From OpenJS World 2022: Securing JavaScript – Myles Borins, Product Manager, GitHub

Myles Borins, Product Manager at GitHub, presented on Securing JavaScript at OpenJS World this past June. The npm registry is the heart of the JavaScript ecosystem. Hear about the steps taken at GitHub to secure this important part of the software supply chain from enforcing software solutions such as automated malware scanning to policies such as enforcing two-factor authentication for high-impact packages. This talk covers what the team at GitHub shipped to respond to an increase in threats to their ecosystem and what they are working on next.

Full keynote available here: https://www.youtube.com/watch?v=eDZHrNbyK3c 

Main Sections:

0:00 Introduction

1:21 Account Takeovers (ATO)

2:50 What did we do right?

4:56 What did we learn?

6:20 The npm security roadmap

15:34 Demo 

16:32 Campaign using stolen OAuth tokens 

18:08 Validation with registry package signing 

19:12 What’s next?

Main OpenJS Resources: 

Main Site: https://openjsf.org/ 

Blog: https://openjsf.org/blog/ 

Join: https://openjsf.org/about/join/ 

Certification: https://openjsf.org/certification/

Twitter: https://twitter.com/openjsf

LinkedIn: https://www.linkedin.com/company/openjs-foundation/