Member of the Node.js Security WG

The Ecosystem Security Working Group works to improve the security of the Node.js Ecosystem.

Responsibilities include:

• Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
• Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
• Maintain and make available data on disclosed security vulnerabilities in:
  • The core Node.js project
  • Other projects maintained by the Node.js Foundation technical group
  • The external Node.js open source ecosystem
• Promote the improvement of security practices within the Node.js ecosystem.
• Facilitate and promote the expansion of a healthy security service and product provider ecosystem.

My participation

• Joined the Node.js Security WG in may'22
• Coauthored the Node.js Official Security Best Practices
• Coauthored the Node.js Official Threat Model
• Helped to implement the OpenSFF Scorecard in the Node.js Organization
• Published blog post: You should use the OpenSSF Scorecard
• Created the Github Action: OpenSSF Scorecard Monitor to enable an easy way to monitor the score of all the repositories in the org and dependencies. See report
• Added pipelines to manage the OpenSFF Scorecard in the Node.js Security WG
• Ported the project is-my-node-vulnerable to Github Actions

The WG impact

• Node.js Security Progress Report – Permission Model Merged
• Node.js Security Progress Report – OpenSSF Grant Renewed for 2023, New Ecosystem Focus
• Node.js Security Progress Report – More Successful December Outcomes
• Node.js Security Progress Report – Looking Forward to 2023
• Node.js Security Progress Report – Improving Security Processes
• Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js
• Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements
• Node.js Security Progress Report – Permission System Gets Its First Pull Request

Meetings that I participated

• 2023-03-16 Meeting notes, agenda and video
• 2023-02-16 Meeting notes, agenda and video
• 2023-02-02 Meeting notes, agenda and video
• 2023-01-19 Meeting notes, agenda and video
• 2023-01-05 Meeting notes, agenda and video
• 2022-12-08 Meeting notes, agenda and video
• 2022-11-24 Meeting notes, agenda and video
• 2022-11-10 Meeting notes, agenda and video
• 2022-10-27 Meeting notes, agenda and video
• 2022-10-13 Meeting notes, agenda and video
• 2022-09-15 Meeting notes, agenda and video
• 2022-09-01 Meeting notes, agenda and video
• 2022-08-04 Meeting notes, agenda and video
• 2022-07-21 Meeting notes, agenda and video
• 2022-07-07 Meeting notes, agenda and video
• 2022-06-23 Meeting notes, agenda and video
• 2022-06-02 Meeting notes, agenda and video
• 2022-05-26 Meeting notes, agenda and video
• 2022-05-12 Meeting notes, agenda and video
• 2022-04-07 Next 10 Mini-summit - WASM and Security model/policies/etc: Meeting notes, agenda and video

References

• nodejs/security-wg
• OpenJS Fundation | Node.js Security Progress Report – Improving Security Processes