SecAppDev 2020 Lecture Details

Lessons from the Node.js ecosystem bug bounty

Marcin Hoppe
Friday March 13, 14:00 - 15:30
Short description

The Node.js ecosystem bug bounty program allows us to dive deep into the most prevalent JavaScript vulnerabilities, take a look at the state of open source security research, and learn about responsible disclosure at scale.

Abstract

npm is a package manager for JavaScript and the largest registry of open source packages, currently hosting over 1 million modules. The Node.js Ecosystem Security Working Group and HackerOne operate a bug bounty program that covers all npm packages, including the most popular modules with well over 10 million weekly downloads. The program allows us to analyze common security flaws in JavaScript code in great detail and zoom into the mechanics of open source vulnerability management.

This session will present several case studies that highlight challenges and opportunities of open source security.

Key takeaway

Several case studies of vulnerabilities in popular JavaScript libraries, from discovery, through handling, remediation, all the way to disclosure.

Content level

Deep-dive

Target audience

Anyone interested in open source, bug bounties, responsible disclosure, and JavaScript security.

Prerequisites

Attending the "Blueprint for secure JavaScript development" session will be helpful.


Marcin Hoppe

Senior Manager, Product Security, Auth0

Marcin Hoppe leads the Product Security team at Auth0, an identity platform for application builders. He is passionate about building secure applications using JavaScript and promoting security best practices and responsible disclosure in this ecosystem. Marcin is also a member of the Node.js Ecosystem Security Working Group under the OpenJS Foundation where his work is focused on running the bug bounty program for third-party Node.js packages.



Related devops security sessions

Trust Management in SCONE

Lecture by Christof Fetzer

This session presents SCONE, a platform that uses Trusted Execution Environments (TEEs) to enable the delegation of operations to an untrusted provider while guaranteeing data confidentiality.

DevOps Security Friday March 13, 14:00 - 15:30

A practical view of security toolchains in DevSecOps

Lecture by Abhay Bhargav

You wanted to know about DevSecOps pipelines, but didn't know whom to ask? This anecdotal, demo-filled talk delves into DevSecOps with strategies for tool orchestration, vulnerability management and more. Best yet, you can do all this for $0.

DevOps Security Wednesday March 11, 16:00 - 17:30

The hitchhiker's guide to secrets for cloud environments

Lecture by Abhay Bhargav

From API keys to encryption keys, the number of secrets an average app requires is increasing. The talk will focus on secrets management for Kubernetes, AWS and Azure environments, with some gotchas and implementation nuances.

DevOps Security Friday March 13, 11:00 - 12:30