Adrián Estrada, NodeSource: “the pandemic was sudden and companies did not have time to prepare”
It’s fair to say that the pandemic wreaked havoc not only on how individuals live their daily lives but also on how they work. The global changes forced an immediate shift to remote working and, unfortunately, not all enterprises were prepared for it.
Companies did not have adequate time to prepare and allocate the security resources needed to ensure strong network and device protection for employees working remotely.
Today, we talked with Adrián Estrada, Vice President of Engineering at NodeSource, who explained how the company's N|Solid platform helps businesses running Node.js applications monitor their processes and detect critical vulnerabilities.
Tell us a little bit about your story. How did the idea of NodeSource originate?
NodeSource is a technology company dedicated to delivering enterprise-grade solutions in support of a sustainable ecosystem for the open-source Node.js project.
It was founded in the early stages of the Node.js platform by some incredible engineers who believed in the future of Node. They had this big idea to build a product to help developers build the best software possible and support the ecosystem. Now, the idea has become a reality; that's how the N|Solid product was born.
Can you introduce us to your N|Solid platform? What are its key features?
N|Solid lives in production and provides profound insights into Node applications and services throughout the development lifecycle. It can be self-hosted or used via our Software as a Service (SaaS) offering and can include 24/7 support. Organizations rely on its key features, like Process Monitoring, CPU Profiling, and Vulnerability Scanning.
Additionally, N|Solid is the only Application Performance Monitoring (APM) tool that provides insights into Worker Threads. You can find out more about it here.
In your opinion, which industries should look into adopting Node.js?
One of the key benefits of Node.js is how accessible it is. Developers all over the world have adopted it as a standard part of their tech stack. We have already seen industries like media, fintech, and social media as early adopters of Node. What makes Node so popular? It supports a wide range of markets. When considering the adoption of Node.js, it is more about the application type and its utilization.
Why these types of apps?
Node.js offers high efficiency and throughput because of its asynchronous events and non-blocking I/O. These applications are single-threaded (side note: multiple threads are used for file and network events). As a result of its asynchronous nature, Node.js is perfect for real-time applications, as an example. It is more important to focus on the type of application and whether Node.js is the best technology to utilize.
Do you think the pandemic altered how threat actors operate?
The pandemic was sudden, and companies did not have time to prepare the necessary security measures or ensure that they were solid and in place for remote/at-home workers. So, it has provided a unique window of opportunity for malicious behavior. Systems may have been secure, but people were not.
With that knowledge, threat actors started to focus on people. Once they have the user's data, they blackmail users, shift the attack's target to the corporation, install malicious software to escalate privileges, and take control of all systems step by step.
What are the key security practices companies should follow when it comes to application development?
There is a lot involved here. The list can be long, depending on the application. The best thing to do is get a security assessment from a reputable firm to ensure your application/data is secure. The peace of mind knowing you have filled all holes/gaps in security far exceeds the pain, reputation hit, and cost of a security breach.
Which details do you think are often overlooked when it comes to Node.js security?
There are some common oversights that people make, including the following:
- How the event loop is considered when delivering new features. For example, writing sync code that blocks concurrent users and causes DoS attacks
- Forgetting to have a strategy for disasters
- What to do if a third-party dependency goes offline
As mentioned above, it’s essential to implement security tools, like N|Solid NCM to do the heavy lifting. Teams are busy, and sometimes security gaps are overlooked.
What predictions do you have for the Node.js landscape for the near future?
Node.js has a lot going for it on the positive side for continued growth. For instance, a large, active community is proud and eager to keep innovating Node.js. The Node Package Manager (npm) is big, with over 1.3 million packages, and continues to grow every day. The non-blocking nature of Node.js makes it lightweight and extremely fast, an ideal choice when performance is critical. Lots of time and attention have been spent over the years to ensure Node.js continues to be one of the best-performing platforms. So, the future predictions are:
- Node.js is not going away anytime soon
What cyber threats do you expect to see more of in the next few years? What can average internet users do to protect themselves?
I expect to see more of the following attacks in the future:
- DDoS attacks. You can protect yourself by adding rate limiting on Web APIs and access keys
- Man-in-the-middle attacks. Establish a culture and best practices for avoiding phishing and other related attacks
- Package pollution. Increase protection by adding tools to validate package integrity on CI
Share with us, what’s next for NodeSource?
Our mission here at NodeSource has never changed and never will. We have a singular goal – facilitating the successful adoption and utilization of Node.js. Security and performance are a constant top priority for us and will continue to be the foundation of our work. We continue to improve and strengthen these areas to help our customers guard against risk factors that may affect their applications.