Official video & related videos [The Node.js Security Ecosystem]
Chaptering and links to content
00:00 - Cloud Security Lounge
04:15 - Introduction - what is node.js and what we'll be doing today
06:26 - Level setting by Michael - why is this important?
07:15 - Are we talking about JS in a headless browser?
08:15 - Frontend to backend - is Node.js the continuum?
09:40 - The difference in mindset between frontend and backend - security-wise
12:24 - Node.js has had security as a core value since the beginning
13:30 - Node.js publishes its threat model as a triage step for security vulnerability reports
14:05 - There's no easy way to triage and consume security vulnerability reports
16:30 - The trust boundaries of node.js
17:33 - Best practices document supplements the threat model by suggesting mitigations for common vulnerable patterns
18:25 - OSSF Criticality Score and Scorecard
21:15 - Vulnerabilities that are NOT 3rd party - what's the fix process?
24:30 - The personas behind the fixing process - Fixers and Releasers
24:58 - Bug Bounty!
25:58 - Security Stewards
28:00 - Things that didn't work in the process of fixing issues and creating releases
32:00 - How to join the effort and help out
34:50 - You don't need to be a Node expert to help
35:00 - Third Party Risk and Supply Chain Security
39:45 - How Node looks at the future of supply chain issues
45:00 - Guarddog Demo
49:00 - Adding tooling to your CI/CD to elevate assurance
52:40 - Upcoming - the permission model of node.js - one more layer of control
57:16 - In closing and Call To Action
- Node.js security guidelines and threat model: https://github.com/nodejs/node/blob/main/SECURITY.md
- Node.js security best practices: https://nodejs.org/en/docs/guides/security
- Datadog GuardDog (GitHub, DataDog/guarddog): https://github.com/DataDog/guarddog
- The Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks, by Marc Ohm, Henrik Plate, Arnold Sykosch and Michael Meier, in the proceedings of the International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2020