6

Our development team has been considering using Node.js for a new enterprise application that requires high-level security. The users include federal police, so there's a high chance that we'll eventually be audited for security.

  • Given that Node.js is relatively new, does it still have security issues that need to be addressed?
  • Does anyone have any development experience with Node.js and any insight into potential attacks using its structure?

I appreciate the help.

Edit: some users on StackOverflow have suggested using a reverse proxy, but I'm curious if anyone has more suggestions.

crockpotveggies

3 Answers

5

Although I can't point to any specific reported defects, I'd be nervous about the node.js architecture - where your code runs as part of the webserver code. While with something like mod_php, there is still only a single process handling both the HTTP and logic tiers, there is a clear functional separation between the 2, and the interface between the webserver and the logic tier has been expressly designed and tested to accommodate failures - particularly in the logic tier.

Also, there are a lot of tools available for webservers (Apache in particular) which facilitate management and (used properly) enhance security.

Another major consideration is availability of skills/support/training - regardless of its quality / utility, node.js has a lot of catching up to do compared with other web development platforms.

> Our development team has been considering using Node.js

That you are specifically trying to deliver what should be a very secure application on a platform which (judging from your statement above) you are not thoroughly familiar with seems to be very reckless. Most security vulnerabilities in web applications arise not because of faults in the development environment but in faults in the bespoke code added on top.

Certainly using a reverse proxy would facilitate getting standard HTTP logging, anomaly detection and reduce impact of protocol level attacks.

One of the best tools for building secure web applications is mod_security - AFAIK, this is only available to run within Apache - but it would offer the possibility (along with mod_proxy) of deploying a front-end system providing the usual webserver functionality (logging, static content) along with, say, authentication services, and using node.js as a backend.

symcbean
  • This is very helpful and I appreciate the insight. I agree it is reckless; however, we anticipate many analytic and unique concurrent operations so I didn't want to immediately disregard the option. – crockpotveggies Jun 29 '11 at 22:28
  • Maybe I didn't understand what symcbean means here but NodeJS runs on the server just as PHP does, I just wanted to point out that none of the server logic needs to run on the client web browser. Maybe this confusion comes from the V8 part in NodeJS but I have developed a few apps and none expose logic code to the web browser – Purefan Mar 04 '13 at 14:38
  • 1
    No, NodeJS *is* a server. It does not run in the same way as PHP does. – symcbean Mar 04 '13 at 15:30
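
The front-end layout symcbean's answer describes (Apache with mod_proxy and mod_security handling logging, static content and authentication, with node.js as the backend), as an added configuration sketch that is not part of the original answer. The hostname, file paths, Basic authentication and backend port 3000 are assumptions chosen for illustration, and the Node.js process is assumed to listen on 127.0.0.1 only so the proxy cannot be bypassed.

```apache
# Constructed example: Apache 2.4 front end (mod_ssl, mod_proxy, mod_proxy_http,
# mod_security2) in front of a loopback-only Node.js backend.
# Hostname, paths and port 3000 are placeholders.
<VirtualHost *:443>
    ServerName app.example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.internal.key

    # Standard HTTP logging happens at the front end, independent of app code.
    ErrorLog  /var/log/apache2/app_error.log
    CustomLog /var/log/apache2/app_access.log combined

    # mod_security inspects requests before they reach the backend.
    # Deliberately not wrapped in <IfModule>: if the module is missing,
    # Apache refuses to start instead of silently running without it.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Static content is served by Apache and never proxied.
    Alias /static/ /srv/app/static/
    <Directory /srv/app/static/>
        Options -Indexes
    </Directory>

    # Authentication is enforced at the front end for every path.
    <Location />
        AuthType Basic
        AuthName "Restricted application"
        AuthUserFile /etc/apache2/app.htpasswd
        Require valid-user
    </Location>

    # Reverse proxy only: never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /static/ !
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```
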
3

It mostly helps with concurrency if that concurrency is IO bound as you probably know.

An option that is a lot faster than NodeJS is to use mono + F# and its async support. Then you can use a HttpListener to get as close to the socket as with NodeJS.

Oblivious to the choices above; SELinux and chroot are probably good tools for the rest.

Most security vulns in code, in my experience, that result in executing arbitrary code are from either bad write permissions to database/disk allowing you to request files that you've uploaded, or from unmanaged code that does bad memory management/bounds checking.

A reverse proxy is also a good option, because they are battle hardened. HAProxy e.g. - it can handle both WebSockets and normal HTTP in its latest versions.

Then you can use some tooling to actually test the implementation. Google uses a tool called skipfish: https://code.google.com/p/skipfish/

You can use a fuzzer on the protocol level as well as app level, but that's of less and less importance the more your compiler proves for you, like with JS where you can't change the type of an object instance or F# where you have more static checking with e.g. discriminated unions and units of measure.

Finally, if you are after really high code security, I would recommend Stact Framework with Haskell which you can make very secure using the compiler. With Haskell you can even write small proofs with Coq, a proof assistant, or Agda (see Haskell Theorem Provers).

In order to communicate with your servers, you're probably going to have a DNS. You'll need to secure that as well, with DNSSEC, or you can get DNS poisoning.

If they gain access to the LAN, you can get ARP poisoned, meaning someone can steal your IPs; but you can make the DNS server do static maintenance of whoever is on the network in an IP-to-MAC lookup table that all hosts also check.

Finally, you can add an IDS like Snort to your network and record a "normal" execution of your program, so that you can also be reactive to anomalies.

Henrik
  • Wow +1 for assessing the entire stack and options. Although I never ended up using Node.js this is still a great resource for future projects! Never heard of skipfish, thanks for expanding my horizon :) – crockpotveggies Jul 24 '12 at 22:00
1

Ideally, the entire application should be restricted either by an intranet or a VPN, or at the very least IP address of the client, especially if it is going to be used by any sort of Federal officer. If the attacker can't even hit the web server, then they certainly won't be able to exploit Node.js, right?

BenGC
  • 1
    Correct, the production service will be deployed via an intranet and VPN for remote or field apps. However, if a laptop or tablet were to be stolen from a vehicle my concern is that the system can be compromised anyways. Ideas? – crockpotveggies Jun 29 '11 at 00:56
  • Hmm... I would just say to take the usual precautions: full disk encryption, SecurID for the VPN, etc. If you're really scared you can use Group Policy to disable caching by IE on the client... – BenGC Jun 29 '11 at 01:39