
Node.js Security Initiatives 2024

Open RafaelGSS opened this issue 1 year ago • 3 comments

Hey!

Since May 2023 the Security team has been working on the following initiatives:

  • Permission Model (2 Phase) - (In progress)
  • Automate update dependencies (Done)
  • Assessment against best practices (Partially concluded)
  • Automate Security release process (In progress)

As always, I want to express my gratitude to everyone who contributed to our latest project. The work was exceptional. During today's meeting (#1245), we discussed the need to explore new initiatives to enhance the Node.js security ecosystem. Therefore, I would like to use this issue as a forum for brainstorming and sharing ideas. Please feel free to share any problems you've encountered and any potential solutions you may have. Even if you don't have a solution in mind, please share the problem anyway. All input is welcome. This thread will be reviewed and discussed through the Node.js Security team meetings (feel free to join).

@nodejs/security-wg

RafaelGSS avatar Mar 14 '24 20:03 RafaelGSS

I think SBOM should be an initiative for this year

Ref: #1115

marco-ippolito avatar Mar 14 '24 21:03 marco-ippolito

I think we should make the work to audit the build processes of the dependencies an initiative for 2024. It both aligns well with the emphasis on supply chain security and should also help the project to limit the risk of issues during security releases.

Ref: #1037 #1236

mhdawson avatar Mar 14 '24 21:03 mhdawson

Proposal from discussion in the meeting today for 2024

  • Permission Model (2 Phase)
  • Assessment against best practices
  • Automate Security release process
  • Including SBOMs with Node.js
  • Audit and improving the build processes of Node.js dependencies

mhdawson avatar Mar 28 '24 14:03 mhdawson

Given the recent discussions around the xz incident, I suggest including a new initiative dedicated to mitigating potential threats originating from similar vectors within the organization.

As an outcome of this initiative, I propose to:

  • Evaluate the current situation of the project regarding this scenario.
  • Prepare a list of potential changes to increase our resilience against this kind of threat.
  • Share our learnings openly so that other projects within the OpenJS Foundation and outside can benefit from them.

ref: https://github.com/nodejs/security-wg/issues/1282

UlisesGascon avatar Apr 13 '24 13:04 UlisesGascon

We currently have two experimental security features: the Permission Model and the Policy mechanism. Although the Permission Model is still in development, the Policy mechanism requires further research to determine its next steps. Therefore, I suggest that we focus on improving the Policy mechanism as one of our initiatives for 2024.

UPDATE: Flagging it as resolved as the feature will be removed

RafaelGSS avatar Apr 17 '24 15:04 RafaelGSS

Discuss the impact of our CI machines and attack vectors

RafaelGSS avatar Apr 24 '24 16:04 RafaelGSS

Code Integrity feature for Node.js.

@rdw-msft can you provide more details on this?

RafaelGSS avatar Apr 25 '24 14:04 RafaelGSS

Include a "Defense in Depths" policy to Node.js Threat Model.

@mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)

Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

RafaelGSS avatar Apr 25 '24 14:04 RafaelGSS

Collaborators Inactivity Policy Review https://github.com/nodejs/security-wg/issues/1282

RafaelGSS avatar Apr 25 '24 14:04 RafaelGSS

Code Integrity feature for Node.js.

Regarding this, there’s a WIP PR for import maps: https://github.com/nodejs/node/issues/49443. Import maps could be used as a place to store the subresource integrity hashes for modules: https://github.com/guybedford/import-maps-extensions#integrity. This would require some coordination with standards bodies such as WICG and WinterCG. cc @guybedford

GeoffreyBooth avatar Apr 29 '24 18:04 GeoffreyBooth

Permission Model adoption on Package Managers: https://github.com/nodejs/security-wg/issues/1300

RafaelGSS avatar Apr 29 '24 19:04 RafaelGSS

Include a "Defense in Depths" policy to Node.js Threat Model.

@mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)

Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

rdw-msft avatar May 01 '24 20:05 rdw-msft

Improve CII Best Practices and reach silver badge.

RafaelGSS avatar May 09 '24 14:05 RafaelGSS

Defining scopes of the Security team

RafaelGSS avatar May 09 '24 14:05 RafaelGSS

Selected Initiatives for 2024:

    1. Automate Security release process - Champion: @RafaelGSS / @marco-ippolito
    2. Node.js maintainers: Threat Model - Champion: @nodejs/security-wg
    3. Audit build process for dependencies - Champion: @mhdawson

Please note we have skipped item 3 (SBOM) as we don't have a volunteer for that. If you are interested in moving forward with this initiative, join us.

Refs: https://github.com/nodejs/security-wg/pull/1319

RafaelGSS avatar May 23 '24 14:05 RafaelGSS