Node.js Module: I Choose You!

•Descargar como PPTX, PDF•

0 recomendaciones•55 vistas

This document discusses security, licensing, maintenance, breaking changes and compatibility considerations for Node.js modules. It notes that while 84% of developers are confident in Node.js core security, only 16% are confident that third-party modules are vulnerability-free. It provides tips on using npm audit, GitHub security alerts, and locking dependencies to mitigate security risks. It also discusses understanding open source licenses, analyzing module quality and maintenance, how semantic versioning relates to breaking changes, and resources for long term support and compatibility of Node.js modules.

Tecnología

NODE.JS MODULE: I CHOOSE YOU!
@BethGriggs_
BethGriggs

NODE.JS MODULES ARE GREAT
Many are
Open Source
with code
available on
GitHub Promotes
code
sharing
and reuse
Over 800K
modules
available
on npm
registry

NODE.JS
TWITTER APP
• 14 Lines
• 1 Direct Dependency

ACTUALLY A LOT OF CODE IN
PRODUCTION
• 49 total packages
• 45,928 lines of code
• 6 different license types

MORE CODE IN PRODUCTION = MORE RISK
SECURITY LICENSES MAINTENANCE BREAKING CHANGES COMPATIBILITY

STATE OF NODE.JS SECURITY
84% are moderately to
very confident in the
security of Node.js core
16% are confident that
third-party packages they
use are vulnerability-free
https://nodesource.com/blog/the-state-of-node-js-security-in
STATE OF NODE.JS SECURITY
84%are moderately
to very confident in
the security of
Node.js core
16%are confident
that third-party
packages they use are
vulnerability-free
https://nodesource.com/blog/the-state-of-node-js-security-in-2017/
STATE OF NODE.JS SECURITY
84%are moderately
to very confident in
the security of
Node.js core
16%are confident
that third-party
packages they use are
vulnerability-free
https://nodesource.com/blog/the-state-of-node-js-security-in-2017/

SECURITY RISK MITIGATION
• npm@6 - `npm audit`
• GitHub security alerts
• Lock down your
`package.json`
• Publish a `package-lock.json`

CARE? 🤷
If you link with open source libraries and
then distribute the software, your
software needs to be COMPLIANT with
the licenses of the linked libraries

WHAT DO YOU MEAN DISTRIBUTE?
• Transferring software between
employees of the same company is not
normally a distribution
• Users interacting with an app over
network, it is not a distribution for most
open source licenses
• Network Protective licenses (AGPL,
etc.)
• Hosting the JavaScript files on a public
web server is a distribution

LICENSE TYPES
Copyleft or
Protective
Weakly
Protective
Public Domain or
Permissive

UNDERSTANDING
LEGAL SPEAK
• Software Licenses in Plain
English -
https://tldrlegal.com/
• Choose a license -
https://choosealicense.co
m
• GitHub Licenses

• Are you using a deprecated module?
• Are issues in the module being fixed?
• How active is the development?
• How many maintainers are there?

ANALYZERS
• GitHub Insights
• npm ”search by quality”
which is based on
https://npms.io/

SEMANTIC VERSIONING
1 . 7 . 3
Breaking Feature Fix

BREAKING CHANGES
• How strictly are they following
SemVer?
• How often will I have to update
major versions?
• Are security/bug fixes only
released on the latest major
release?

LONG TERM SUPPORT FOR NODE.JS
MODULES
https://github.com/CloudNativeJS/Module

SUMMARY
Security
Licenses
Maintenance
Breaking Changes
Compatibility

Más contenido relacionado

La actualidad más candente

30+ Nexus Integrations to Accelerate DevOps

Sonatype

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman

DevSecCon

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Mohamed Nizzad

Henrique Dantas - API fuzzing using Swagger

DevSecCon

In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream. But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments. In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process. Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.

DevOps or DevSecOps

Michelangelo van Dam

DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx

DevSecCon

Tired of having users email you that your web application is broken? Turns out that building reliable web applications is hard and requires a lot of testing. You can write unit tests but quite often these all pass and the application is still broken. Why? Because they test parts of the application in isolation. But for a reliable application we need more. We need to make sure that all parts work together as intended. Cypress is a great tool to achieve this. It will test you complete web application in the browser and use it like a real user would. In this session Maurice will show you how to use Cypress during development and on the CI server. He will share tips and tricks to make your tests more resilient and more like how an actual end user would behave.

Build reliable Svelte applications using Cypress

Maurice De Beijer [MVP]

DevSecCon London 2017: Shift happens ... by Colin Domoney

DevSecCon

NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)

Hui (Henry) Chen

TDD and the Terminator: An Introduction to Test-Driven Development

VMware Tanzu

Justin Collins, Brakeman Security It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews. This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.

Static Analysis For Security and DevOps Happiness w/ Justin Collins

Sonatype

[OWASP Poland Day] Security knowledge framework

OWASP

DevSecOps - The big picture

DevSecOpsSg

Matt carroll - "Security patching system packages is fun" said no-one ever

DevSecCon

My tryst with sourcecode review

Anant Shrivastava

Adversary Driven Defense in the Real World

James Wickett

Code review and security audit in private cloud - Arief Karfianto

idsecconf

Ast in CI/CD by Ofer Maor

DevSecCon

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon

DevSecOps for you Full Stack

Ron Nixon

La actualidad más candente (20)

30+ Nexus Integrations to Accelerate DevOps

DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Henrique Dantas - API fuzzing using Swagger

DevOps or DevSecOps

DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx

Build reliable Svelte applications using Cypress

DevSecCon London 2017: Shift happens ... by Colin Domoney

NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)

TDD and the Terminator: An Introduction to Test-Driven Development

Static Analysis For Security and DevOps Happiness w/ Justin Collins

[OWASP Poland Day] Security knowledge framework

DevSecOps - The big picture

Matt carroll - "Security patching system packages is fun" said no-one ever

My tryst with sourcecode review

Adversary Driven Defense in the Real World

Code review and security audit in private cloud - Arief Karfianto

Ast in CI/CD by Ofer Maor

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecOps for you Full Stack

Similar a Node.js Module: I Choose You!

Introduction to License Compliance and My research (D. German)

dmgerman

Aleksei Dremin - Application Security Pipeline - phdays9

Alexey Dremin

Analysis of-quality-of-pkgs-in-packagist-univ-20171024

Clark Everetts

Open source and open standards have been two pillars of self-sovereign identity since the beginning. Only by breaking down barriers to both development and production can we ensure that SSI works for everyone, everywhere. Openness is also at the core of how Evernym operates, and our motivation for launching Sovrin, subsequently donating Hyperledger Indy to the world, and more recently, open-sourcing our own products. In this webinar, we covered: - The importance of open source software, and why it's needed for self-sovereign identity - The open source tools available today, from Hyperledger Indy and Aries to Evernym's Verity - What Evernym's open-sourcing of Verity means for developers - Getting started with either open source or our free Sandbox plan

Open Source & What It Means For Self-Sovereign Identity (SSI)

Evernym

This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to find the correct gear to get us down the road.

ShiftGearsWithInformationSecurity.pdf

Steven Carlson

This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.

Programming languages and techniques for today’s embedded andIoT world

Rogue Wave Software

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

Open Source vs Proprietary

M. Antoinette Jerom

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

Qualcomm Developer Network

Web App Security Presentation by Ryan Holland - 05-31-2017

TriNimbus

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype

Emerasoft, solutions to collaborate

Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle. Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image. Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible. During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system. Contacts: LinkedIn - https://www.linkedin.com/in/vshynkar/ GitHub - https://github.com/sqerison ------------------------------------------------------------------------------------- Materials from the video: The policies and docker files examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90 The repo with the helm chart used in a demo: https://github.com/sqerison/argo-rollouts-demo Tools that showed in the last section: https://github.com/armosec/kubescape https://github.com/aquasecurity/kube-bench https://github.com/controlplaneio/kubectl-kubesec https://github.com/Shopify/kubeaudit#installation https://github.com/eldadru/ksniff Further learning. A book released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF O`REILLY Kubernetes Security: https://kubernetes-security.info/ O`REILLY Container Security: https://info.aquasec.com/container-security-book Thanks for watching!

Kubernetes and container security

Volodymyr Shynkar

Addressing Cloud Security with OPA

DiemShin

Presented at All Things Open 2023 Presented by Viral Chhasatia & Karan Marjara - Amazon Title: Open Source evaluation: A comprehensive guide on what you are using Abstract: What happens if an open source package your service relies on changes direction or shuts down? This talk provides a step-by-step approach that enables users to thoroughly assess open source software risks and rewards before making a final decision to use it in your product or service. Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen 2023 conference: https://2023.allthingsopen.org/

Open Source evaluation: A comprehensive guide on what you are using

All Things Open

This talk "What is the secure software supply chain and the current state of the PHP ecosystem" discusses the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...

sparkfabrik

Presented at All Things Open 2022 Presented by Andrew Zigler Title: Open Source All The Things Abstract: Open source software is increasingly becoming the number one choice for software developers worldwide because it's considered best in class for its improved security, extensibility and customization, and high-quality tooling. Wouldn’t it be great if your entire software development lifecycle could take place on open source software? The good news is that it absolutely can! Modern open source tools give your development team everything they need to be productive, from initial planning to production deployment. In this session, you’ll learn how to use 100% open source software to set up a complete development pipeline that includes source code management, CI/CD, service monitoring and notifications, team communications and collaboration, project and task management, and process automation. Attendees will come away with an arsenal of tools they can deploy for their team to become more efficient at the software development process. Target Audience: Anyone who works on a software development team and wants to find ways to make their team more productive and facilitate better collaboration. This session is ideal for developers and technical managers who want to use open source tools to reduce context switching and increase the focus time they have to write code.

Open Source All The Things

All Things Open

Application security meetup k8_s security with zero trust_29072021

lior mazor

Open Source Licenses

Ortus Solutions, Corp

Started In Security Now I'm Here

Christopher Grayson

Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.

Cyber security - It starts with the embedded system

Rogue Wave Software

Similar a Node.js Module: I Choose You! (20)

Introduction to License Compliance and My research (D. German)

Aleksei Dremin - Application Security Pipeline - phdays9

Analysis of-quality-of-pkgs-in-packagist-univ-20171024

Open Source & What It Means For Self-Sovereign Identity (SSI)

ShiftGearsWithInformationSecurity.pdf

Programming languages and techniques for today’s embedded andIoT world

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Open Source vs Proprietary

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

Web App Security Presentation by Ryan Holland - 05-31-2017

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype

Kubernetes and container security

Addressing Cloud Security with OPA

Open Source evaluation: A comprehensive guide on what you are using

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...

Open Source All The Things

Application security meetup k8_s security with zero trust_29072021

Open Source Licenses

Started In Security Now I'm Here

Cyber security - It starts with the embedded system

Último

ICT role in 21st century education and its challenges

rafiqahmad00786416

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Node.js Module: I Choose You!

1. NODE.JS MODULE: I CHOOSE YOU! @BethGriggs_ BethGriggs

2. NODE.JS MODULES ARE GREAT Many are Open Source with code available on GitHub Promotes code sharing and reuse Over 800K modules available on npm registry

3. NODE.JS TWITTER APP • 14 Lines • 1 Direct Dependency

4. ACTUALLY A LOT OF CODE IN PRODUCTION • 49 total packages • 45,928 lines of code • 6 different license types

5. MORE CODE IN PRODUCTION = MORE RISK SECURITY LICENSES MAINTENANCE BREAKING CHANGES COMPATIBILITY

6. SECURITY

7. STATE OF NODE.JS SECURITY 84% are moderately to very confident in the security of Node.js core 16% are confident that third-party packages they use are vulnerability-free https://nodesource.com/blog/the-state-of-node-js-security-in STATE OF NODE.JS SECURITY 84%are moderately to very confident in the security of Node.js core 16%are confident that third-party packages they use are vulnerability-free https://nodesource.com/blog/the-state-of-node-js-security-in-2017/ STATE OF NODE.JS SECURITY 84%are moderately to very confident in the security of Node.js core 16%are confident that third-party packages they use are vulnerability-free https://nodesource.com/blog/the-state-of-node-js-security-in-2017/

8. 2017

9. 2018

10. SECURITY RISK MITIGATION • npm@6 - `npm audit` • GitHub security alerts • Lock down your `package.json` • Publish a `package-lock.json`

11. LICENSES

12. CARE? 🤷 If you link with open source libraries and then distribute the software, your software needs to be COMPLIANT with the licenses of the linked libraries

13. WHAT DO YOU MEAN DISTRIBUTE? • Transferring software between employees of the same company is not normally a distribution • Users interacting with an app over network, it is not a distribution for most open source licenses • Network Protective licenses (AGPL, etc.) • Hosting the JavaScript files on a public web server is a distribution

14. LICENSE TYPES Copyleft or Protective Weakly Protective Public Domain or Permissive

15. UNDERSTANDING LEGAL SPEAK • Software Licenses in Plain English - https://tldrlegal.com/ • Choose a license - https://choosealicense.co m • GitHub Licenses

16. WHICH LICENSES AM I USING?

17. MAINTENANCE

18. • Are you using a deprecated module? • Are issues in the module being fixed? • How active is the development? • How many maintainers are there?

19. ANALYZERS • GitHub Insights • npm ”search by quality” which is based on https://npms.io/

20. BREAKING CHANGES

21. SEMANTIC VERSIONING 1 . 7 . 3 Breaking Feature Fix

22. BREAKING CHANGES • How strictly are they following SemVer? • How often will I have to update major versions? • Are security/bug fixes only released on the latest major release?

23. NODE.JS RELEASE

24. LONG TERM SUPPORT FOR NODE.JS MODULES https://github.com/CloudNativeJS/Module

25. COMPATIBILITY

26. https://modules.cloudnativejs.

27. SUMMARY Security Licenses Maintenance Breaking Changes Compatibility

28. NODE.JS MODULE: I CHOOSE YOU! @BethGriggs_ BethGriggs

Notas del editor

- Hi My names Beth- Past two years I've been working in the Node.js team in IBM Runtime Technologies - Our team originally focused on bringing Node.js to IBM Platforms- IBM SDK for Node.js- Our team has contributed and maintain those upstream in Node.js- So now we’re moving on to look at how we can encourage more of our Enterprise customers to leverage Node.js and its Ecosystem.- One the key areas of concern for our customers is their module dependencies.
- So first of all Node.js Modules are great- Powerful things about Node.js is the massive module ecosystem around it. - There are over 800k modules on NPM Registry, so there’s a high chance that one exists to help the work you want to do- This makes it quick and easy to get small prototypes going while promoting code sharing and reuse.
- As an example- Using 1 module and writing 14 lines of code I can setup and interact with TwitterClient- It is very terse, very quick to achieve something, which enables developers to concentrate on the business logic of their application rather than specific implementations details
- But that’s actually a lot of code in production- Look at the whole tree of deps- There’s a total of 49 packages- Almost 46K lines of code- Covered by 6 different license types- The amount of code you write is significantly differently from the amount that you deploy and are responsible for in production
It’s important to think about that code And this what concerns our enterprise customers. the more code you deploy into production, the more risk. These are the five “risk” area that pop up a lot, Security, Licenses, Maintenance, Breaking changes Compatibility
Looking at security
There was a survey of Node Developers covering the state of Node.js security from NodeSource and Sqreen last year . From those results, they 84% of Node.js developers are moderately to very confident in the security of Node.js core. Happy to pickup the Node.js runtime. They're confident security issues will be detected and resolved.But, only 16% of Node.js developers surveyed were confident that third-party packages they were using were vulnerability free And, Security issues in node module dependencies can escalatesEach year we a get a couple of notable security issues pop up
- In 2017, we had the cross-env issue, where an attacker published malicious code to the similarly named crossenv, so missing out the dash. - malicious code that would be executed on install. - Sent the users environment variables to a remote server, so any credentials you had stored in you environment could've be leaked. - So one typo while trying to install a module could leave you exposed- This type of attack is sometimes called typo-squatting. - It's not only cross-env that has been targeted. Reported and taken down pretty quickly
And then in 2018, I’m sure you remember the eslint issue . Targeting more of a devDependency. - Access was gained to a Eslint publishers account, and a malicious release was published to the NPM registry as a new release - Malicious code in this instance actually tried to expose information stored in the npmrc file. And this is where you'd store your npm registry token. - Intention viral attack, with that one token, they were able to pickup other tokens to enable to do the same .Solution was to revoke all NPM tokens created after a certain date
`npm audit` GitHub security alertsLock your versions down in your package.json Wildcards?? Specifically ,it wouldn’t have auto downloaded the new release eslint issue
Licenses
Why should you care about licenses? if you link with OS libraries and then distribute the software, your software need to be compliant with the licenses of the linked libraries. And that’s not only the License of the direct dependency, it includes the license of the whole dependency tree
- So sometimes it is unclear what is meant by the term distributing - Transferring software between the same company is not normally a distribution- Users interacting with an app over a network is not a distribution for most licenses. There are Network Protective licenses like AGPL
License types can be loosely grouped into three areas Protective, If you use one of these, your software has to be bound by the same conditions as the linked softwareWeakly protective, less restriction for dynamic linking Public Domain and permissive licenses, like MIT that allow you to do anything except sue the author Public Domain or Permissive licenses, which allow you to do everything except sue the author
Sometimes it can be hard to understand this legal terminonloghelp select an appropriate license for your own software/module
- To understand which licenses you’re using in the whole tree- you can use a module called license checker - This will out put all the licenses it can detect in the tree - You can also pass it some options to exclude known good options
Looking at maintenance If most of your code is coming from your dependencies, you need to be aware of how maintained the mass of code you're building on top of is
Hit by a bus scenario
GitHub Insights- deprecated, issues fixed, active, new features- how many maintainers are there, - NPM search by quality, which is utilizes npms, which was a project created by developers who were hitting the same issue of not knowing which modules to choose.- Npms collates some of the metrics like “number of commits, ratio of issues closed” to determine stability/maintenance/
- Another concern for our customers is breaking changes. - Some projects still have relatively long release cycles, choosing a module that makes breaking changes _too_ often will be an issue. - They need to have time to migrate to the next version
This is a versioning scheme BreakingFeatureFix
So when looking for a module, you should see if the module is adopting or adhering to Semantic versioning. Bear in mind it is up to the module owners interpretation of what is a patch/breaking change. Another concern would be how often you have to update major versions Will I have to choose between a breaking change and a security fix? Talk about Node.js
With Node.js, they have a defineda Long Term support policy
LTS Node.js
- local dev environment is not the same as their target deployment environment. - So it'd be a pain to get some code all up and running locally, only to find out one of your dependencies does not work in your target production enivronement.
5 major areas of concern when choosing a node module - Security – CI tools etc to watch for vulnerabilities, pattern scanners Licenses - Licenses checker – BE AWAREVet the whole treeMaintenance - Critical app Breaking changes - LTS policiesCompatibility - Check it runs on target runtime
ThanksIf you want to win a drone, head to the IBM booth at 3:45

Node.js Module: I Choose You!

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Node.js Module: I Choose You!

Similar a Node.js Module: I Choose You! (20)

Último

Último (20)

Node.js Module: I Choose You!

Notas del editor