Pre-launch Security Review


#1

We are in the pre-launch phase for an application we built on Meteor. We love Meteor!

During the development process, we followed a number of security guidelines, including those outlined here http://security-resources.meteor.com and the presentations/updates from Emily Stark.

We made extensive use of these 2 packages:

  • audit-argument-checks
  • browser-policy-content

We conducted an internal security review and found a couple of issues. The most notable was that our OAuth tokens were not encrypted in the database. To rectify that problem we implemented this package https://atmospherejs.com/meteor/oauth-encryption.

We are now ready for some external individual/company to access and help us improve the security of our application.

I’m not clear on the process we should follow or who would be best qualified to do this. Any suggestions on how we can approach getting external help?

Thanks,
Albert


#2

Hi Albert -

Thanks for the question! I’m glad you asked. We were also discussing this recently at a Meteor group chat - I am also in a security-sensitive area, and would like at a minimum to keep the site from getting pwned by script kiddies.

A few of us brainstormed solutions, everything from the small-and-automated (for example, a website that you can point to your page, and it gives you a dashboard of all the Collection data that’s exposed, all the user data it finds, etc.), all the way up to a whole new startup that does security auditing for Meteor specifically (white-box, looking at your method code, your mongo implementation, etc.).

It would be great if MDG could add a Security tag/group/whatever for discussions on the topic.

So, unfortunately I think right now there is no out-of-the-box go-to answer, but if you’d like to discuss maybe a tit-for-tat, like we pen-test your server and you pen-test ours or something, at least it’s a start…? (And if you decide to start the Meteor Security company, let me know your rates. :wink:)


#3

I’ve talked about this on my blog: http://joshowens.me/meteor-security-101/. Some of it may seem obvious, but I found a lot of these things in production apps from funded startups.

I am happy to help do a security audit, I have done a few of them.


#4

We are as well about to launch something exciting.

I am considering trying out https://www.crowdcurity.com/ or https://bugcrowd.com. I have not tried this before so I can’t share any experiences yet.

I will try to share any interesting findings and hope to hear about yours.

Best regards,
Lars


#5

We have been using this document written by Bob Auger https://developers.box.com/application-security-guidelines/ by box.com as a guide. It gives a pretty detailed list of things to consider and a link to a reference that describes the issue in great depth.

Going through the document has been helpful for us. Having a similar checklist-style document with references focused specifically on Meteor/Mongo applications would be even better, but this is a good start.

Thanks,
Alan


#6

We are also considering using companies like the ones you listed that use bug bounties. Before engaging them, we are trying to complete our internal assessment and hardening.

What would be interesting to have is a document that says we passed a security audit of some kind. Do those companies provide that as part of their service?

It would be great to hear about anyone’s experiences.

Albert