Node.js Security and Performance Training in London

In September, the ^lift security team, in partnership with YLD, hosted the first Security and Performance Advanced class for Node.js developers in the beautiful city of London, UK.

Our primary goal for this class was to enable software engineers and experienced developers to understand how to deploy large-scale applications, focusing on solid security practices and on analyzing performance bottlenecks.

As more and more enterprises migrate to Node.js, the community is seeing a greater need for a solid security and performance strategy. We at ^lift came together with YLD to help advanced developers understand the unique requirements of enterprise Node.js applications.

Pedro provided a well-thought-out analysis of what we often do wrong, as well as a practical process for looking at what is actually happening inside our Node.js apps. The tools and methods gave a clear view of the real performance bottlenecks. We were able to take an app that was performing slowly and improve its metrics over a hundredfold!

After lunch, Matt walked through many of the security concerns with Node.js applications and how they get compromised. The concepts were well explained, and clear, specific solutions were provided. It was nice to have practice apps that could be compromised, enabling the class members to exploit the vulnerabilities and compromise the application. However, just breaking an app isn't enough: it then had to be fixed!

We at ^lift have invested strongly in Node.js for the development of internal tools and products, which eventually resulted in the creation of the Node Security Project, the central hub for communicating the latest vulnerabilities in Node.js modules and their respective patches, and tools like nsp, which help your team ensure they don't use known vulnerable modules.

What was taught?

The training was fully hands-on, one full day, covering the following aspects:

  • Security-related:

    • Approaches for building securely with both Hapi and Express
    • Authentication, Authorization and Session Management
    • Handling Sensitive Data
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • SQL Injection / Command Injection
    • Directory Traversal
    • Mass Assignment
    • Security Headers
    • Security Misconfiguration
    • Using the Node Security Project to identify known vulnerabilities
  • Performance-related:

    • Defining and measuring the performance of a Node app
    • Techniques for monitoring
    • Understanding the Event Loop
    • Measuring Event Loop Lag
    • Understanding what the CPU is doing using DTrace and V8 profiling
    • How Garbage Collection works and its impact on performance
    • How to use tools like heapdump and MDB to analyze V8 memory
    • Fixing I/O-bound processes
    • Fixing CPU-bound processes
    • Fixing memory-bound processes
    • Techniques to improve performance of hot code paths

We chose London for this event because of its vibrant Node.js community and the number of large companies and startups adopting Node.js into their ecosystem.

A special thanks

Last but not least, we want to give a shout-out to our friends at YLD, with whom we joined forces to make this training event happen.

Thanks to Ladies Who Code, we were able to create a more diverse and inclusive event with the Node Security Scholarship.

Also a big thank you to Oli Evans and Alan Shaw for the warm welcome the ^lift team received when we arrived in London, and for all the energy they spent making sure we were able to communicate directly with the Node.js community meetup.

Couldn't make it to the training?

After the success of the first edition, we are considering hosting more sessions. Let us know if you are interested, or if you would like to bring the training to your team, by emailing us at training@liftsecurity.io.

We also have an online video course that covers some of the same security topics.
