Liran Tal

View lirantal on GitHub
Israel

Hi lovely human! Happy to meet you 🤗 I'm strongly passionate about open-source software since an early age, and enjoy mentoring and empowering others in the community. I'm a Senior Developer Advocate at Snyk & Node.js Foundation Ecosystem Security Working Group.

🥑 Node.js has been a love at first sight for me since 2014 when I joined to lead development on the MEAN.js framework (https://github.com/meanjs/mean). A big passion of mine is creating Node.js command line applications, and actively advocating for web security through my work at Snyk, OWASP and the Node.js Foundation.

✍️ Author of Essential Node.js Security (http://bit.ly/securenodejs)
✍️ Author of O'Reilly Serverless Security (http://bit.ly/serverless-clad)
🔥 Author of Node.js CLI Best Practices (http://bit.ly/nodejs-cli)
💚 Member of the Node.js Security working group
🥑 DevRel at Snyk.io
🦸‍♂️ Ambassador at JSHeroes & MyDevSecOps

Community Contributions

Speaking (conference/usergroups) / 09-10-2020

jsday 2020

My jsday 2020 session is: Packages for Mass Consumption. Master the delicate nuances and deep impact of your app’s dependencies. Uncover the mysterious ways in which npm dependencies work, the mechanics of lockfiles, and understand the security risks of an entire ecosystem. This talk will unravel multiple dimensions in which our application relies on dependencies, and present best practices for ideal developer experience and team collaboration workflows.
Video/Podcast / 03-10-2020

Black Clouds and Silver Linings in Node.js Security - Liran Tal | Node.TLV 2020

So many things can go wrong in a big and open ecosystem. The value and risk of supply chain security is nothing to underestimate. In this session I'm hoping to help developers understand these concerns. This is my talk: Black Clouds and Silver Linings in Node.js Security With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how malicious npm packages work, how to avoid them and apply npm and Node.js security best practices every developer should know with hands-on live hacking.
Video/Podcast / 11-01-2019

ReactiveConf 2019 - Liran Tal: StrangerDanger: Finding Security Vulnerabilities Before They Find You

Open-source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user’s data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we’ll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. I believe the Stranger Danger talk would fit really well on the Security track, and I can add more of my own input and flavor to it from my work around open source security, with the work I’m doing in the Node.js Security WG too. With all that’s been happening in the security field and that has been affecting JavaScript developers, whether they are on the frontend or backend, I believe the security talk would be awesome as it includes a lot of live hacking too.
Article/Publication / 10-30-2019

JavaScript frameworks security report 2019

I authored the report that compares JavaScript frameworks security in-depth on different aspects, one of the leading and only reports of its kind. We highly recommend downloading the full version of the report in its digital format, but have also made the following general sections available as blog posts. The report includes the following topics of interest based on the data-points that were analyzed:

* Angular vs React: Security Bakeoff 2019
* 2019 Side by Side Comparison of Angular and React Security Vulnerabilities
* Angular vs React: The Security Risk of Indirect Dependencies
* Comparing React and Angular Secure Coding Practices
* 84% of all websites are impacted by jQuery XSS vulnerabilities
Speaking (conference/usergroups) / 10-29-2019

Open Source Summit Europe

Liran Tal on The State of Open Source Security. This session will take a lively look at the open source security landscape, focusing on findings from a recent report revealing that vulnerabilities in RHEL, Debian and Ubuntu rose four-fold in 2018, as compared to 2017. It also revealed that each of the top ten most popular default Docker images contained at least 30 vulnerable system libraries. We'll talk about the importance of shifting security left and where bugs tend to exist in a dependency tree, as well as more insights. There will also be some live hacking of vulnerable open source libraries!
Video/Podcast / 10-18-2019

JSConf Budapest 2019 - Node.js security

Engaging with developers about the importance of Node.js security in a session I gave at JSConf Budapest in 2019 - StrangerDanger: Finding Security Vulnerabilities Before They Find You! Open source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.
Video/Podcast / 07-05-2019

Black Clouds and Silver Linings in Node.js Security - LIRAN TAL

Speaking session at OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. Liran has been advocating for Node.js and JavaScript as core lead for the MEAN.js framework, creator of the docker container tool Dockly, and author of several npm packages. He’s a member of the Node.js Security WG and the author of Essential Node.js Security.
Speaking (conference/usergroups) / 05-21-2019

Liran Tal - Stranger Danger: Finding Security Vulnerabilities Before They Find You!

StrangerDanger: Finding Security Vulnerabilities Before They Find You! Open source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user’s data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we’ll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.
Article/Publication / 02-20-2019

The State of Open Source Security 2019

I authored Snyk's annual State of Open Source Security 2019, which brings together data from GitHub projects, Snyk's internal database and a user-submitted survey to create a picture of how open source security is performing for 2019. This is Snyk's top report every year for the industry, and it helps developers and managers alike understand the key trends and action items they should take based on industry-aggregated data and the security insights we uncover in this report.