As recently announced, the npm client supports installing packages from locations outside the official npm registry (such as HTTP URLs). Due to a design flaw introduced in late 2014, the bearer tokens used to authenticate the npm client with the registry were sent along with all requests, not just those to the official registry.

So, if you or one of the modules you use specified a dependency like the example below, your authentication token would be leaked to that location. Note that this is not your password but a token representing that credential.
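As an added example (not code from the original post), a small defender-side check that walks a package.json and flags dependency specifiers that resolve outside the official registry, the locations to which an affected client would have sent its token. The package.json content is constructed for the example; the hostnames in it are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Specifier prefixes that fetch from somewhere other than the npm registry.
_NON_REGISTRY_PREFIXES = ("git+", "git:", "github:", "gist:",
                          "bitbucket:", "gitlab:", "file:")


def is_non_registry_spec(spec):
    """True if a dependency version spec points outside the npm registry."""
    spec = spec.strip()
    if spec.startswith(_NON_REGISTRY_PREFIXES):
        return True
    parsed = urlparse(spec)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return True  # tarball or other URL fetched directly over HTTP(S)
    # GitHub shorthand "user/repo" or "user/repo#ref" (no registry involved)
    if re.fullmatch(r"[\w.-]+/[\w.-]+(#.*)?", spec):
        return True
    return False


def find_non_registry_dependencies(package_json_text):
    """Return sorted (section, name, spec) tuples for non-registry dependencies."""
    pkg = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if is_non_registry_spec(spec):
                findings.append((section, name, spec))
    return sorted(findings)


# Constructed sample package.json; hosts are placeholders, not real projects.
SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "lodash": "^4.17.0",
    "left-pad": "1.0.0",
    "internal-lib": "http://builds.example.test/internal-lib-1.0.0.tgz",
    "my-fork": "git+https://github.com/example/my-fork.git#v2"
  },
  "devDependencies": {
    "lab": "~5.0.0",
    "helper": "example/helper#master"
  }
}
"""

if __name__ == "__main__":
    for section, name, spec in find_non_registry_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{section}: {name} -> {spec}")
```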


Wednesday afternoon we put a new version of the Node Security API in place to allow for some new and exciting features in the future.

This morning Dan Silivestru, CEO of BitHound, notified us that they had seen a couple of advisories that were publicly available but contained incomplete information.

We investigated and found a flaw in our API, specifically related to authorization that allowed access to non public advisories. This case was also not checked with our test suite, despite having 100% code coverage. It’s an embarrassing reminder that even with diligent development practices, code coverage and peer reviews, things get missed and vulnerabilities find their way in.


One question we’ve been asked a lot since launching requireSafe: “How is this different from the Node Security Project?”

We’ve fought that confusion ourselves so today we’re announcing that requireSafe will be fully consolidated into the Node Security Project.

This change lets us focus on the one thing we want to do really well: make security a core value of the node community. We couldn’t be more excited about simplifying this effort by merging these projects.

Along with this change, we’re putting significant work into improving the tooling, education materials, and guidance that the community has relied upon for the last three years.


requiresafe v2.3.0 was just published and includes a small pile of updates implemented by Nathan LaFreniere based on the feedback by pdehaan and naugtur.

Here is a summary of the updates.

  • added summary formatter similar to the nsp client
  • added vulnerable and patched version display to default formatter
  • cleaned up version numbers for unpatched modules in formatters
  • added --warn-only flag to check command
  • moved linting configuration to a central module, eslint-config-requiresafe
  • removed the scoped dependency for npm < 2.7 support
  • cleaned up the shrinkwrap file

And a bit more detail for some of the more exciting features.


If you are using Travis CI, it should take you about 30 seconds to add requireSafe and start continually monitoring your apps for known security vulnerabilities.

If you haven’t used Travis before, be sure to check out the docs for how to get started and then dive into adding requireSafe.

Let’s get started.

First, add requiresafe as a dev dependency by typing

```
npm i requiresafe --save-dev
```

Next add a script to your package.json to allow npm to run requiresafe check. Ours looks something like this:

```
"scripts": {
  "test": "lab -a code -t 100 -L",
```

Combining a continuous integration service like circleci with requireSafe gives you continuous security for your Node.js projects.

If you haven’t used circleci before, be sure to check out the docs for how to get started before you dive in to integrate requireSafe.

Once you have circleci all set up, it’s quite easy to add requireSafe checking so that you will know right away when a dependency with a known vulnerability ends up in your dependency tree.

First, add requiresafe as a dev dependency by typing

```
npm i requiresafe --save-dev
```

Next, add a script to your package.json to allow npm to run requiresafe check. Ours looks something like this:


It’s been an exciting past couple of weeks. First we launched the new CLI, then we integrated with Code Climate, and now we are going to ship a couple more integrations and a new, much-requested enterprise feature: exceptions.

Grunt & Gulp

We know not everyone uses the same tools for their dev/CI process, so the CLI might not be enough for you. To help make requireSafe accessible to everyone we’ve released grunt-requiresafe and gulp-requiresafe.

Additionally, with the release of these integrations we are now at feature parity with the Node Security Project tooling. If you are currently using the Node Security Project tools, specifically grunt-nsp-package, grunt-nsp-shrinkwrap or gulp-nsp, we highly suggest you migrate to these new requireSafe integrations.


We are proud to announce an exciting partnership with Code Climate. Starting today requireSafe will be available as one of the many static analysis tools available on Code Climate’s platform.

requireSafe (available in beta) audits your Node.js modules using a seasoned auditing team and alerts you to vulnerabilities when Node Security Project advisories are created or updated. Of interest specifically is the use of the CLI tool to help identify known vulnerabilities in your own projects.

To make this available to as many developers as possible, we’re releasing requireSafe as an open source “Engine” for the Code Climate platform. This means requireSafe can be used in the cloud as part of Code Climate’s hosted analysis, or on your command line with their open source CLI. This is great news for anyone writing Node.js, regardless of the size or type of your project.


Today we are extremely excited to announce the release of a brand new version of the requireSafe Command Line Interface (CLI).

On the surface it works like the old version; however, you will notice that a lot of extraneous functionality, like logging in or registering, has been removed, leaving only the core requiresafe check command in place.

Why did you remove all the goodies?

To be blunt we got a little ahead of ourselves with some features in the beta and decided to burn it down and go back to the basics to make it a better experience for our core use case. Those other features will return with a better experience and more functionality. Follow @requiresafe to find out when new features are released.


All good things eventually come to an end. All poorly maintained but fun projects tend to as well. After 4 years I’m going to shut down xss.io. Its last day will be September 30th.

xss.io was built to serve my needs for extended penetration tests and as a proof of concept for a talk I gave at DEFCON 20 demonstrating the usefulness of such a technique. It met this goal.

I open sourced it a while back; you can find the code here.

Here are some stats from xss.io’s run:

  • 338 people logged in and used the tool