Community

From OpenJS World 2023: Responsible Use of Node.js & Open Source Software Utilizing Best Practices at an Enterprise Level – Stephen Husak


Talk from Stephen Husak, Distinguished Engineer, Capital One at OpenJS World 2023 in Vancouver, Canada, May 10-12.

From OpenJS World 2023: Responsible Use of Node.js & Open Source Software Utilizing Best Practices at an Enterprise Level – Stephen Husak

Talk from Stephen Husak, Distinguished Engineer, Capital One at OpenJS World 2023 in Vancouver, Canada, May 10-12. 

Stephen Husak shares insights on how a large enterprise manages the risks associated with the constantly evolving vulnerability landscape. The talk begins with an overview of the security landscape in the JavaScript ecosystem. It then delves into how Capital One mitigates risks by adopting well-managed and purposeful practices when utilizing open source software. 

Stephen goes into more detail on how this is done in partnership with Capital One’s Open Source Program Office and subject matter experts across the company. Stephen describes how Capital One utilizes a working-group model as well as using process, governance, and automation tools to minimize risk and reduce developer toil. He promotes responsible usage of Node.js and its associated modules. The talk concludes with a Q&A session and Stephen provides additional resources.

Steve’s slide deck is available here.

Main Sections

0:00 Introduction

1:52 Open source software commitment to community

3:20 Capital One’s technology transformation

4:31 Attacking npm packages classes of attacks

7:05 Example of a supply chain attack – substitution attack

9:30 Reduce risk by being well-managed

11:49 Be intentional on Node.js version usage 

17:03 Use “Golden images”

20:08 Node.js / JavaScript Center of excellence

22:21 Main responsibilities of the Center of Excellence

24:44 Track package usage – A software bill of materials (SBOMs) helps audit usage 

26:15 Developers should be educated 

27:47 Evaluate packages before use 

30:48 Use tools whenever possible 

32:36 Npm package developer best practices

34:28 Npm package publishing best practices

35:25 In summary

36:09 Q&A, other resources, thank you!

OpenJS Resources

About the OpenJS Foundation

Join the OpenJS Foundation

Follow Us on Social