Node.js is the latest security risk for developers

Node.js isn't especially risky, but its popularity means sloppy coding can cause harm in a new venue

With Node.js having become a critical cog at places such as PayPal and Wal-Mart, developers need to be mindful of securing their Node.js applications, technologists are advising.

The server-side JavaScript platform is now being used to protect the likes of financial transactions and other enterprise client data, said Adam Baldwin, chief security officer at security consulting firm ^Lift Security. Node.js shares security issues with its client-side brother, JavaScript, as well as with other platforms, Baldwin said. "The core of Node is JavaScript, so Node inherits any concerns there might be with JavaScript. However, the execution context of V8, the JavaScript engine Node uses, is entirely different than a browser because it executes on the server. That difference adds some unique surface area [for attacks]."

Mark Stuart, a senior UI engineer at PayPal, advises developers to use good security defaults and scanning of modules. "Node is still JavaScript, so eval and all the terrible things on the client side still exist on the server side," Stuart said. (The eval function evaluates code represented as a string but poses the risk of running malicious code.)
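An added example, not from the article or from PayPal, showing the server-side eval pattern Stuart warns about beside a hardened parser for the same request body; the handler names and the sample payloads are assumptions:

```javascript
// Added example (not from the article): the eval anti-pattern for parsing
// a request body, beside a hardened parser. Function names and sample
// payloads are constructed for illustration.

// Unsafe: a pattern still seen in older Node code. Whatever arrives in the
// body is executed as JavaScript on the server, not merely parsed as data.
function parseBodyUnsafe(body) {
  return eval('(' + body + ')');
}

// Hardened: JSON.parse only ever produces data, never runs it, and the
// result is checked against the shape the handler actually expects.
function parsePaymentBody(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    throw new Error('body is not valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('body must be a JSON object');
  }
  const { amount, currency } = data;
  if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
    throw new Error('amount must be a positive finite number');
  }
  if (typeof currency !== 'string' || !/^[A-Z]{3}$/.test(currency)) {
    throw new Error('currency must be a three-letter ISO code');
  }
  // Return a fresh object holding only the validated fields, so unexpected
  // keys never flow further into the application.
  return { amount, currency };
}

// Constructed sample request bodies.
const validBody = '{"amount": 19.99, "currency": "USD"}';
const notJson = '1 + 1'; // a JavaScript expression, not JSON

console.log(parseBodyUnsafe(notJson));   // 2: eval ran it as code
console.log(parsePaymentBody(validBody)); // { amount: 19.99, currency: 'USD' }
try {
  parsePaymentBody(notJson);
} catch (e) {
  console.log('rejected:', e.message);    // rejected: body is not valid JSON
}
```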

The importance of security on Node.js has led to the formation of the Node Security Project, headed by Baldwin, which wants to audit NPMs (Node packaged modules). Developers need to actively address common security issues in their code, using resources such as the OWASP (Open Web Application Security Project) Top 10, which includes cross-site scripting, cross-site request forgery, security misconfiguration, and unvalidated redirects and forwards.

This story, "Node.js is the latest security risk for developers," was originally published at InfoWorld.

Copyright © 2014 IDG Communications, Inc.
