DeveloperWeek 2019 has ended
Welcome to DEVELOPERWEEK 2019.  Build the future.
Thursday, February 21 • 3:00pm - 3:25pm
PRO TALK: Building a Threat Model, and How npm Fits into It

In an npm, Inc. survey of over 16,000 worldwide developers, 97% of JavaScript developers confirm they use open source code, 77% express concern about whether the open source software they use is secure, and 52% believe that there aren’t satisfactory methods for evaluating whether code is safe. Without built-in security protections, developers must rely on manual code reviews of complex, interdependent software packages, or third-party scans and audits that introduce additional complexity into developer workflows.

Who might want to attack your application? If they tried, how would they succeed? Answering these questions is an important exercise that helps you understand how to keep your application secure, so you can sleep at night.

Adam will discuss what threat modeling is and how to build threat models for development organizations and applications. And because npm is such a critical part of how developers build JavaScript applications, Adam will demonstrate how npm fits into threat models and how to use npm's tools to keep your JavaScript secure. Adam will also discuss the July 2018 “es-lint” incident, in which npm prevented a potential security event made possible when a developer re-used an old password.

Speakers
Adam Baldwin

Head of Security, npm, Inc.
Adam Baldwin is Head of Security at npm Inc., the company that powers the world’s JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking...


Thursday February 21, 2019 3:00pm - 3:25pm PST
Junior Ballroom - Stage D