Friday, August 26, 2016

NodeJS Security Considerations

In my previous post I showed how to check whether our installed Node modules are outdated. New releases of modules will certainly include fixes for a variety of issues. As developers, however, that is not enough: we need to verify that our modules no longer contain vulnerable code, and we need to vet the whole dependency tree, not just the packages we installed directly.
By using the npm ls command we can view the dependency tree.
This will show a huge list. To get a graphical view of each module we can use http://npm.anvaka.com/.
In practice we cannot thoroughly inspect each and every package for security issues, so we will use a Node package for that. Install the retire npm package.
Then, inside your Node project, run the retire command. You will see a list of vulnerabilities and their severity levels.
We can also use the Node Security command-line tools from https://github.com/nodesecurity/. nsp is the most commonly used module; it uses an API to check installed packages for known vulnerabilities. First install nsp as a global module.
Then run the nsp check command from inside your project.
As NodeJS developers, we should also identify and remove unused packages from our project. The easiest way is to use the depcheck tool. First we need to install it.
Then we can run the depcheck command inside our project.
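The core of what retire and nsp do, as an added example that is not from the original post: walk the tree that `npm ls --json` prints and match every installed version, including transitive ones, against an advisory list. The tree and the advisories below are constructed for illustration (the ids are placeholders, not real advisories).

```javascript
// Added example (not from the original post): a dependency-tree walk matched
// against a vulnerability list, the pattern behind `retire` and `nsp check`.

// Constructed `npm ls --json`-style tree. qs appears twice at different
// versions; only the old copy pulled in by express should be flagged.
const tree = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    express: { version: '4.13.4', dependencies: { qs: { version: '4.0.0' } } },
    lodash: { version: '3.10.1' },
    'safe-lib': { version: '2.0.0', dependencies: { qs: { version: '6.2.1' } } },
  },
};

// Constructed advisories (placeholder ids, not real CVEs): a package is
// vulnerable when its installed version is below `fixedIn`.
const advisories = {
  qs: [{ id: 'EXAMPLE-ADV-1', fixedIn: '6.0.4', title: 'constructed qs advisory' }],
  lodash: [{ id: 'EXAMPLE-ADV-2', fixedIn: '4.0.0', title: 'constructed lodash advisory' }],
};

// Compare two x.y.z versions numerically (pre-release suffixes ignored).
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk the tree and collect every package under an advisory,
// recording the path that pulled it in so the transitive culprit (express
// here) is visible and not just the leaf package.
function findVulnerable(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(`${name}@${dep.version}`);
    for (const adv of advisories[name] || []) {
      if (compareVersions(dep.version, adv.fixedIn) < 0) {
        out.push({ id: adv.id, fixedIn: adv.fixedIn, path: here.join(' > ') });
      }
    }
    findVulnerable(dep, here, out);
  }
  return out;
}

const findings = findVulnerable(tree);
findings.forEach((f) => console.log(`${f.id}: ${f.path} (fixed in ${f.fixedIn})`));
console.log(`${findings.length} vulnerable package(s) found`);
```

Run against real output by replacing the constructed `tree` with `JSON.parse` of `npm ls --json`; the path column is what tells you which direct dependency to upgrade.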
