Avoiding CSRF with Remix 

Lee Rowlands

Securing Node.js APIs with Decentralised Identity Tokens

Mohammad Shahbaz Alam

Automated Application Security Testing 

How to Make GraphQL Security Easier with StackHawk

Automated Security Testing for JS Apps & Underlying APIs

Scott Gerlach

How React Applications Get Hacked in the Real-World

Security Controls in the JavaScript Supply Chain

Let Me Show You How React Applications Get Hacked in the Real-World

You thought your React application is secure? Think again

Liran Tal

The Security Toolbox For Node

Milecia McGregor

Securing Your Software Supply Chain

Darcy Clarke

You're 5 Minutes Away from Code Quality & Code Security

G. Ann Campbell

How Developers Can Use Automated App Security Testing To Protect Vue Apps

Nick Teets

JS Security Testing Automation for Developers on Every Build

Oliver Moradov

Bar Hofesh

Bring Code Quality and Security to your CI/CD pipeline

Elena Vilchik

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder

Feross Aboukhadijeh

Passwordless Auth to Servers: hands on with ASA

E. Dunham

Zod === Typescript, but at Runtime in Your React Applications

Luca Del Puppo

New Way of Envisioning Security in the Dependencies

Vandana Verma Sehgal

Finding Stealthy Bots in Javascript Hide and Seek

Adam Abramov

Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk

Matthew Salmon

5 Ways You Could Have Hacked Node.js

Rafael Gonzaga

Supply Chain Security Experience

Bradley Farias

The tale of avoiding a time-based DDOS attack in Node.js

Paolo Insogna

I Run Code From the Internet!

Eval all the strings! - Hardened JavaScript

Zbyszek Tenerowicz

How to Improve Your Web Application's Security Using Mozilla Observatory

Karan Kiri

The State of Passwordless Auth on the Web

Phil Nash

0 to Auth in an hour with ReactJS

Kevin Gao

Secrets in Source Code - How Your JS Code is Exposing Your Credentials 

Mackenzie Jackson

Content Security Policy with Next.js: Leveling Up your Website's Security

Shield Your Next.js App With a Content Security Policy

Lucas Estevão

Escape Security Flaws

Henrik Fricke

JS Nation

JSNation 2023

Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand? In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.

Node Congress

Node Congress 2022

Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat. You can check the slides for Feross' talk <a href="https://speakerdeck.com/feross/its-a-jungle-out-there-whats-really-going-on-inside-your-node-modules-folder">here</a>. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

React Day Berlin

React Day Berlin 2023

In today's digital landscape, web application security is of paramount importance to protect sensitive user data and maintain user trust. The Mozilla Observatory is a powerful tool that can help developers assess the security posture of their web applications. In this talk we'll learn how to improve the security of web applications using the Mozilla Observatory.

An elevator pitch for security - yay! I know, security is often frustrating or even annoying. But we all work in tech and at some point, security always becomes a topic. Let's discover a real-world security flaw and what we can learn from it to prevent such incidents. It's gonna be fun, I promise.

React Summit US

React Summit US 2023

In this talk, we'll explore the powerful security feature of Content Security Policy (CSP) and how it can be implemented in Next.js to bolster your website's defenses against common web attacks like Cross-Site Scripting (XSS) and data injection. We'll cover the basics of CSP, its benefits, and best practices for implementing it in Next.js.  Additionally, we'll share some tools to evaluate and test your policy. By the end of this talk, you'll have a solid understanding of how to level up your website's security with CSP and protect your users from the ever-present threats of the modern web.

React Advanced

React Advanced Conference 2023

Learn why you should care about Content Security Policy (CSP) and how to implement it in a Next.JS application to level up your security layer. Understand CSP basics, directives, and their role in thwarting web attacks. Moving on to Next.js, the session will delve into implementation details, covering the "nounce" hashes for inline scripts using middlewares and common strategy pitfalls. By the end of the session, participants will be equipped with the knowledge and skills to implement and evaluate a robust CSP policy in Next.js, leveraging its latest features from version 13, effectively safeguarding their web applications against online attacks.

Is it wise to run code from strangers? Well, we do it all the time and there's no backing out of it. Let's take a look at how a JavaScript project could get hacked and then defend itself from supply chain attacks.  Limit access to globals for each package? Sure. Control if a package can access network or file system? Yup, that too. And no more install scripts or prototype pollution.

React Summit

React Summit 2023

Secrets like API keys are constantly leaking through source code. The 2021 State of Secret Sprawl report found over 6 million secrets in public git repos. This presentation reviews the new, unreleased, 2022 State of Secrets Sprawl report focusing on how JavaScript source code specifically leak secrets.

In this talk, I want to show how we can use Zod to guarantee the type in a React Application at runtime. Environment variables, HTTP requests, forms and so on could create troubles in our applications, mainly if they contain unexpected types. Using Zod, we can create schemas to guarantee the types expected in our editor at runtime. In this way, we can react quickly when an environment variable misses or when someone changes the API contract without informing us. A small validation layer in our applications can prevent a bad user experience and notify us immediately, so we can fix the problem as soon as possible and mitigate the visualization of wrong data.

All languages are or were vulnerable to some kind of threat. I’m part of the Node.js Security team and during the year 2022, we've performed many Security Releases and some of them were really hard to think about. Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I’ll show you 5 ways you can have hacked Node.js and how the Node.js team deals with vulnerabilities.

Node Congress 2023

The software supply chain is under constant attack and threat actors are finding new ways to exploit and profit off the cracks in its foundations. Of course, the JavaScript ecosystem is at the heart of this problem as it has grown accustomed to relying on small, interdependent modules made available through the largest software registry in the world (npm). Learn more about the current and future state of the ecosystem as well as dive into new tooling and resources you'll need to protect yourself and your projects this year and beyond.

Developers are flooded with tools and worries provided by security vendors. From researchers finding theoretical attacks, to time spent dealing with package updates, to simple accidents causing downtime all of these exist. Taking some history into account to understand the basic categories of attacks and how practical they are to exploit or even how common they are will give some assurance and guidance on where a developer can focus their limited energy and get the most out of their efforts.

This talk is about SecureEcmaScript and Compartments which are TC39 proposals, and I'm working on tooling to make these concepts usable with people championing those proposals. This is a first-hand account of the future of JavaScript security. SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis. I want to show how they work, what possibilities they open and how to make that future happen today with some effort. To me this is the final step in securing npm supply chain - even if a package gets taken over by bad actors, it won't be able to hurt me.

Web applications are commonly vulnerable to several Distributed Denial of Service attacks, sometimes in unexpected ways. An example is the SlowLoris attack, an exploit that leads to service interruption by simply sending the data to the server as slowest as possible.  In this talk I will tell the tale of how it took almost 13 years for Node to be completely protected by SlowLoris attack. I will also show that sometimes prioritizing performance can lead to incorrect fixes that can result in a false sense of protection.

React Summit 2022

The vulnerabilities in open source ecosystem are increasing like wild fire. It is important to address those. I will be speaking about issues and how to fix them with demo. I will pick up examples from React ecosystem as well.

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

JSNation 2022

JavaScript has a lot of use cases - one of them is automated browser detection. This is a technical talk overviewing the state of the art automated browser for ad fraud, how it cheats many bot detection solutions, and the unique methods that have been used to identify it anyway.

React has a great security standard as default, but if you don’t pay close attention to the details you could get burned by some of the escape hatches APIs, or even by just passing props insecurely to components. I’ll teach you how to avoid these pitfalls.

The omnipresence of open-source software and low-barrier of entry on npmjs are serving as a catalyst for supply chain security incidents that are continuously impacting JavaScript developers. What can we do to protect ourselves?

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

Remix 'Data Writes' go back to the basics of the web when it comes to form submissions. But therein lies a trap if you're not careful - Cross site request forgery (CSRF) can rear its head. In this session we'll explore what CSRF is. How it can be exploited and what you can do to make sure your Remix application isn't vulnerable.

GraphQL Galaxy

GraphQL Galaxy 2021

With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

React Advanced Conference 2021

Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Vue.js Live Conference

Vue.js London Live 2021

Frontend frameworks like Vue are vulnerable to unsanitized inputs to execute malicious code. The patterns that allow for this are generally understood, but there are still some cases when your apps might still be at risk. Learn how you can implement automated application security to keep your apps safe. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

React Finland

React Finland 2021

DevOps.js

DevOps.js Conf 2021

In this session I'll use a live demo to show how effortless it is to add Code Quality and Code Security to your project with SonarCloud - not just for now but for every commit going forward. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Node Congress 2021

Do you have a way to quickly check all of your repos for any vulnerabilities to various attacks? Do you know which attacks you should be preparing your applications for? In this talk, we will cover the top 10 attacks on Node applications and how to handle all of them. Multiple tools will be covered, all of which have been used in production across different back-end architectures.A few of the areas that will be covered include securing dependencies, securing data, and securing your server. By the end of this talk, attendees should have a full security toolbox and they will know how to implement it quickly. This will help with production applications because you will still get through your sprints on time and you will be able to rest knowing you have security measures in place. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

JSNation Live

JSNation Live 2021

Authentication and Authorization are serious problems. We often dedicate a lot of time to craft powerful APIs but overlook proper security measures. Let's solve it with Magic using a key-based identity solution built on top of DID standard, where users’ identities are self-sovereign leveraging blockchain public-private key pairs. In this talk, we’ll look at proper ways to secure our Node.js APIs with Decentralised Identity Tokens. We’ll go from learning what Decentralised Identity standards are, how the users’ identities are self-sovereign leveraging blockchain public-private key pairs, why they’re the future of API security, and to put theory into practice we will build a real-world implementation using Node.js where I’ll show common best practices. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities fasters. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps. While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.

npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.

DevOps.js Conf 2022

In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized. - we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

TestJS Summit

TestJS Summit 2021

As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to... NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down. Join this workshop to learn different ways developers can access Nexploit &amp; start scanning without leaving the terminal! We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results. Table of contents: - What developer-first DAST (Dynamic Application Security Testing) actually is and how it works - See where and how a modern, accurate dev-first DAST fits in the CI/CD - Integrate NeuraLegion's Nexploit scanner with GitHub Actions - Understand how modern applications, APIs and authentication mechanisms can be tested - Fork a repo, set up a pipeline, run security tests and look at the results <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

#security