-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node.js Security Initiatives 2024 #1255
Comments
I think SBOM should be an initiative for this year Ref: #1115 |
Proposal from discussion in the meeting today for 2024
|
Given the recent discussions around the xz incident, I suggest including a new initiative dedicated to mitigating potential threats originating from similar vectors within the organization. As an outcome of this initiative, I propose to:
ref: #1282 |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as duplicate.
This comment was marked as duplicate.
Code Integrity feature for Node.js. @rdw-msft can you provide more details on this? |
Include a "Defense in Depths" policy to Node.js Threat Model. @mhdawson @rdw-msft can you include some context here? (Feel free to edit this comment)
|
This comment was marked as duplicate.
This comment was marked as duplicate.
Regarding this, there’s a WIP PR for import maps: nodejs/node#49443. Import maps could be used as a place to store the subresource integrity hashes for modules: https://github.com/guybedford/import-maps-extensions#integrity. This would require some coordination with standards bodies such as WICG and WinterCG. cc @guybedford |
Permission Model adoption on Package Managers: #1300 |
Here's the document we use to differentiate between "defense in depth" and "security boundary" features: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria |
Improve CII Best Practices and reach silver badge. |
Defining scopes of the Security team |
Selected Initiatives for 2024:
Please note we have skipped item 3 (SBOM) as we don't have a volunteer for that. If you are interested in moving forward with this initiative, join us. Refs: #1319 |
Hey!
Since May 2023 the Security team has been working on the following initiatives:
As always, I want to express my gratitude to everyone who contributed to our latest project. The work was exceptional. During today's meeting (#1245), we discussed the need to explore new initiatives to enhance the Node.js security ecosystem. Therefore, I would like to use this issue as a forum for brainstorming and sharing ideas. Please feel free to share any problems you've encountered and any potential solutions you may have. Even if you don't have a solution in mind, please share the problem anyway. All input is welcome. This thread will be reviewed and discussed through the Node.js Security team meetings (feel free to join).
@nodejs/security-wg
The text was updated successfully, but these errors were encountered: