Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Node.js Security Initiatives 2024 #1255

Closed
RafaelGSS opened this issue Mar 14, 2024 · 16 comments
Closed

Node.js Security Initiatives 2024 #1255

RafaelGSS opened this issue Mar 14, 2024 · 16 comments

Comments

@RafaelGSS
Copy link
Member

RafaelGSS commented Mar 14, 2024

Hey!

Since May 2023 the Security team has been working on the following initiatives:

  • Permission Model (2 Phase) - (Done)
  • Automate update dependencies (Done)
  • Assessment against best practices (Done)
  • Automate Security release process (In progress)

As always, I want to express my gratitude to everyone who contributed to our latest project. The work was exceptional. During today's meeting (#1245), we discussed the need to explore new initiatives to enhance the Node.js security ecosystem. Therefore, I would like to use this issue as a forum for brainstorming and sharing ideas. Please feel free to share any problems you've encountered and any potential solutions you may have. Even if you don't have a solution in mind, please share the problem anyway. All input is welcome. This thread will be reviewed and discussed through the Node.js Security team meetings (feel free to join).

@nodejs/security-wg

@marco-ippolito
Copy link
Member

marco-ippolito commented Mar 14, 2024

I think SBOM should be an initiative for this year

Ref: #1115

@mhdawson
Copy link
Member

mhdawson commented Mar 14, 2024

I think we should make the work to audit the build processes of the dependencies an initiative for 2024. It both aligns well with the emphasis on supply chain security and should also help the project to limit the risk of issues during security release.

Ref: #1037 #1236

@mhdawson
Copy link
Member

Proposal from discussion in the meeting today for 2024

  • Permission Model (2 Phase)
  • Assessment against best practices
  • Automate Security release process
  • Including SBOMs with Node.js
  • Audit and improving the build processes of Node.js dependencies

@UlisesGascon
Copy link
Member

UlisesGascon commented Apr 13, 2024

Given the recent discussions around the xz incident, I suggest including a new initiative dedicated to mitigating potential threats originating from similar vectors within the organization.

As an outcome of this initiative, I propose to:

  • Evaluate the current situation of the project regarding this scenario.
  • Prepare a list of potential changes to increase our resilience against this kind of threat.
  • Share our learnings openly so that other projects within the OpenJS Foundation and outside can benefit from them.

ref: #1282

@RafaelGSS

This comment was marked as resolved.

@RafaelGSS

This comment was marked as duplicate.

@RafaelGSS
Copy link
Member Author

RafaelGSS commented Apr 25, 2024

Code Integrity feature for Node.js.

@rdw-msft can you provide more details on this?

@RafaelGSS
Copy link
Member Author

RafaelGSS commented Apr 25, 2024

Include a "Defense in Depths" policy to Node.js Threat Model.

@mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)


Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

@RafaelGSS

This comment was marked as duplicate.

@GeoffreyBooth
Copy link
Member

Code Integrity feature for Node.js.

Regarding this, there’s a WIP PR for import maps: nodejs/node#49443. Import maps could be used as a place to store the subresource integrity hashes for modules: https://github.com/guybedford/import-maps-extensions#integrity. This would require some coordination with standards bodies such as WICG and WinterCG. cc @guybedford

@RafaelGSS
Copy link
Member Author

RafaelGSS commented Apr 29, 2024

Permission Model adoption on Package Managers: #1300

@rdw-msft
Copy link

rdw-msft commented May 1, 2024

Include a "Defense in Depths" policy to Node.js Threat Model.

@mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)

Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

@RafaelGSS
Copy link
Member Author

Improve CII Best Practices and reach silver badge.

@RafaelGSS
Copy link
Member Author

Defining scopes of the Security team

@RafaelGSS
Copy link
Member Author

Selected Initiatives for 2024:

    1. Automate Security release process - Champion: @RafaelGSS / @marco-ippolito
    1. Node.js maintainers: Threat Model - Champion: @nodejs/security-wg
    1. Audit build process for dependencies - Champion: @mhdawson

Please note we have skipped item 3 (SBOM) as we don't have a volunteer for that. If you are interested in moving forward with this initiative, join us.

Refs: #1319

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants
@GeoffreyBooth @UlisesGascon @mhdawson @RafaelGSS @marco-ippolito @rdw-msft and others