Member of the Node.js Security WG
Written by: Ulises Gascón
May 26, 2022 — 3 min read

The Ecosystem Security Working Group works to improve the security of the Node.js Ecosystem.
Responsibilities include:
- Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
- Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
- Maintain and make available data on disclosed security vulnerabilities in:
  - The core Node.js project
  - Other projects maintained by the Node.js Foundation technical group
  - The external Node.js open source ecosystem
- Promote the improvement of security practices within the Node.js ecosystem.
- Facilitate and promote the expansion of a healthy security service and product provider ecosystem.
My participation
- Joined the Node.js Security WG in May '22
- Coauthored the Node.js Official Security Best Practices
- Coauthored the Node.js Official Threat Model
- Helped to implement the OpenSSF Scorecard in the Node.js Organization
- Published blog post: You should use the OpenSSF Scorecard
- Created the GitHub Action: OpenSSF Scorecard Monitor to enable an easy way to monitor the score of all the repositories in the org and dependencies. See report
- Added pipelines to manage the OpenSSF Scorecard in the Node.js Security WG
- Ported the project is-my-node-vulnerable to GitHub Actions
The WG impact
- Node.js Security Progress Report – Permission Model Merged
- Node.js Security Progress Report – OpenSSF Grant Renewed for 2023, New Ecosystem Focus
- Node.js Security Progress Report – More Successful December Outcomes
- Node.js Security Progress Report – Looking Forward to 2023
- Node.js Security Progress Report – Improving Security Processes
- Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js
- Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements
- Node.js Security Progress Report – Permission System Gets Its First Pull Request
Meetings I participated in
- 2023-03-16 Meeting notes, agenda and video
- 2023-02-16 Meeting notes, agenda and video
- 2023-02-02 Meeting notes, agenda and video
- 2023-01-19 Meeting notes, agenda and video
- 2023-01-05 Meeting notes, agenda and video
- 2022-12-08 Meeting notes, agenda and video
- 2022-11-24 Meeting notes, agenda and video
- 2022-11-10 Meeting notes, agenda and video
- 2022-10-27 Meeting notes, agenda and video
- 2022-10-13 Meeting notes, agenda and video
- 2022-09-15 Meeting notes, agenda and video
- 2022-09-01 Meeting notes, agenda and video
- 2022-08-04 Meeting notes, agenda and video
- 2022-07-21 Meeting notes, agenda and video
- 2022-07-07 Meeting notes, agenda and video
- 2022-06-23 Meeting notes, agenda and video
- 2022-06-02 Meeting notes, agenda and video
- 2022-05-26 Meeting notes, agenda and video
- 2022-05-12 Meeting notes, agenda and video
- 2022-04-07 Next 10 Mini-summit - WASM and Security model/policies/etc: Meeting notes, agenda and video