Real Life Security Threats and How to Avoid Them

Hosted By
tamar t. and 2 others
Details

JavaScript security tips and real life events
you should get to know

Here is the link to the live stream-
https://youtu.be/iZAaIxRFxyg

~~~~~~~~~~
PLEASE UPDATE YOUR RSVP IF YOU CAN'T COME!!
~~~~~~~~~~

SCHEDULE

20:00- A few words from Tamar (the event host)
and Trax (our sponsors)

~
20:10 - 20:40-
Use SES to Reduce Supply Chain Risk -
Mark S. Miller (English)

~
20:40 - 20:50-
How One Tiny Mistake in My JavaScript Cloud Function Cost Me $8K -
Idan Cohen (English)

~
20:50 - 21:20-
Stranger Danger: Finding Security Vulnerabilities Before They Find You! -
Liran Tal (English)

~
21:20 - Free Licenses Raffle!
6 Webstorm, 1 Wallaby.js, 1 Quokka.js
and 2 free coupons for The XtremeJS Online Conference

~~~~~~~~~~~~~~~~

Use SES to Reduce Supply Chain Risk (Mark S. Miller)

Use SES (Secure EcmaScript) to run third-party JavaScript code safely inside featherweight compartments.
SES is a TC39 proposal, a shim used in production, a standalone implementation for embedded systems as specified by TC53, and a language for writing blockchain-based smart contracts.
SES enforces that subsequent code stays within object-capability security rules. Reduce supply chain risk by giving each package the least authority it needs to do its legitimate job.
Experience at Google, Salesforce, Agoric, MetaMask, Cosmos, Moddable, and Node confirms that much existing JavaScript code, not written to run under SES, nevertheless runs compatibly under SES within these security constraints.
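As an added illustration (not code from the talk or from the SES project), here is the least-authority pattern the abstract describes, in plain Node.js: the key/value store, the prefix-attenuated capability and the simulated package are all constructed for this example, and the real `ses` library is not imported, so it demonstrates hardening and attenuation rather than compartment isolation of globals.

```javascript
'use strict';
// Added illustration of the least-authority pattern SES enforces: a "package"
// gets only a narrow, hardened capability. The real `ses` package (lockdown(),
// Compartment) is not used, so this shows attenuation, not global isolation.

// Deep-freeze an object graph so a consumer cannot mutate or swap its methods
// (the SES shim ships a built-in harden() that does this for you).
function harden(value, seen = new Set()) {
  const isObj = value !== null && (typeof value === 'object' || typeof value === 'function');
  if (!isObj || seen.has(value)) return value;
  seen.add(value);
  Object.freeze(value);
  for (const key of Reflect.ownKeys(value)) harden(value[key], seen);
  return value;
}

// Full-authority key/value store (constructed stand-in for a real database).
function makeStore() {
  const data = new Map();
  return { get: (k) => data.get(k), set: (k, v) => { data.set(k, v); } };
}

// Attenuation: derive a capability limited to keys under one namespace prefix.
function attenuateToPrefix(store, prefix) {
  const guard = (k) => {
    if (typeof k !== 'string' || !k.startsWith(prefix)) throw new Error(`denied: ${k}`);
    return k;
  };
  return harden({ get: (k) => store.get(guard(k)), set: (k, v) => store.set(guard(k), v) });
}

// Simulated third-party package, run with only the attenuated capability.
// Returns what it could and could not do so the outcome can be inspected.
function runThirdParty(kv) {
  const outcome = { wrote: false, readSecret: null, denied: false, tampered: false };
  kv.set('formatter/lastRun', 'ok');
  outcome.wrote = kv.get('formatter/lastRun') === 'ok';
  try { outcome.readSecret = kv.get('secrets/apiKey'); } catch { outcome.denied = true; }
  try { kv.get = () => 'hijacked'; } catch { /* frozen: strict-mode assignment throws */ }
  outcome.tampered = kv.get('formatter/lastRun') === 'hijacked';
  return outcome;
}

// Wire it up: the host holds the secret; the package only ever sees its prefix.
function demo() {
  const store = makeStore();
  store.set('secrets/apiKey', 'CONSTRUCTED-SAMPLE-KEY');
  return runThirdParty(attenuateToPrefix(store, 'formatter/'));
}
```

The package can do its legitimate job (write under its own prefix) but cannot read the host's secret or replace a method on the capability it was handed.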

~~

Mark S. Miller, a pioneer of agoric (market-based secure distributed) computing and smart contracts, designer of E and Dr. SES distributed persistent object-capability programming languages, inventor of Miller Columns, architect of the Xanadu hypertext publishing system, representative to the EcmaScript committee, former Google research scientist, and senior fellow of the Foresight Institute.

~~~~~~~~~~~~~~~~

How One Tiny Mistake in My JavaScript Cloud Function Cost Me $8K
(Idan Cohen)

GCP is an amazingly powerful platform. Alongside Firebase, it's also fantastically easy to use. Unfortunately, it's also easy to mess up. And thanks to GCP's unbelievable scaling capabilities, a tiny mistake can quickly become HUGE. How huge? Join me in this talk as I trace the steps that led to this tragedy, and share some tips on how you can avoid it.

~~

Idan Cohen, FE Lead at UVeye. Huge Angular fan and an even bigger Firebase groupie. Love doing magic with code.

~~~~~~~~~~~~~

Stranger Danger: Finding Security Vulnerabilities Before They Find You! (Liran Tal)

Open-source modules in the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You're introducing someone else's code into your system, often with little or no scrutiny. The wrong package can introduce critical vulnerabilities into your application, exposing your application and your users' data. This talk will use a sample application, Goof, built on various vulnerable dependencies that we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and, most importantly, see how to avoid or fix it.

~~

Liran Tal, an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group, an OWASP project lead, and author of Essential Node.js Security and O'Reilly's Serverless Security. At Snyk, he leads the developer advocacy team and is on a mission to empower developers with better dev-first security.

OUR SPONSORS

Big thanks to Trax!
With their help, we can continue making these meetups,
even in their virtual form :)

And thanks Wallaby and JetBrains for their free licenses.

See ya soon :)

JavaScript Israel
Online event