Talk from Stephen Husak, Distinguished Engineer, Capital One at OpenJS World 2023 in Vancouver, Canada, May 10-12.
Stephen explains how Capital One manages its use of Node.js and npm packages in partnership with its Open Source Program Office and subject matter experts across the company. He describes the working-group model Capital One uses, together with process, governance and automation tools, to minimize supply-chain risk and reduce developer toil, and he makes the case for responsible use of Node.js and its associated modules. The talk concludes with a Q&A session, and Stephen provides additional resources.
Steve’s slide deck is available here.
1:52 Open source software commitment to community
3:20 Capital One’s technology transformation
4:31 Attacking npm packages: classes of attacks
7:05 Example of a supply chain attack – substitution attack
9:30 Reduce risk by being well-managed
11:49 Be intentional on Node.js version usage
17:03 Use “Golden images”
22:21 Main responsibilities of the Center of Excellence
24:44 Track package usage – a software bill of materials (SBOM) helps audit usage
26:15 Developers should be educated
27:47 Evaluate packages before use
30:48 Use tools whenever possible
32:36 npm package developer best practices
34:28 npm package publishing best practices
35:25 In summary
36:09 Q&A, other resources, thank you!