{"id":48991,"date":"2018-09-20T14:20:23","date_gmt":"2018-09-20T14:20:23","guid":{"rendered":"http:\/\/www.sickgaming.net\/blog\/2018\/09\/20\/building-a-secure-ecosystem-for-node-js\/"},"modified":"2018-09-20T14:20:23","modified_gmt":"2018-09-20T14:20:23","slug":"building-a-secure-ecosystem-for-node-js","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2018\/09\/20\/building-a-secure-ecosystem-for-node-js\/","title":{"rendered":"Building a Secure Ecosystem for Node.js"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2018\/09\/building-a-secure-ecosystem-for-node-js.jpg\" class=\"ff-og-image-inserted\" \/><\/div>\n<p>At <a href=\"https:\/\/events.linuxfoundation.org\/events\/node-js-interactive-2018\/?utm_source=Linux.com&amp;utm_medium=article&amp;utm_campaign=jsint18\">Node+JS Interactive<\/a>, attendees collaborate face to face, network, and learn how to improve their skills with JS in serverless, IoT, and more. <a href=\"https:\/\/jsi2018.sched.com\/speaker\/stevans1?iframe=no\">Stephanie Evans<\/a>, Content Manager for Back-end Web Development at LinkedIn Learning, will be speaking at the upcoming conference about building a secure ecosystem for Node.js. Here she answers a few questions about teaching and learning basic security practices.<\/p>\n<p><strong>Linux.com: Your background is in tech education; can you provide more details on how you would define this and how you got into this area of expertise?<\/strong><\/p>\n<p><strong>Stephanie Evans:<\/strong> It sounds clich\u00e9, but I\u2019ve always been passionate about education and helping others. After college, I started out as an instructor of a thoroughly analog skill: reading. I worked my way up to hiring and training reading teachers and discovered my passion for helping people share their knowledge and refine their teaching craft. 
Later, I went to work for McGraw Hill Education, publishing self-study certification books on popular IT certs like CompTIA\u2019s Network+ and Security+, ISAAP\u2019s CISSP, etc. My job was to figure out who the biggest audiences in IT were; what they needed to know to succeed professionally; hire the right book author; and help develop the manuscript with them.<\/p>\n<p>I moved into online learning\/e-learning 4 years ago and shifted to video training courses geared towards developers. I enjoy working with people who spend their time building and solving complex problems. I now manage the video training library for back-end web developers at LinkedIn Learning\/Lynda.com and figure out what developers need to know; hire instructors to create that content; and work together to figure out how best to teach it to them. And then update those courses when they inevitably become out of date.<\/p>\n<p><strong>Linux.com: What initially drove you to use your skill set in education to help with security practices?<\/strong><\/p>\n<p><strong>Evans:<\/strong> I attend a lot of conferences, watch a lot of talks, and chat to a lot of developers as part of my job. I distinctly remember attending a security best practices talk at a very large, enterprise-tech focused conference and was surprised by the rudimentary content being covered. Poor guy, I\u2019d thought\u2026he\u2019s going to get panned by this audience. But then I looked around and most everyone was engaged. They were learning something new and compelling. And it hit me: I had been in a security echo chamber of my own making. Just like the mainstream developer isn\u2019t working with the cutting-edge technology people are raving about on Twitter, they aren\u2019t necessarily as fluent in basic security practices as I\u2019d assumed. A mix of unawareness, intense time pressure, and perhaps some misplaced trust can lead to a \u201csecurity later\u201d mentality. 
But with the global cost of cybercrime up to 600 billion a year from 500 billion in 2014, as well as the <a href=\"https:\/\/www.forbes.com\/sites\/bernardmarr\/2018\/05\/21\/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read\/#101d261a60ba\">exploding amount of data on the web<\/a>, we can\u2019t afford to be working around security or assuming everyone knows the basics.<\/p>\n<p><strong>Linux.com: What do you think are some common misconceptions about security with Node.js and in general with developers?<\/strong><\/p>\n<p><strong>Evans:<\/strong> I think one of the biggest misconceptions is that security awareness and practices should come \u201clater\u201d in a developer\u2019s career (and later in the development cycle). Yes, your first priority is to learn that Java and JavaScript are not the same thing\u2014that\u2019s obviously most important. And you do have to understand how to create a form before you can understand how to prevent cross-site scripting attacks. But helping developers understand\u2014at all stages of their career and learning journey\u2014what the potential vulnerabilities are and how they can be exploited needs to be a much higher priority and come earlier than we may intuitively think.<\/p>\n<p>I joke with my instructors that we have to sneak in the \u2018eat your vegetables\u2019 content to our courses. Security is an exciting, complex and challenging topic, but it can feel like you\u2019re having to eat your vegetables as a developer when you dig into it. Often \u2018security\u2019 is a separate department (that can be perceived as \u2018slowing things down\u2019 or getting in the way of deploying code) and it can further distance developers from their role in securing their applications.<\/p>\n<p>I also think that those who truly understand security can feel that it\u2019s overwhelmingly complex to teach\u2014but we have to start somewhere. 
I attended an introductory npm talk last year that talked about how to work with dependencies and packages\u2026but never once mentioned the possibility of malicious code making it into your application through these packages. I\u2019m all about teaching just enough at the right time and not throwing the kitchen sink of knowledge at new developers. We should stop thinking of security\u2014or even just security awareness\u2014as an intermediate or advanced skill and start bringing it up early and often.<\/p>\n<p><strong>Linux.com: How can we infuse tech education into our security practices? Where does this begin?<\/strong><\/p>\n<p><strong>Evans:<\/strong> It definitely goes both ways. Clear documentation and practical resources right alongside security recommendations go a long way towards ensuring understanding and adoption. You have to make things as easy as possible if you want people to actually do it. And you have to make those best practices accessible enough to understand. <\/p>\n<p>The <a href=\"https:\/\/nodejs.org\/en\/user-survey-report\/\">2018 Node User Survey Report<\/a> from the Node.js Foundation showed that while learning resources around Node.js and JavaScript development improved, the availability and quality of learning resources for Node.js Security received the lowest scores across the board. <\/p>\n<p>After documentation and Stack Overflow, many developers rely on online videos and tutorials\u2014we need to push security education to the forefront, rather than expecting developers to seek it out. OWASP, the nodegoat project, and the Node.js Security Working Group are doing great work here to move the needle. 
I think tech education can do even more to bring security in earlier in the learning journey and create awareness about common exploits and important resources.<\/p>\n<p><em>Learn more at <a href=\"https:\/\/events.linuxfoundation.org\/events\/node-js-interactive-2018\/?utm_source=Linux.com&amp;utm_medium=article&amp;utm_campaign=jsint18\">Node+JS Interactive<\/a>, coming up October 10-12, 2018 in Vancouver, Canada.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Node+JS Interactive, attendees collaborate face to face, network, and learn how to improve their skills with JS in serverless, IoT, and more. Stephanie Evans, Content Manager for Back-end Web Development at LinkedIn Learning, will be speaking at the upcoming conference about building a secure ecosystem for Node.js. Here she answers a few questions about [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":48992,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-48991","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-freebsd-unix"]}