## Resources

- [Analysis of an Exploited NPM Package || Jarrod Overson](https://www.youtube.com/watch?v=2cyib2MgvdM)
- [The State of Node.js Security [I]](https://www.youtube.com/watch?v=14IJEjTcG9g)
- [10 npm Security Best Practices](https://snyk.io/blog/ten-npm-security-best-practices/)
- [OWASP Cheat Sheet](https://cheatsheetseries.owasp.org/)