Defensive coding practices for secure Node apps
Being lightweight and efficient, Node.js has rapidly become a platform of choice for building fast, scalable, I/O-intensive modern applications. Although Node.js is widely adopted for diverse use cases, security remains arguably the least-explained topic and one of the top concerns for Node.js developers today.
What you'll learn and how you can apply it
By the end of this live, hands-on, online course, you’ll understand:
- The asynchronous programming model and its error handling mechanisms
And you’ll be able to:
- Understand how a malicious attacker thinks about your application, by finding and exploiting the vulnerabilities covered in the course yourself
- Incorporate defensive coding practices to bake security into your apps from the beginning
- Efficiently conduct a security code review of a Node.js application.
This training course is for you because...
- You’re a developer looking to improve the security of your Node.js application
- You work as part of a security team and want a fundamental understanding of security issues specific to the Node.js platform.
- Verify that you have Node.js 8.x or above installed locally, as well as Visual Studio Code (or another IDE of your choice) and Git.
About your instructor
Chetan Karande is a full stack web developer, security researcher, author, and speaker at developer conferences. He is the author of Securing Node Applications (O’Reilly). He is the project leader for the OWASP NodeGoat project and a contributor to multiple open source projects.
The timeframes are only estimates and may vary according to how the class is progressing.
Opening Exercise (10 minutes)
- Getting familiar with the hands-on lab code and pre-assessment for security issues
Node.js internal architecture (15 minutes)
- Presentation: Review key building blocks of a Node.js server
- Discussion: Strengths and security weaknesses of the architecture choices
- Presentation: Node.js and V8 runtime constraints and security attacks exploiting them
- Hands-on exercise: Code review to find vulnerabilities exploiting system constraints
- Break (5 minutes)
Insecure deprecated Node.js methods (15 minutes)
- Presentation: Review commonly used Node.js features that are deprecated due to security issues.
- Break (5 minutes)
Error handling for Asynchronous Programming Model (20 minutes)
- Presentation: Node.js's consistent non-blocking programming interface, and the error handling convention of each asynchronous programming mechanism (error-first callbacks, promises, async/await)
- Hands-on exercise: Code review to find incorrect/missing error handling
Unsafe use of Node.js methods with access to system resources (20 minutes)
- Presentation: Security attacks exploiting access to system level resources.
- Hands-on exercise: Code review to find unsafe use of Node.js methods allowing unexpected access to system resources
Recap, further learning, and wrap-up (15 minutes)