Liran Tal

Israel

Hi lovely human! Happy to meet you 🤗 I have been strongly passionate about open source software since an early age, and I enjoy mentoring and empowering others in the community. I'm a Director of Developer Advocacy at Snyk and a member of the Node.js Foundation Ecosystem Security Working Group 🥑 Node.js has been love at first sight for me since 2014, when I joined to lead development on the MEAN.js framework (https://github.com/meanjs/mean). A big passion of mine is creating Node.js command line applications, and actively advocating for web security through my work at Snyk, OWASP and the Node.js Foundation.

🚤 Creator of Gigsboat (https://github.com/gigsboat/cli)
✍️ Author of Essential Node.js Security (http://bit.ly/securenodejs)
✍️ Author of O'Reilly Serverless Security (http://bit.ly/serverless-clad)
🔥 Author of Node.js CLI Best Practices (http://bit.ly/nodejs-cli)
🦸‍♂️ Ambassador at foundations such as OpenSSF and the Node.js Foundation's Ecosystem Security working group
🥑 DevRel at Snyk.io

Community Contributions

Open source project / 11-27-2021

react-suspended-vulnerable-application

I built a vulnerable React application that has many security issues, both due to outdated vulnerable dependencies and due to insecure coding practices. My hope is that this work, which I open sourced, will be fruitful for developers to skill up on their security knowledge, and in particular in writing secure React codebases. My premise for this open source GitHub repository: modern frontend frameworks like React are well thought of in their application security design, and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real world.
Open source project / 11-05-2021

anti-trojan-source

Detect trojan source attacks that employ Unicode bidi characters to inject malicious code. Why is Anti Trojan Source important? The following publication on the topic of Unicode character attacks, dubbed Trojan Source: Invisible Vulnerabilities, has caused a lot of concern about potential supply chain attacks, where adversaries are able to inject malicious code into the source code of a project, slipping by unseen in the code review process. For more information on the topic, you're welcome to read more on the official website trojansource.codes and in the following source code repository, which contains the source code of the publication.
Speaking (conference/usergroups) / 10-18-2021

NodeConf - How React Applications Get Hacked in the Real-World

Speaking to frontend developers, I hear a lot that they're using modern frameworks like React which secure them by default. This isn't exactly true, so I went ahead and created a talk and a joint open source repository with a demo application that demonstrates common security issues with React applications and how to defend against them. I spoke at the NodeConf Remote conference to share the knowledge on the topic. Modern frontend frameworks like React are well thought of in their application security design, and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real world.
Article/Publication / 08-20-2021

Web Security: Learning HTTP Security Headers

Now that I've finished my book, I made it available on GitHub as open source content for everyone to scale up their knowledge on HTTP Security Headers. For each HTTP security header that can enhance your web application security, you'll learn what the overall risk of not implementing it is, and what a proposed solution helps with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well-maintained Node.js package on npm.
Speaking (conference/usergroups) / 06-02-2021

Mastering Node.js best practices for Docker-based applications

OpenJS World 2021 accepted my talk about all the best practices you want to follow to build Node.js containers securely for production. You thought you figured out how to build your Node.js web applications with Docker? You're missing out on a lot. Many articles on this topic have been written, yet sadly, without thoughtful consideration of security and production best practices for building Node.js Docker images. In this session, we'll run through step-by-step production-grade guidelines for building optimized and secure Node.js Docker images by understanding the pitfalls and insecurities of every Dockerfile directive, and then fixing them. Join me and master the Node.js best practices for Docker-based applications.
Speaking (conference/usergroups) / 09-10-2020

jsday 2020

My jsday 2020 session is: Packages for Mass Consumption. Master the delicate nuances and deep impact of your app’s dependencies. Uncover the mysterious ways in which npm dependencies work, the mechanics of lockfiles, and understand the security risks of an entire ecosystem. This talk will unravel multiple dimensions in which our application relies on dependencies, and present best practices for ideal developer experience and team collaboration workflows.
Video/Podcast / 03-10-2020

Black Clouds and Silver Linings in Node.js Security - Liran Tal | Node.TLV 2020

So many things can go wrong in a big and open ecosystem. The value and risk of supply chain security is nothing to underestimate. In this session I'm hoping to help developers understand these concerns. This is my talk: Black Clouds and Silver Linings in Node.js Security. With a great ecosystem comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how malicious npm packages work, how to avoid them, and how to apply the npm and Node.js security best practices every developer should know, with hands-on live hacking.
Video/Podcast / 11-01-2019

ReactiveConf 2019 - Liran Tal: StrangerDanger: Finding Security Vulnerabilities Before They Find You

Open-source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user’s data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we’ll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. I believe the Stranger Danger talk would fit really well on the Security track, and I can add more of my own input and flavor to it from my work around open source security with the work I’m doing in the Node.js Security WG too. With all that’s been happening in the security field and that has been affecting JavaScript developers, whether they are on the frontend or backend, I believe the security talk would be awesome as it includes a lot of live hacking too.
Article/Publication / 10-30-2019

JavaScript frameworks security report 2019

I authored the report that compares JavaScript frameworks security in depth on different aspects, one of the leading and only reports of its kind. We highly recommend downloading the full version of the report in its digital format, but have also made the following general sections available as blog posts. The report includes the following topics of interest based on the data points that were analyzed:

* Angular vs React: Security Bakeoff 2019
* 2019 Side by Side Comparison of Angular and React Security Vulnerabilities
* Angular vs React: The Security Risk of Indirect Dependencies
* Comparing React and Angular Secure Coding Practices
* 84% of all websites are impacted by jQuery XSS vulnerabilities
Speaking (conference/usergroups) / 10-29-2019

Open Source Summit Europe

Liran Tal on The State of Open Source Security. This session will take a lively look at the open source security landscape, focusing on findings from a recent report revealing that vulnerabilities in RHEL, Debian and Ubuntu rose four-fold in 2018, as compared to 2017. It also revealed that each of the top ten most popular default Docker images contained at least 30 vulnerable system libraries. We'll talk about the importance of shifting security left and where bugs tend to exist in a dependency tree, as well as more insights. There will also be some live hacking of vulnerable open source libraries!
Open source project / 10-22-2019

Gigsboat - Track your speaking activities all within your GitHub opensource repository!

Do you have a boatload of speaking gigs? Use the gigsboat CLI to manage them all via GitHub in the open source way! Gigsboat is a GitHub-driven approach to managing your speaking activities. Anything from podcasts and conference talks to webinars, it's all tracked using an open source repository with automation around it. With Gigsboat you own your data by keeping track of your speaking engagements using simple YAML files in a GitHub repository; then a GitHub Actions workflow kicks in with a special CLI (@gigsboat/cli), transforms them into a beautiful markdown format as your repo’s README, and spices it up with visual badges for stats. It utilizes a special GitHub Repository Template to allow anyone to kickstart their own public speaking repo super fast and hassle-free. Here’s my own public speaking repository based on gigsboat: https://github.com/lirantal/public-speaking
Video/Podcast / 10-18-2019

JSConf Budapest 2019 - Node.js security

Engaging with developers about the importance of Node.js security in a session I gave at JSConf Budapest in 2019 - StrangerDanger: Finding Security Vulnerabilities Before They Find You! Open source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.
Video/Podcast / 07-05-2019

Black Clouds and Silver Linings in Node.js Security - LIRAN TAL

Speaking session at OWASP Global AppSec Tel Aviv (https://telaviv.appsecglobal.org/). With a great ecosystem comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. Liran has been advocating for Node.js and JavaScript through his role as core lead for the MEAN.js framework, the docker container tool Dockly, and as author of several npm packages. He’s a member of the Node.js Security WG and the author of Essential Node.js Security.
Speaking (conference/usergroups) / 05-21-2019

Liran Tal - Stranger Danger: Finding Security Vulnerabilities Before They Find You!

StrangerDanger: Finding Security Vulnerabilities Before They Find You! Open source modules on the NPM ecosystem are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user’s data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we’ll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.
Article/Publication / 02-20-2019

The State of Open Source Security 2019

I authored Snyk's annual State of Open Source Security 2019, which brings together data from GitHub projects, Snyk's internal database and a user-submitted survey to create a picture of how open source security is performing in 2019. This is Snyk's top report every year for the industry, and it helps developers and managers alike understand the key trends and action items they should take based on industry-aggregated data and the security insights we uncover in this report.