Member of the Node.js Security WG
Written by: Ulises Gascón
May 26, 2022

The Ecosystem Security Working Group works to improve the security of the Node.js ecosystem.
Responsibilities include:
- Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
- Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
- Maintain and make available data on disclosed security vulnerabilities in:
  - The core Node.js project
  - Other projects maintained by the Node.js Foundation technical group
  - The external Node.js open source ecosystem
- Promote the improvement of security practices within the Node.js ecosystem.
- Facilitate and promote the expansion of a healthy security service and product provider ecosystem.
My participation
- Joined the Node.js Security WG in May 2022
- Coauthored the Node.js Official Security Best Practices and keep them updated
- Coauthored the Node.js Official Threat Model
- Helped to implement the OpenSSF Scorecard in the Node.js Organization
- Published blog post: You should use the OpenSSF Scorecard
- Created the GitHub Action OpenSSF Scorecard Monitor, an easy way to monitor the score of all the repositories in the org and their dependencies. See report
- Added pipelines to manage the OpenSSF Scorecard in the Node.js Security WG
- Ported the project is-my-node-vulnerable to GitHub Actions
- Improved the OpenSSF Scorecard scoring across the Node.js Organization. Example
- Review and maintain the OpenSSF CII Best Practices badge for Node.js
  - Achieve the Silver level
  - Achieve the Gold level
- Actively participating in multiple initiatives: Pull requests, commits, issues
The WG impact
- OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites
- Quick Start for New Sovereign Tech Fund Activities to Strengthen JavaScript
- Node.js State of Security + OpenJS Security Collab Space
- Let's automate Node.js Dependency Updates
- Why you should pin your GitHub Actions by commit-hash
- Open Source Security Foundation (OpenSSF) Selects Node.js as Initial Project to Improve Supply Chain Security
- NodeConf EU 2023 | Rafael Gonzaga | The Journey of the Node.js Permission Model
- Node.js CollabSummit 2023 | Security: Next Initiatives Discussion
Node.js Security Progress Report
- Progress on Permission Model, Fuzzer and Connections with Community
- Active Outreach to a Growing Node.js Security Community
- Node.js Security Progress Report – Active Outreach to a Growing Node.js Security Community
- Security Release and Node.js 21
- September Community Engagement
- Looking Into SBOM for Node.js
- Fewer Steps and More Releases
- 17 Reports Closed
- First Response Time Down to 8 Hours, New Security Release Announced
- Automation, Automation and more Automation
- More Community Participation Leads to Security Sustainability Progress
- Permission Model Merged
- OpenSSF Grant Renewed for 2023, New Ecosystem Focus
- More Successful December Outcomes
- Looking Forward to 2023
- Improving Security Processes
- Collab Summit Highlights Increased Focus On Security for Node.js
- Threat Model and Dependency Analysis Improvements
- Permission System Gets Its First Pull Request
- Progress Report – Strengthening Node.js Security
Meetings that I led
- 2023-09-28 Meeting notes, agenda and video
- 2023-05-11 Meeting notes, agenda and video
- 2023-04-27 Meeting notes, agenda and video
- 2023-03-30 Meeting notes, agenda and video
Meetings that I participated in
- 2024-04-25 Meeting notes, agenda and video
- 2024-02-08 Meeting notes, agenda and video
- 2024-02-01 Meeting notes, agenda and video
- 2024-01-18 Meeting notes, agenda and video
- 2024-01-04 Meeting notes, agenda and video
- 2023-12-21 Meeting notes, agenda and video
- 2023-11-23 Meeting notes, agenda and video
- 2023-10-26 Meeting notes, agenda and video
- 2023-08-17 Meeting notes, agenda and video
- 2023-07-20 Meeting notes, agenda and video
- 2023-07-06 Meeting notes, agenda and video
- 2023-06-22 Meeting notes, agenda and video
- 2023-06-08 Meeting notes, agenda and video
- 2023-05-25 Meeting notes, agenda and video
- 2023-04-13 Meeting notes, agenda and video
- 2023-03-16 Meeting notes, agenda and video
- 2023-02-16 Meeting notes, agenda and video
- 2023-02-02 Meeting notes, agenda and video
- 2023-01-19 Meeting notes, agenda and video
- 2023-01-05 Meeting notes, agenda and video
- 2022-12-08 Meeting notes, agenda and video
- 2022-11-24 Meeting notes, agenda and video
- 2022-11-10 Meeting notes, agenda and video
- 2022-10-27 Meeting notes, agenda and video
- 2022-10-13 Meeting notes, agenda and video
- 2022-09-15 Meeting notes, agenda and video
- 2022-09-01 Meeting notes, agenda and video
- 2022-08-04 Meeting notes, agenda and video
- 2022-07-21 Meeting notes, agenda and video
- 2022-07-07 Meeting notes, agenda and video
- 2022-06-23 Meeting notes, agenda and video
- 2022-06-02 Meeting notes, agenda and video
- 2022-05-26 Meeting notes, agenda and video
- 2022-05-12 Meeting notes, agenda and video
- 2022-04-07 Next 10 Mini-summit - WASM and Security model/policies/etc: Meeting notes, agenda and video