The Node.js Highway: Attacks are at Full Throttle

Presented at Black Hat USA 2015, Aug. 5, 2015, 5:30 p.m. (30 minutes)

The popularity of the Node.js coding language is soaring. Just five years after its debut, the language's framework now boasts more than 2 million downloads a month. It's easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language.

But before accelerating too quickly, it is important to understand the power and corresponding mishaps of this language. This talk is not intended to put the brakes on Node.js. On the contrary, this talk aims to raise awareness of its security issues during application development.

As such, our talk ends with effective security measures that enterprises can adopt in order to drive their business forward and securely.


Presenters:

  • Amit Ashbel - Checkmarx
    Amit Ashbel joined Checkmarx from Trusteer (acquired by IBM). He has been with the security community for more than a decade, where he has taken on multiple tasks and responsibilities over the years, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats and the hi-tech security industry.
  • Maty Siman - Checkmarx
    Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister's Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF's Information Security Center. Maty regularly speaks at IT security conferences and has been CISSP certified since 2003.
