Half of Audited JavaScript Projects Contained a Vulnerability (theregister.co.uk)
NPM Inc. added a feature to JavaScript's package manager this spring letting users type npm audit fix to replace old, insecure project modules, and The Register asked the company how it's going.
Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the command 3.1 million times. And they're running 3.4 million security audits a week. Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability. In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn't have data on how many people are choosing to fix flagged flaws. "But what we've seen from pull requests suggests it's gaining traction," he said.
Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.
Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."
On Wednesday, NPM added "Report a Vulnerability" buttons to every NPM package web page, and also started checking new passwords against the "Have I Been Pwned?" database to spot already-compromised passwords. "The tools for avoiding problems and fixing them are getting better," writes The Register. But it'd be interesting to hear from Slashdot readers.
How do you feel about code repositories automatically offering replacements for insecure libraries?
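The "proactive policy enforcement" Baldwin mentions is usually built on top of the audit report itself. As an added example (not npm's code, and not from the article), here is a small policy gate over the JSON that npm audit emits, with a threshold severity above which the build fails; the two report shapes handled are the npm 6 layout (advisories plus metadata.vulnerabilities) and the npm 7+ layout (vulnerabilities keyed by package), and both sample reports are constructed rather than real audit output.

```javascript
// Added example: a CI policy gate over `npm audit --json` output.
// Assumptions: report shapes follow npm 6 (advisories + metadata.vulnerabilities)
// and npm 7+ (vulnerabilities keyed by package name). Sample reports below
// are constructed for illustration, not real audit output.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report shape into a flat list of { name, severity }.
function extractFindings(report) {
  if (report.advisories) {
    // npm 6: one entry per advisory, keyed by advisory id
    return Object.values(report.advisories).map((a) => ({
      name: a.module_name,
      severity: a.severity,
    }));
  }
  if (report.vulnerabilities) {
    // npm 7+: one entry per affected package, keyed by package name
    return Object.entries(report.vulnerabilities).map(([name, v]) => ({
      name,
      severity: v.severity,
    }));
  }
  return [];
}

// Count findings per severity and decide whether the build should fail.
// `failAt` is the lowest severity that blocks; defaults to 'high'.
function evaluatePolicy(report, failAt = 'high') {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const blocking = [];
  for (const f of extractFindings(report)) {
    if (!(f.severity in counts)) continue; // ignore unknown severities
    counts[f.severity] += 1;
    if (SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failAt]) blocking.push(f.name);
  }
  return { counts, blocking: [...new Set(blocking)].sort(), pass: blocking.length === 0 };
}

// Constructed npm 6-style report: one low and one critical advisory.
const SAMPLE_NPM6 = {
  advisories: {
    '1001': { module_name: 'left-pad-ish', severity: 'low' },
    '1002': { module_name: 'old-parser', severity: 'critical' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 1 } },
};

// Constructed npm 7+-style report: a single moderate finding.
const SAMPLE_NPM7 = {
  vulnerabilities: { 'some-lib': { severity: 'moderate', via: ['some-dep'] } },
};
```

Pipe the real report in with something like `npm audit --json > audit.json` and feed the parsed object to evaluatePolicy; a non-empty `blocking` list is what an enterprise gate would turn into a failed build rather than a notification.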
Re: Offer doesn't mean force. Democrat? (Score:2, Insightful)
Re: (Score:2)
This will be abused (Score:2)
Re: (Score:2)
These apk trolls are weak and lame, I want the actual apk back dammit. I'm honestly beginning to think that real apk has kicked the bucket, or just got fed up of /.
Re: (Score:2)
All of this is extremely true, and he's been incredibly hateful toward me for many years, but something about triggering his ire reminds me that I'm still alive!!
Successfully winding up a troll like apk is more satisfying than it should be. I don't know why, but there you have it.
Re: (Score:2)
Jesus feckin' Christ, a wall of Jew Hate in the apk style - not sure what to think! Questions arising -
1) Why is this posted in reply to my comment admitting to reverse-trolling apk? *aha! maybe it's like reverse racism, if you troll a troll then you are not trolling!
2) Where is this sourced from???
3) If you did write this specially for this post, you spent a long time doing so. Why??
Re: (Score:2)
TRIGGERED! Boom! (Head. Off!) lol
Re: (Score:2)
All we want is a bit of shalom, can't we all just get along?
Only half? (Score:1)
More secure than Windows.
or in other words half poorly audited (Score:1)
Re: or in other words half poorly audited (Score:1)
Re: or in other words half poorly audited (Score:1)
NPM's audit function finds known, patched vulnerabilities in the dependency chain. That's all. ;)
Simple solution: (Score:4, Interesting)
Stop using JavaScript to do backend operations!
Re: (Score:1)
Obvious outcome for low barrier to entry. Any Stackoverflow copy-and-paste dev or front end kiddie who fancies themselves an engineer can throw together crappy JavaScript code, and the rest of us have to use it indirectly on the web because companies think it's a good idea to use that garbage.
Thanks nodejs!
It's the language (Score:5, Insightful)
A while ago someone said here that "buffer overflow exploits are the low-hanging fruit of hackers, once they are gone there is plenty of other stuff." And that person was right.
Look on the bright side ... (Score:4, Insightful)
Half of audited JavaScript projects *don't* contain a vulnerability. Seems like a win.
Re: (Score:1)
No, at least half do. The other half don't contain vulnerabilities the researchers currently know about and looked for.
Password checking (Score:1)
So they will send my plain text or unsalted & hashed password over the TLS-wire to the "trusted" pwned DB for a match?
No thanks!
Re: Password checking (Score:1)
Of course every password is unique, but now me, the site I want to sign up to, and some untrusted 3rd party all have my password.
I guess the answer is multi factor auth everywhere.
Want but don't want to happen (Score:5, Insightful)
My experience is that large corporations want security and compliance. What they don't want to do is actually change anything to achieve it, especially if that changing happens on anything other than their schedule. Updating dependencies to fix security issues means having to revalidate and recertify the entire software stack, after all, and they want to avoid that at all costs. They'll only grudgingly do it when some outside agency credibly threatens them with fines and penalties that exceed the cost of the recertification. This is particularly silly since if you keep up with updates regularly it's a relatively painless process that usually doesn't break anything and if it does you've got plenty of time to fix it on your schedule. It only becomes an issue when you've avoided updates for so long that your versions of the dependencies are obsolete/unsupported and the current versions have major API redesigns or have been completely replaced by something with a different API. That's when it gets painful.
This is what happens when maintenance is considered a cost center rather than a necessary aspect of earning revenue. It's like considering janitorial services to be a cost center: pretty quick your business gets filthy and nobody wants to come in the door.
Only 1/2? (Score:3)
Hey, things are looking up for JS!
JavaScript (Score:2)
JavaScript itself is a vulnerability. Why do I have domain blocking of CSS but not JS in browsers?
No better reason ... (Score:3)