Node Security Project Aims at Making Node.js More Secure
The Node Security Project has been quietly working on improving Node.js security for a few months. Its goal is to audit the existing Node.js module base to help "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."
The project plans to perform this audit in a distributed way, using a ticketing system as the backbone for handling advisories, issues and pull requests, so that modules can be fixed with the help of the Node community.
As blogger \0/ bish \0/, who describes himself as a security enthusiast, writes, there is a combination of factors in Node.js that developers should be particularly aware of. The first is eval, "that can be trivially exploited to do server side injection". Another is "the event driven single threaded programming model", in which "a simple error can create a denial of service condition". He adds that "to be safe, anti-patterns like implied globals, with, eval, should be avoided." In his post, \0/ bish \0/ also shows a few ways in which incorrect use of those language features can lead to exploits.
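The two points above, eval on attacker-controlled input and an uncaught error taking down the single-threaded process, can be seen side by side in a small handler that turns a client-supplied "filter" string into an object. This is an added example, not code from the article, from \0/ bish \0/'s post or from the Node Security Project; the function names, the allowed field list and the inputs are all constructed for the illustration.

```javascript
// Added example (not from the article or the Node Security Project): a
// hypothetical "filter" parameter that a Node handler turns into an object.
// Assumed names: parseFilterUnsafe, parseFilterSafe, ALLOWED_FIELDS, demo.

// VULNERABLE: eval() on attacker-controlled text. Any JavaScript in the
// string runs with the privileges of the server process, with access to
// require(), process and the module scope. Malformed input also throws,
// and an uncaught throw inside an async request callback ends the process.
function parseFilterUnsafe(filterText) {
  return eval('(' + filterText + ')');
}

// Fields a client is allowed to filter on (assumed for the example).
const ALLOWED_FIELDS = new Set(['name', 'status']);

// HARDENED: treat the input as data (JSON.parse, never eval), validate its
// shape against a whitelist, and return a result object instead of throwing,
// so one bad request cannot become a denial of service for every client.
function parseFilterSafe(filterText) {
  let parsed;
  try {
    parsed = JSON.parse(filterText);
  } catch (_err) {
    return { ok: false, error: 'filter is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'filter must be a JSON object' };
  }
  const filter = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ALLOWED_FIELDS.has(key)) {
      return { ok: false, error: 'unknown field: ' + key };
    }
    if (typeof value !== 'string' || value.length > 64) {
      return { ok: false, error: 'field ' + key + ' must be a short string' };
    }
    filter[key] = value;
  }
  return { ok: true, filter };
}

// Constructed inputs: a benign filter and an injection payload. The payload
// is a valid JavaScript expression but not valid JSON, so only the eval path
// executes it. It plants a marker on the global object to prove that code
// ran; a real attacker would call require('child_process') instead.
const BENIGN = '{"name": "alice", "status": "active"}';
const PAYLOAD = '(global.injected = "code ran", {"name": "alice"})';

function demo() {
  const unsafeBenign = parseFilterUnsafe(BENIGN);   // looks fine
  const unsafeAttack = parseFilterUnsafe(PAYLOAD);  // also "works": attacker code executed
  const safeBenign = parseFilterSafe(BENIGN);       // accepted
  const safeAttack = parseFilterSafe(PAYLOAD);      // rejected, no exception, no code run
  return { unsafeBenign, unsafeAttack, safeBenign, safeAttack, injected: global.injected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` and compare the two results: the eval path returns a plausible-looking filter for the payload while `global.injected` has been set, whereas the JSON path reports a parse error and leaves the process running. The same whitelist approach rejects unexpected fields and non-string values, which is what keeps attacker-chosen keys out of any query built from the filter.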
Thus, Node.js is not intrinsically less secure than other technologies: the dangers mentioned above are also present in other widely used server-side languages. Rather, as Adam Baldwin says in an interview with Modulus, it is a matter of raising developers' awareness of the security concerns that affect the Node platform:
The Node Security Project is an effort to change the way we approach security within the node community, a focused effort to evangelize security principles, audit modules created by the community, and publish the results.