The arena of proper authentication and data security standards is often some of the most misunderstood, confusing, and tricky aspects of building any Node site, app, or service, and the fear of data breaches with unencrypted or poorly encrypted data doesn’t make it any better. We’re going to tackle this field, exploring the proper methodologies for building secure authentication and data security standards. We’ll run through: * Building on top of OAuth 2 and OpenID Connect * Node middleware services for authentication * Working with proper hashing and salting algorithms, and avoiding others, for private user data * Common auth and security pitfalls and solutions In the end, we’re going to see that by understanding proper data security and authentication standards, pitfalls, and reasons for choosing one solution over another, we can make intelligent decisions on creating a solid infrastructure to protect our users and data.

1. Tim Messerschmidt
Head of Developer Relations, International
Braintree
@Braintree_Dev / @SeraAndroid
Web European Conference
Node.js Authentication & Data Security
#NodeSecurity

2. @Braintree_Dev / @SeraAndroid#NodeSecurity
+ Braintree
since 2013

3. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction_
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources
Content

5. @Braintree_Dev / @SeraAndroid#NodeSecurity
The Human Element

6. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. 12345
2. password
3. 12345
4. 12345678
5. qwerty
bit.ly/1xTwYiA
Top 10 Passwords 2014
6. 123456789
7. 1234
8. baseball
9. dragon
10.football

7. @Braintree_Dev / @SeraAndroid#NodeSecurity
21. superman
24. batman
Honorary Mention

8. @Braintree_Dev / @SeraAndroid#NodeSecurity
Authentication
& Authorization

9. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction
2. Well-known security threats_
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources
Content

10. @Braintree_Dev / @SeraAndroid#NodeSecurity
OWASP Top 10bit.ly/1a3Ytvg

11. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Injection

12. @Braintree_Dev / @SeraAndroid#NodeSecurity
2. Broken Authentication

13. @Braintree_Dev / @SeraAndroid#NodeSecurity
3. Cross-Site Scripting
XSS

14. @Braintree_Dev / @SeraAndroid#NodeSecurity
4. Direct Object References

15. @Braintree_Dev / @SeraAndroid#NodeSecurity
5. Application Misconfigured

16. @Braintree_Dev / @SeraAndroid#NodeSecurity
6. Sensitive Data Exposed

17. @Braintree_Dev / @SeraAndroid#NodeSecurity
7. Access Level Control

18. @Braintree_Dev / @SeraAndroid#NodeSecurity
8. Cross-site Request Forgery
CSRF / XSRF

19. @Braintree_Dev / @SeraAndroid#NodeSecurity
9. Vulnerable Code

20. @Braintree_Dev / @SeraAndroid#NodeSecurity
10. REDIRECTS / FORWARDS

21. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction
2. Well-known security threats
3. Data Encryption_
4. Hardening Express
5. Authentication middleware
6. Great resources
Content

22. @Braintree_Dev / @SeraAndroid#NodeSecurity
HashingMD5, SHA-1, SHA-2, SHA-3

23. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

24. @Braintree_Dev / @SeraAndroid#NodeSecurity
Efficient Hashingcrypt, scrypt, bcrypt, PBKDF2

25. @Braintree_Dev / @SeraAndroid#NodeSecurity
10.000 iterations user system total
MD5 0.07 0.0 0.07
bcrypt 22.23 0.08 22.31
md5 vs bcrypt
github.com/codahale/bcrypt-ruby

26. @Braintree_Dev / @SeraAndroid#NodeSecurity
Hashing Using Saltalgorithm(data + salt) = hash

27. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction
2. Well-known security threats
3. Data Encryption
4. Hardening Express_
5. Authentication middleware
6. Great resources
Content

28. @Braintree_Dev / @SeraAndroid#NodeSecurity
use strict

29. @Braintree_Dev / @SeraAndroid#NodeSecurity
X-Powered-By

30. @Braintree_Dev / @SeraAndroid#NodeSecurity
NODE-UUIDgithub.com/broofa/node-uuid

31. @Braintree_Dev / @SeraAndroid#NodeSecurity
bcryptgithub.com/ncb000gt/node.bcrypt.js

32. @Braintree_Dev / @SeraAndroid#NodeSecurity
A bcrypt generated Hash
$2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS

33. @Braintree_Dev / @SeraAndroid#NodeSecurity
bcrypt.hash('parmigiano', 12, function(err, hash) {
// store hash
});
bcrypt.compare('parmigiano', hash, function(err, res) {
if (res === true) {
// password matches
}
});
Generating a Hash using bcrypt

34. @Braintree_Dev / @SeraAndroid#NodeSecurity
CSURFgithub.com/expressjs/csurf

35. @Braintree_Dev / @SeraAndroid#NodeSecurity
var csrf = require('csurf');
var csrfProtection = csrf({ cookie: false });
app.get('/form', csrfProtection, function(req, res) {
res.render('form', { csrfToken: req.csrfToken() });
});
app.post('/login', csrfProtection, function(req, res) {
// safe to continue
});
Using Csurf as middleware

36. @Braintree_Dev / @SeraAndroid#NodeSecurity
extends layout
block content
h1 CSRF protection using csurf
form(action="/login" method="POST")
input(type="text", name="username=", value="Username")
input(type="password", name="password", value="Password")
input(type="hidden", name="_csrf", value="#{csrfToken}")
button(type="submit") Submit
Using the token in your template

37. @Braintree_Dev / @SeraAndroid#NodeSecurity
Helmetgithub.com/HelmetJS/Helmet

38. @Braintree_Dev / @SeraAndroid#NodeSecurity
var helmet = require(‘helmet’);
app.use(helmet.noCache());
app.use(helmet.frameguard());
app.use(helmet.xssFilter());
…
// .. or use the default initialization
app.use(helmet());
Using Helmet with default options

39. @Braintree_Dev / @SeraAndroid#NodeSecurity
var helmet = require(‘helmet’);
app.use(helmet.noCache());
app.use(helmet.frameguard());
app.use(helmet.xssFilter());
…
// .. or use the default initialization
app.use(helmet());
Using Helmet with default options

40. @Braintree_Dev / @SeraAndroid#NodeSecurity
Luscagithub.com/krakenjs/lusca

41. @Braintree_Dev / @SeraAndroid#NodeSecurity
var lusca = require('lusca');
app.use(lusca({
csrf: true,
csp: { /* ... */},
xframe: 'SAMEORIGIN',
p3p: 'ABCDEF',
xssProtection: true
}));
Applying Lusca as middleware

42. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware_
6. Great resources
Content

43. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Application-level
2. Route-level
3. Error-handling
Types of Express Middleware

44. @Braintree_Dev / @SeraAndroid#NodeSecurity
var authenticate = function(req, res, next) {
// check the request and modify response
};
app.get('/form', authenticate, function(req, res) {
// assume that the user is authenticated
}
// … or use the middleware for certain routes
app.use('/admin', authenticate);
Writing Custom Middleware

45. @Braintree_Dev / @SeraAndroid#NodeSecurity
Passportgithub.com/jaredhanson/passport

46. @Braintree_Dev / @SeraAndroid#NodeSecurity
passport.use(new LocalStrategy(function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) {
return done(null, false, { message: 'Incorrect username.' });
}
if (!user.validPassword(password)) {
return done(null, false, { message: 'Incorrect password.' });
}
return done(null, user);
});
}));
Setting up a passport strategy

47. @Braintree_Dev / @SeraAndroid#NodeSecurity
// Simple authentication
app.post('/login', passport.authenticate(‘local'), function(req, res) {
// req.user contains the authenticated user
res.redirect('/user/' + req.user.username);
});
// Using redirects
app.post('/login', passport.authenticate('local', {
successRedirect: ‘/',
failureRedirect: ‘/login’,
failureFlash: true
}));
Using Passport Strategies for Authentication

48. @Braintree_Dev / @SeraAndroid#NodeSecurity
1. Introduction
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources_
Content

49. @Braintree_Dev / @SeraAndroid#NodeSecurity
Passwordless Authmedium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

50. @Braintree_Dev / @SeraAndroid#NodeSecurity
OWASP Node Goatgithub.com/OWASP/NodeGoat

51. @Braintree_Dev / @SeraAndroid#NodeSecurity
Fast Identity Onlinefidoalliance.org

52. @Braintree_Dev / @SeraAndroid#NodeSecurity
Security Beyond Current Mechanisms
1. Something you have
2. Something you know
3. Something you are

53. @Braintree_Dev / @SeraAndroid#NodeSecurity
Favor security too much over the
experience and you’ll make the
website a pain to use.
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

54. @SeraAndroid
tim@getbraintree.com
slideshare.com/paypal
braintreepayments.com/developers
Grazie mille!