Node.js Foundation Adds Security Project

The Node.js Foundation is set to oversee the Node.js Security Project in an effort to consolidate and improve security for the popular open-source application programming framework.

In a move that aims to help improve security vulnerability disclosure, the Node.js Security Project announced on November 30 that it is now officially becoming part of the Node.js Foundation. The move will help to improve the security of the open-source Node.js development framework and its modules, which are widely used in modern applications.

The Node.js Foundation is a multi-stakeholder effort that was first launched by the Linux Foundation in June 2015 in an effort to help stabilize the Node.js community. The Node.js Foundation currently estimates that there are more than one billion Node.js package downloads per week.

The Node.js Security Project was originally started in April 2013 by Adam Baldwin, team lead at Lift Security and is an effort to collect information about vulnerabilities and security issues in the Node.js platform and its modules. As to why the Node.js Security Project is joining the Node.js Foundation now, the challenges of scale are among the reasons.

"When Lift Security and Adam Baldwin launched the Node.js Security Project, the module ecosystem was much smaller," Mikeal Rogers, Node.js Foundation community manager. told eWEEK. "Since then, the Node.js module landscape has exploded, making it much harder for a single, smaller vendor to manage the project."

Rogers added that as a result of the growth in the Node.js module landscape, finding a new home for the Node.js Security Project increasingly became a higher priority for the Lift Security team.

"Moving the Node.js Security Project to the vendor-neutral Foundation will also pave the way for broader community contribution and even participation from other security vendors that just a few years ago didn't exist," Rogers said. "That's another net-positive for developers and the larger Node.js ecosystem."

Baldwin and the Lift Security team plan to remain involved in Node.js security moving forward under the Node.js Foundation. While the Node.js Security Project was started in April 2013, Baldwin commented that the Lift Security team's work on Node.js started as early as 2012.

"Our database currently holds 142 vulnerabilities that were either found by the Lift Security team or vulnerabilities that were reported to us by the Node.js community," Baldwin said. "While this number may seem small, our efforts are very focused."

Baldwin added that having more participation from the community will certainly uncover more vulnerabilities this coming year, making the module ecosystem even more stable and secure.

Even prior to The Node.js Security Project joining the Node.js Foundation, security efforts were underway to help improve vulnerability disclosure. The Linux Foundation has an initiative called the Core Infrastructure Initiative (CII) that provides guidance, best practices, resource and support to help improve open-source code security.

"Soon after the Node.js Foundation was established we began working closely with the Linux Foundation’s Core Infrastructure Initiative to refine the Node.js security process," Rogers said. "They provided guidance on security best practices for open source projects, which we formalized into a security policy for Node.js."

At the Node.js Foundation, the plan is to form a Node.js Security Project Working Group that will validate vulnerability disclosures and maintain the base dataset of security issues. Baldwin commented that the Lift Security team has done static, dynamic, and manual analysis in the pursuit of trying to identify potential vulnerabilities. Baldwin added that Lift Security has built automated systems to help monitor the ecosystem for malicious modules, and they continue to evolve these tools and techniques as part of a product offering.

"It will be up to the newly established working group as to what projects they will want to pursue, but the group will certainly first focus on establishing a community process for coordinating and distributing vulnerability and security data," Baldwin said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.