From OpenJS World 2023: Responsible Use of Node.js & Open Source Software Utilizing Best Practices at an Enterprise Level – Stephen Husak

Talk from Stephen Husak, Distinguished Engineer, Capital One at OpenJS World 2023 in Vancouver, Canada, May 10-12.

Stephen Husak shares insights on how a large enterprise manages the risks that come with a constantly evolving vulnerability landscape. The talk opens with an overview of the security landscape in the JavaScript ecosystem, then explains how Capital One reduces risk by adopting well-managed, purposeful practices for consuming open source software.

Stephen goes into more detail on how this is done in partnership with Capital One's Open Source Program Office and subject matter experts across the company. He describes how Capital One uses a working-group model together with process, governance, and automation tooling to minimize risk and reduce developer toil, and he promotes responsible use of Node.js and its associated modules. The talk concludes with a Q&A session, and Stephen provides additional resources.

Steve’s slide deck is available here.

Main Sections

0:00 Introduction
1:52 Open source software commitment to community
3:20 Capital One's technology transformation
4:31 Attacking npm packages: classes of attacks
7:05 Example of a supply chain attack – substitution attack
9:30 Reduce risk by being well-managed
11:49 Be intentional about Node.js version usage
17:03 Use "golden images"
20:08 Node.js / JavaScript Center of Excellence
22:21 Main responsibilities of the Center of Excellence
24:44 Track package usage – a software bill of materials (SBOM) helps audit usage
26:15 Developers should be educated
27:47 Evaluate packages before use
30:48 Use tools whenever possible
32:36 npm package developer best practices
34:28 npm package publishing best practices
35:25 In summary
36:09 Q&A, other resources, thank you!
