Node.js Security Initiatives 2024

[RafaelGSS]

Hey!

Since May 2023 the Security team has been working on the following initiatives:

• Permission Model (2 Phase) - (Done)
• Automate update dependencies (Done)
• Assessment against best practices (Done)
• Automate Security release process (In progress)

As always, I want to express my gratitude to everyone who contributed to our latest project. The work was exceptional. During today's meeting (#1245), we discussed the need to explore new initiatives to enhance the Node.js security ecosystem. Therefore, I would like to use this issue as a forum for brainstorming and sharing ideas. Please feel free to share any problems you've encountered and any potential solutions you may have. Even if you don't have a solution in mind, please share the problem anyway. All input is welcome. This thread will be reviewed and discussed through the Node.js Security team meetings (feel free to join).

@nodejs/security-wg

[marco-ippolito]

I think SBOM should be an initiative for this year

Ref: #1115

[mhdawson]

I think we should make the work to audit the build processes of the dependencies an initiative for 2024. It both aligns well with the emphasis on supply chain security and should also help the project to limit the risk of issues during security release.

Ref: #1037 #1236

[mhdawson]

Proposal from discussion in the meeting today for 2024

• Permission Model (2 Phase)
• Assessment against best practices
• Automate Security release process
• Including SBOMs with Node.js
• Audit and improving the build processes of Node.js dependencies

[UlisesGascon]

Given the recent discussions around the xz incident, I suggest including a new initiative dedicated to mitigating potential threats originating from similar vectors within the organization.

As an outcome of this initiative, I propose to:

• Evaluate the current situation of the project regarding this scenario.
• Prepare a list of potential changes to increase our resilience against this kind of threat.
• Share our learnings openly so that other projects within the OpenJS Foundation and outside can benefit from them.

ref: #1282

[RafaelGSS]

We currently have two experimental security features: the Permission Model and the Policy mechanism. Although the Permission Model is still in development, the Policy mechanism requires further research to determine its next steps. Therefore, I suggest that we focus on improving the Policy mechanism as one of our initiatives for 2024.

UPDATE: Flagging it as resolved as the feature will be removed

[RafaelGSS]

Discuss the impact of our CI machines and attack vectors

[RafaelGSS]

Code Integrity feature for Node.js.

@rdw-msft can you provide more details on this?

[RafaelGSS]

Include a "Defense in Depths" policy to Node.js Threat Model.

@mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)

---

Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria