ExpressJS is not an exception that powers 2.31% of the top 1 million websites which runs on top of NodeJS and provides excellent features to develop web-based applications. So, let’s jumpstart with a few basics, and this particular series will cover a lot more aspects of securing, maintaining and deploying production-grade expressjs server.
Maintaining and security third party dependencies
Developers love to use libraries for abstraction and better code management. Npm provides excellent support for packaging and distributing libraries as modules for developers. One of the most common software security and vulnerability incidents revolve around the outdated third party dependencies or vulnerabilities within the library.
As codebase tends to grow when features grow, the developers tend to keep the same dependencies that don’t break the build or existing features. But this comes with the cost of hidden security vulnerabilities in the code. The famous Equifax breach with several million stolen credit information is due to by a vulnerability in the Java Framework, which has an outdated dependency. With the patch available for more than three months, Equifax failed to apply and secure the webserver.
- Developers should often update the libraries and adopted framework.
- Subscribe for security newsletter or updates from the developer of the library.
There are a lot of tools available in the market to help developers to keep informed about the vulnerabilities. Snyk.io provides exceptional support to scan vulnerabilities and outdated libraries from the command line in no time for busy developers who run behind the deadlines. Integrate snyk with your CI/CD pipeline will help in assisting the fix for vulnerable libraries before deploying to production.
- Be aware of libraries, modules within the application
- Check for transitive dependencies
- Use tools like snyk.io to detect, fix vulnerable libraries in the development environment
- Subscribe to the mailing list, updates newsletter for receiving updates on security issues or notice from developers.
For bugs/hugs, contact via Twitter.