Note: This article focuses on Node.js applications.
Please check my article on running simple automated tests for your Node.js application: Automating Tests for Your Node.js Application (Pavan Belagatti, Feb 8 '23).
In this digital age, where everything is connected to the internet and data is everything, security becomes essential for any application, especially those built on Node.js. Node.js is a robust JavaScript-based runtime environment for developing web applications, APIs, and server-side applications. It is famous for its scalability and versatility, but it also comes with its own security risks that must be addressed. In this blog post, we will discuss the importance of application security for Node.js applications and provide a comprehensive guide on the various tools and strategies available for strengthening security.
Node.js and Application Security
Node.js is an open-source, cross-platform JavaScript runtime environment for developing web and server-side applications. It is used by millions of developers worldwide because of its scalability and versatility. It is also an ideal platform for developing real-time applications, such as chat applications or multiplayer games. However, like any other platform, Node.js has its own security risks. Therefore, it is essential to consider application security when developing Node.js applications. Application security protects applications from unauthorised access, data loss, data alteration, and malicious attacks. It is a continuous process that requires regular monitoring and updating of security measures.
Automating Security Tests in Node.js
Automating security tests is an essential part of ensuring that applications are secure. Automated security tests can help organizations identify and fix potential vulnerabilities in the application code. This can help organizations reduce the risk of data breaches and ensure compliance with industry regulations. To automate security tests in Node.js, organizations should use security tools that are specifically designed for Node.js applications. These tools can be used to scan code and identify potential vulnerabilities. They can also be used to run automated security tests regularly.
Prerequisites
- Harness cloud account to run tests and scanning
- GitHub account so you can fork this sample application to see how security scanning works
Tutorial
Harness is a leading software delivery platform with a CI module that helps developers set up continuous integration and delivery pipelines quickly.
Sign up for the free Harness cloud account. Once you sign up and verify your account, you will be presented with a welcome message and project creation set-up. Proceed to create a project.
Add the name to the project, save and continue.
Select the ‘Continuous Integration’ module and start your free plan.
You can start creating your first pipeline.
Click on ‘Get Started’ and connect your SCM tool/platform where the application code is present.
Once your SCM integration connection is successful, pick your repository and begin your pipeline configuration.
Since we are working with a Node.js application, let’s select Node.js and proceed to create the pipeline.
Once you click on ‘Create Pipeline’, you will see the pipeline studio as shown below with default settings.
Click ‘Build Node App’ to see the pipeline configuration. You should see the following page.
If you click on the ‘Build Node App’ under the ‘Execution’ tab, you should see the ‘Run’ step configured for you by default.
You can see node and npm commands in the ‘Command’ tab.
You can keep the mentioned commands or replace and add only the important ones.
We will just keep npm install and npm test.
Apply changes, save the configuration and run the pipeline. You should see the tests passing.
Now, let’s add more tests to your Node.js application to strengthen it, so that it is error-free before you deploy it.
You can extend the security and vulnerability testing of your application by using the Harness security testing orchestration (STO) module.
In the execution tab, you can add a step and choose ‘Security’.
You can configure any security tool in the pipeline, such as Snyk, Bandit, OWASP, etc.
You can see that I have configured the OWASP, Snyk, Bandit and Aqua Trivy scan for my application.
After selecting the STO step, you need to add details of the security framework/tool you would like to use for your project.
For example, I have configured the Snyk test with the following details. Sign up for Snyk for free and get the SNYK_TOKEN to add in the details below.
The other details include:
- policy_type = orchestratedScan
- scan_type = repository
- product_name = snyk
- product_config_name = default
- repository_project = Simple-Node-App (this is our project name from the forked repo)
- repository_branch = <+codebase.branch>
- SNYK_TOKEN = Add your snyk token here
Apply changes and save the pipeline.
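As an added example (not from the original post or from Harness), here is how the trimmed Run step and the Snyk STO step configured above could look in the pipeline's YAML view. The layout (the `Run` and `Security` step types, the `settings` map and the `<+secrets.getValue(...)>` expression) is my assumption of the Harness schema, and the stage/step identifiers and the secret name `snyk_token` are placeholders. The token is pulled from a Harness secret rather than pasted into the step, so it never lands in the repository or the saved pipeline definition.

```yaml
pipeline:
  name: Simple-Node-App
  identifier: Simple_Node_App
  stages:
    - stage:
        name: Build Node App
        identifier: Build_Node_App
        type: CI
        spec:
          cloneCodebase: true
          execution:
            steps:
              # The default Run step, trimmed to the two commands we keep.
              - step:
                  type: Run
                  name: Build Node App
                  identifier: Build_Node_App
                  spec:
                    shell: Sh
                    command: |-
                      npm install
                      npm test
              # STO step carrying the Snyk settings listed in the post.
              - step:
                  type: Security
                  name: Snyk
                  identifier: Snyk
                  spec:
                    privileged: true
                    settings:
                      policy_type: orchestratedScan
                      scan_type: repository
                      product_name: snyk
                      product_config_name: default
                      repository_project: Simple-Node-App
                      repository_branch: <+codebase.branch>
                      # Reference a Harness secret (assumed name: snyk_token)
                      # instead of pasting the raw token into the pipeline.
                      SNYK_TOKEN: <+secrets.getValue("snyk_token")>
```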
Similarly, configure the OWASP, Bandit and Aqua Trivy scan.
Below is the setting for the Bandit scan.
Below is the setting for the Aqua Trivy scan.
At this point, your pipeline should look like this.
Now, save everything and run the pipeline to see the test and vulnerability report.
You can see that the scans ran successfully. It is time to see our application's test report and vulnerabilities.
Click on ‘Security Tests’, and you should see the vulnerability dashboard as below.
You can dig deeper into the vulnerability and possible remediation steps by clicking on them. An example is shown below.
That’s how you can not only find but also fix the issues found in your application and container images.
Conclusion
Application security is essential for protecting Node.js applications from malicious attacks and data breaches. Organizations should use the right tools and strategies for strengthening security, such as security testing, secure coding best practices, DevSecOps, and monitoring and logging security events. By following these best practices, organizations can protect their Node.js applications from malicious attacks and ensure compliance with industry regulations. So, if you're looking for ways to strengthen the security of your Node.js applications, this blog post is a great place to start. I hope you found this helpful guide and that it helps you protect your applications from malicious attacks.