Node.js News Round-up – December 31, 2013

Welcome to our latest summary of the week in Node.js news, this time covering some of the Node.js-related news, tutorials and commentaries we’ve seen online during the holidays.

Working on Related Node.js Modules Locally

Romain Prieto explores working on related modules locally, since sometimes we want to experiment a lot before publishing or committing any code.

Managing the Asynchronous Nature of Node.js

Maciej Sopyło provides a twenty minute tutorial showing how to write readable and manageable code despite the asynchronous nature of Node.js.

Scaling npm, December 2013

Nodejitsu looks at the growth of the npm registry in the past few weeks and shares how they plan to keep the public npm registry awesome.

What is Node.js & Why Do I Care?

Eric Phetteplace outlines how Node.js provides a new way of writing web servers while using an old UNIX philosophy.

Nodejs and LCDproc

Atlanta Geek describes development of his first Node.js module.

What’s next?

  • Ready to build your next mobile app with a Node backend? We’ve made it easy to get started either locally or on your favorite cloud, with simple npm install.  Get Started >>
  • Do you want to keep up on the latest Node.js news and developments? Sign up for our newsletter, “In the Loop”.
  • Questions? Ask your question in our Google Group or ping us at callback@strongloop.com.

Merry Christmas and Happy Holidays from StrongLoop

The StrongLoop team wishes you all a Merry Christmas and a Happy New Year. Happy holidays to you all!

We won’t be pushing much new content during the holidays, but we have big plans and announcements that we are looking forward to sharing with you in early January.

We genuinely appreciate all your feedback and support – see you in 2014!

StrongLoop Weekly Wrap-Up – Dec 20

As the work week draws to a close, we wanted to summarize this week’s stories.

Node Summit: Media Companies Embrace Node.js for Rapidly Developing Responsive Apps
Issac Roth discusses the five companies in media and entertainment who proclaimed their confidence in Node.js at Node Summit.

Node.js News Round-Up – December 17, 2013
Dave Whiteley summarizes the week in Node.js news, including updates, tutorials and commentaries we’ve seen online.

What’s New in LoopBack 1.3 – The Open Source, Node.js Mobile Backend
Al Tsang announces that LoopBack now supports access control lists (ACL) and tells you how it works.

Understanding the Node.js Event Loop
Adron Hall talks about what the event loop is and does and how it can help you in your day to day development.

StrongLoop is Going to ng-conf
StrongLoop is a Silver Sponsor for ng-conf in Salt Lake City on January 16-17 and will be sending two of its own for the Angular conference.

Mobile News Round-up – December 20, 2013
Matt Schmulen provides a summary of some of the more interesting mobile software stack news, tutorials and commentaries he’s seen online.

In the Loop: Auditing Node.js Modules on npm with Node Security Project
Dave Whiteley profiles the Node Security Project, talking to Adam Baldwin about the npm audit.

What’s next?

  • Ready to build your next mobile app with a Node backend? We’ve made it easy to get started either locally or on your favorite cloud, with simple npm install. Get Started >>
  • Do you want to keep up on the latest Node.js news and developments? Sign up for our newsletter, “In the Loop”.
  • If you have Node.js news you think we should share, send it to us at callback@strongloop.com and we’d be happy to get you In the Loop.

In the Loop: Auditing Node.js Modules on npm with Node Security Project

We like to spread the word of Node.js and the incredible things it can do by profiling creative, interesting and fun uses of Node.js in various products and projects. We call it “In the Loop.”

This time around, we are looking at The Node Security Project. This project asks: “We believe that the node.js core is well audited, but what about the modules on npm?”

To ponder this question more fully, we spoke with Adam Baldwin. Read his bio before you react to the name. Here’s what he had to say about himself.

“I’m the team lead at Lift Security where I get to hack web apps and the CSO at &yet where I get to help an amazing team of developers build web apps (yes it’s a bit jekyll and hyde and I love it). The rest of my time is spent being a husband, father, and correcting people that think I starred in Firefly and Chuck.”


Can you tell us about the Node Security Project?

Adam Baldwin: The node security project is an ambitious (some might say impossible) project to assess the security of the modules published on npm. A lot of security projects stop at “let’s find all the vulns.” I really want this to be a positive experience with getting vulnerabilities fixed, enable developers to know when they are using a module that may introduce vulns in their environment and most of all help educate node.js developers about various security topics.

You want to audit every single module in npm. Can you explain how you developed this goal?

Adam Baldwin: As the CSO at &yet it’s part of my job to think about ways in which the software we build can get compromised. We trust a lot of third party code. I could have stopped there and just audited what we use, but I wanted to have a bigger impact on the community.

You are quite open on your web page, telling everyone “we need your help”. Can you put your goal into perspective? How many man-hours might this take?

Adam Baldwin: Specifically we need the help of security researchers to validate vulnerabilities and we need the help of developers to write patches for projects that have been long abandoned or the project needs help fixing the bug. This isn’t a point, laugh and move on security initiative, we really want to make things better.

Also at the time of writing this there are 50 875 28,254 modules and that number is growing fast. There is just no way one person can audit this much code. It has to be a community effort.

Another way to look at this is the fact that it will never be done. Security just doesn’t work that way. It’s a continual process of building, assessing, improving and so on.

Have you audited any of the modules yet? Can you share any details about the initial results?

Adam Baldwin: We are taking a bit of a different approach and we aren’t auditing one module after another for all the things. We are looking at a specific pattern across the entire module base. This way we can refine that pattern and apply it to new modules and updated modules in a more automated fashion to try and keep up.

The auditors are currently working through the first initiative, child_process.exec, which if used improperly can allow for command injection. At last count we have found 9 vulnerabilities. In one day.


How important is this project to the growth and future of Node.js?

Adam Baldwin: I can see this project helping with enterprise adoption. If we find a lot of things, we get a lot of bugs fixed, if we don’t find much, one might attribute that to the level of code being produced by the node.js community. Another is to empower developers to know if a module they are using contains a known problem. This isn’t about creating trusted modules, just that we have looked for certain things and hopefully empower developers.

What’s the initial interest in this project been like?

Adam Baldwin: Amazing. Both from the node core community and from security researchers. I’m very grateful.

Why the focus on Node.js? Could this have been directed at any language?

Adam Baldwin: I enjoy node.js so I wanted to give back in a way that I’m skilled at. It’s a fairly new community and with javascript making it easy for front-end developers to move into the backend, I want a lot of the mistakes we have learned in other languages to not happen again if we can help it.

Besides the security project, is there anything else Node.js-related that you are working on?

Adam Baldwin: I maintain the helmet project, an express middleware for security headers with secure defaults. I also help with development and security on And Bang, a team samepagification app built on node and redis.

Thanks for discussing this important project with us. We look forward to watching its progress!

If you would like to learn more about the Node Security Project, check out the web site at http://nodesecurity.io/ or write to contact@liftsecurity.io.

What’s Next?

  • If you have a cool Node.js project or product you think we should profile, click here to tell us about it.
  • If you don’t have a cool Node.js project yet, we’ve made it easy to build your next mobile app with a Node backend either locally or on your favorite cloud with simple npm install. Get Started >>
  • Want to read more articles like this? Check out past “In the Loop” profiles on CasinoRPG, FlightOffice.com and the 365 Project.

Mobile News Round-up – December 20, 2013

Welcome to our latest mobile summary of the week, covering December 11 through December 18. Every week at this time we look at mobile software stack news, tutorials and commentaries we’ve seen online.

Make Your Apps Work Seamlessly with iOS 7

Starting Feb 1, new apps and app updates must be optimized for iOS 7 or face rejection from the iTunes store.

Vision Mobile launches Enterprise App Developer Atlas

The Enterprise App Developer Atlas provides an interactive map of the developer journey, helping developers make the right tool choices to reduce costs, increase revenue and capture new markets.

Cross Platform Tool Benchmarking 2013

Research2Guidance gives a free report, “Cross Platform Tool Benchmarking 2013”, which evaluates the performance of 45 established and new Cross Platform Tools.

How to Use the HTML5 Vibration API

Craig Buckler shows how to leverage the HTML5 Vibration API in JavaScript for mobile web.

Why Are You Still Building Consumer Apps? Enterprise Pays 4x More!

Mark Wilcox outlines the profitability of Enterprise Apps compared to their Consumer Application counterparts.

GM builds custom iPad and Android apps to sell more cars and trucks

GM Launches GM Dealer SalesAssistant App (DSA) to help dealership salespeople track special purchase incentive rebates and other offers that are available across Buick, Chevrolet and Cadillac.
