entd 261 discussion response

Hello,

I need two responses of at least 150 words each for the below students discussions for this week. Also in the bold below are the questions the students at answering.

Instructions:

Discuss how to secure Node.js applications.

Student one:

JavaScript has been around since 1995, and originally was mainly used to to execute scripts within web browsers. This limited developers in a sense because they had to use different languages when working client side, and server side applications. In 2009 Node.js was created which allows JavaScript to run within a computers process itself. This means that Node can be used to write server applications that can access operating systems, file systems, and other needs to build fully functioning applications. With the development of Node.js developers have had to learn how to secure their applications. There are multiple ways to secure Node.js applications, and the website https://medium.com provides a great list of some of those way.

Number one on medium.com’s list is to embrace linter security rules. They suggest that using a security plugin will help to catch security issues, and vulnerabilities in the early stages of coding. Another way to help with security concerns is to limit concurrent requests using a middleware. Doing this will help applications from being overwhelmed by too many requests at once. Number four on the list is the idea that developers should prevent query injection vulnerabilities with ORM/ODM libraries. These types of libraries are good at preventing SQL/NoSQL injections, and other malicious attacks. One more of the multiple security ideas for Node.js is to avoid DOS attacks by explicitly setting when a process should crash. When errors are not handled a Node process will crash. However a common best practice is to recommend an exit even if an error was handled. These are just a few of the many ways that Node.js can be secured.

References:

Goldberg, Martin, & Scheufler. We’re under attack! 23+ Node.js security best practices. 25 July 2018. https://medium.com/@nodepractices/were-under-attac…

Patel, Priyesh. What Exactly is Node.js? 18 April 2018. https://www.freecodecamp.org/news/what-exactly-is-…

-Rory

Student two:

Good day class, this week we are talking about Node.js and how to secure it. This is a large and broad topic that can cover many areas and facets of coding. One of the key things to remember and keep in mind when talking about node.js is that it is a java script application that primarily runs on a server side and handles data. This means that it deals directly with the data on the server, which poses a great risk as if malicious code was introduced into it, this code would then have access to the actual data on the server.

Hackers are and those with malicious intent will look for the easy target with the biggest payoff. In terms of security, node.js is a prime target. One of the main jobs of node.js is to get and manipulate data on a server. This could be calling files, open web pages, pulling in content from third party sources, ect. For this reason, and its increasing popularity, node.js is vulnerable. A recent review by Snyk, showed that 83% of users found at least one vulnerability in their node.js code (7 tools to secure node.js applications from online threats, 2019).

There are a few ways of secure your applications that are created. Some of these include using known third party apps that your calls will pass through before passing onto the server that contains the data. I realize the irony of saying that malicious injections of sql code into your application or malicious third party program calls are a threat but using a third party can also secure your app.

There are a number of methods that a hacker could use to inject bad code or to view the source code of your application or to attempt to inject bad or malicious returns form valid scripts. These can include the ability to execute code modifications or intercepting of the sql requests or calls for data from the server.

Another vulnerability comes from that of the fact that many developers and people operate on the honor code and believe that most people do not have ill intent. They believe that if they make calls from third party apps or locations that the data requested or traffic is secure and safe. this is not always the case and one should be cautious before doing so form untrusted or unvetted sources. this also opens one up to the vulnerabilities of any third party source that is called.

Interesting read this week while researching and reading on this topic.

References:

7 Tools to Secure Node.JS Application from Online Threats. (2019, March 11). Retrieved from https://geekflare.com/how-to-secure-nodejs/

-Steven