The Awesome Node.js Security git repo is a nugget not to be missed (it references many projects, articles and other documents to help you wake up to security in Node.js).
I also recommend the Node.js Security Handbook by the Sqreen company to learn how to better secure your Node.js applications.
Other resources (articles, talks, studies):
- The State of Open Source Security 2023 - Snyk
- We’re under attack! 23+ Node.js security best practices
- Top 11 Node.js security best practices - Sqreen
- Snyking in – Directory traversal vulnerability exploit in the st package
- Hacker-Powered Data: The Most Common Security Weaknesses and How to Avoid Them - David Horvath
- Securing Node.js and JavaScript - Vladimir de Turkheim
- NodeConf Remote 2020 - Matteo Collina - Why there are no incentives for security in Open Source
- Trojan Source - Invisible Source Code Vulnerabilities
- NPM security: preventing supply chain attacks
- Char Wars: The Path Traversal Strikes Back - Liran Tal
- Eval all the strings! Hardened JavaScript - Zbyszek Tenerowicz
- Stop Recommending JWTs (with symmetric keys)
Initiatives to learn about and implement:
- OpenSSF Security Scorecards
- OSV - A distributed vulnerability database for Open Source
- SLSA - Safeguarding artifact integrity across any software supply chain
If you work on GitHub, I also recommend my latest article: Securizing your GitHub org
All Liran Tal ebooks:
- Defending Against Command Injection Vulnerabilities
- Mitigate and Weaponize Code Injection Vulnerabilities
- Prevention and Exploitation of Path Traversal Vulnerabilities
- Essential Node.js Security for Express Web Applications