Description
Proposal
Topic of the session
Node.js Security: current strategies, ongoing initiatives, and what's next.
Type of the session
- Collaborate
- Workshop
- Talk
Estimated duration of the session
1 hour
Date and Time of the session
TBD / Open for discussion
Level
- Beginner
- Intermediate
- Advanced
Pre-requisite knowledge
A basic understanding of Node.js security concepts is helpful. Familiarity with
the Node.js release process and security policies is a plus, but not required.
Describe the session
This collaborative session will cover the current state of Node.js security and
open the floor for brainstorming on what comes next.
Agenda (proposed):
- Overview of the Security WG's recent and ongoing work:
  - Threat model updates
  - Permission Model
  - CVE triage and disclosure process
  - Fuzzing efforts
  - Supply chain security (SBOM, OpenSSF Scorecard, Sigstore, etc.)
- Security release process: how vulnerabilities are triaged, fixed, and disclosed
- Open discussion: what are the biggest security challenges and opportunities
  facing Node.js today?
- Brainstorm: what should the Security WG prioritize next?
The session will be split between short presentations and group discussion, with
the goal of aligning contributors on priorities and gathering community input on
the future direction of Node.js security.
Session facilitator(s), GitHub handle(s) and timezone(s)
@RafaelGSS - UTC-3
Meeting notes and Virtual Meeting Link