Security not a priority?

tab00 · November 27, 2015, 5:57am

My Meteor app stores monetary balances, so it needs to be extremely secure.

There have been some highly publicized incidents of security breaches of big or well-known systems this year. Here is CNET’s summary as part of their “CNET’s 2015 tech turkeys” report:
Our sense of security? Gone like the first serving of potatoes and gravy

So far we haven’t heard of any Meteor apps being hacked yet, but it may just be a matter of time (or they’ve gone unreported). If a Meteor app holds a monetary balance and becomes popular, it will definitely become a prime hacking target.

If a hacking attempt does succeed and news gets out, the reputation of Meteor may be damaged, possibly irreparably, which would then affect all of us Meteor proponents, not just the company who owns the app, because future uptake and support of Meteor by businesses and community may diminish.

So I think much more attention needs to be given to Meteor app security. Just doing a search for “security” in this forum does not produce many results. Maybe it’s because most current apps don’t deal with money yet. I think it’s far more important than most other issues, e.g. the Blaze vs. React debate.

MDG should have full-time “white hackers” constantly trying to find security holes. Do they?

tab00 · November 27, 2015, 6:14am

Pete Corey does a relatively good job (well there’s not much to compare to) of writing about security at http://blog.east5th.co. We need much more of this, and ideally it should come from MDG themselves. Not every Meteor developer would know about Pete Corey’s blog, yet they all should follow many of the guidelines mentioned there.

serkandurusoy · November 27, 2015, 11:15am

Meteor actually did invest heavily on security with both core authentication, and the more intricate details involving mongodb itself (even sent in PR’s fixing security holes on mongodb). They also recently introduced rate limiting.

@pcorey writes a lot about meteor security and almost all his suggestions revolve around leveraging already existing meteor tools and using them in sensible defaults in terms of security.

So it is kind of unfair when you ask this question, implying security is not a priority.

But security is a broader subject that pertains to not only meteor but the overall stack and ecosystem is runs on top of. So in that sense, yeah, neither the community nor mdg itself have been much vocal about security. It is not that it is dismissed, it is fairly mature and there are other parts of the plaform that gather attention.

ahref · November 27, 2015, 1:00pm

I would advise contacting Pete he offers assesments . I’d also advise looking at the clinical meteor track they are doing some fantastic work trying to get FDA and HIPPA compliant applications. Their requirements for security should match or exceed yours. They have some unique packages and techniques to add security.

hwillson · November 27, 2015, 4:53pm

Just to add - if anyone finds a Meteor security vulnerability, don’t forget that Meteor is registered with HackerOne - https://hackerone.com/meteor.

joshowens · November 29, 2015, 4:00pm

Security for a web app is kind of like dealing with Legal issues. You hire a lawyer and rely on them to limit your exposure in situations. MDG has actually spent a lot of time thinking about security in regards to building web apps and Emily Stark did a great job talking about it while she worked at MDG.

I’ve blogged a lot about my real work experience helping clients fix up their apps. You can read here: http://joshowens.me/meteor-security-101/ and here: http://joshowens.me/meteor-security-201/.

I would also invite you to come ask questions at our Meteor Club Q&A on Monday Nov 30th with @pcorey and I: http://ccst.io/e/joshowens115

tab00 · December 2, 2015, 2:06pm

Thank you for the responses.

One of the reasons for my concern is that there aren’t many resources for best-practice guidelines to develop a highly secure Meteor app. Simply instructing the developer to remove the insecure and autopublish packages does not instantly make a Meteor app highly secure.

There also appears to be no explicit claim by MDG that they uphold security of their product as one of their core values or principles. Medium-to-large corporations need explicit assurance of security in order to feel comfortable with going ahead with the technology. The 7 “Principles of Meteor” listed in the official documentation has no mention of security.

Meteor was designed to make it easy to create a cross-platform app with real-time data, and they’ve achieved this, however development of its security seems to be an afterthought or add-on. User accounts was not even part of Meteor’s earlier releases.

From the perspective of security being extremely important, latency compensation is just a gimmick, and I’m willing to do without it in order to achieve higher security (by never using allow/deny). Have MDG acknowledged the risks of using allow/deny?

For Meteor to be taken seriously, especially for apps that are more than just posts and comments (e.g. ecommerce, financial services, financial market trading, supply chain and logistics), everything about its security needs to be actively (instead of reactively) worked on and communicated with the community (instead of developers needing to learn about security from other fellow developers who happen to blog about it). MDG should have full-time employees focused only on Meteor security.

robfallows · December 2, 2015, 2:21pm

This is an outline of the new MDG guide material on security:

https://github.com/meteor/guide/blob/master/outlines/security.md

tab00 · December 2, 2015, 2:22pm

Are bounties offered, and if so, how much?

hwillson · December 3, 2015, 5:53pm

No bounties - but you’ll get a public thanks, followed by the warm and fuzzy feeling that comes from knowing you’ve helped make things right in the world of Meteor.

tab00 · December 4, 2015, 2:48am

So a hacker may decide that it would be more beneficial for them to exploit any discovered security holes for their own gain, because reporting yields them nothing.

MDG’s attempt to save some money by taking advantage of free labor can backfire on all of us who rely on Meteor.

Incentives should be provided to those who find and then report security holes. This should be on top of a dedicated internal security team who are focused on keeping Meteor security rock-solid.

Would any of you feel confident in Meteor enough to create a banking application?

sashko · December 4, 2015, 4:34am

Here’s the finished Security article rough draft!

We take security very seriously at Meteor, we hope it’s secure enough for basically any app you need to build.

corvid · December 4, 2015, 5:41am

Also, a lot of complaints about meteor’s security tend to refer to much older versions of meteor.

Other times, people complain that insecure and autopublish are including by default and claim that’s insecure. It’s really not if you’re any level of careful, considering the console will yell at you anyway.

rozzzly · December 4, 2015, 9:00am

For Meteor to be taken seriously, especially for apps that are more than just posts and comments (e.g. ecommerce, financial services, financial market trading, supply chain and logistics)

Um that’s not where meteor shines. Sure you can create an app for any of those in meteor, but that doesn’t mean its the best tool for the job. What about meteor makes it your ideal candidate for you banking project?

From the perspective of security being extremely important, latency compensation is just a gimmick, and I’m willing to do without it in order to achieve higher security (by never using allow/deny). Have MDG acknowledged the risks of using allow/deny?

Well first off, that’s why you do optimistic UI… Anyways, so, if you don’t really care about/are willing to sacrifice meteor’s core tennates… then why the hell are you using meteor? It’s overkill.

MDG should have full-time “white hackers” constantly trying to find security holes. Do they?

Are bounties offered, and if so, how much?

This should be on top of a dedicated internal security team who are focused on keeping Meteor security rock-solid

###I think you should take up this mantle @tab00!

Hey! Maybe, if you can do write some more vapid diatribes and link us a few more cnet articles, MDG/the—OpenSource—community they’re exploiting can scrounge up a few bucks for yah.

nathanhornby · December 4, 2015, 10:02am

Yea seriously, it’s a real-time framework for web apps - not a pentagon project.

I wonder what frameworks @tab00 is used to working with that hire full time white-hat hackers, a dedicated security team and pay bounties on security bugs? And when did meteor start pitching itself at the financial sector?

Is this satire?

miningsam · December 4, 2015, 11:09am

You probably want to hire a security consultant.

There are no crime-free cities with a huge population rate and continuous traffic. The population on the Internet is in billions, and since you have money involved, you’re a target.

There have been security threats. And most of them have been addressed or have work arounds.

Yup

If a hacking attempt does succeed and news gets out, the reputation of Meteor may be damaged, possibly irreparably, which would then affect all of us Meteor proponents, not just the company who owns the app, because future uptake and support of Meteor by businesses and community may diminish.

It depends on the response team. With Galaxy, MDG has SLA’s and such, which would address such threats quite fast. Also the community sits on top of such things - which includes security oriented people.

A forum is a discussion platform. Try clicking this link. I’ll bet that will give you some insight right away.

I think that the developers of MDG active already on the forum have a good sense in matters of security. I believe that if you are having a successful money making app, you should perhaps hire a white hacker. I think the security needs you have are worth the investment of a security audit. And if you do, I’d love to see your findings here.

Not leave you in the cold here:

There are various popular attacks: denial of service (ddos), session hijacking (xss), data theft (sniffing), identity theft (spoofing), network penetration (firewalking to backdooring), privilege escalation (rooting), reputation attacks (defacing). Most of these are coupled to infrastructure strategy and authentication. In your case, I would be targeting the database.

Active policies and access control are here in place, not the Meteor platform in general. Your SPA is as secure as your weakest core developer.

So here are my free tips:

Stay aware: nodesecurity.io - nodesecurity Resources and Information.
Stay ahead: https://snyk.io/
Fortify: https://meteorhacks.com/xss-and-meteor
Encryptify: http://blog.east5th.co/2015/08/23/hijacking-meteor-accounts-by-sniffing-ddp/
Readify: https://docs.mongodb.org/manual/administration/security/

Some koans:

Don’t trust anyone, anything from anywhere until they went through your gate keeping logic (and still be cautious)
Employ tripwire (this is an actual security practice), and risk management strategies to quickly respond to integrity issues. This is more a strategy field than a technology field.
Protect the users with identity rules (strong passwords additional security measures) anywhere in your app that would require transactions.
No matter how safe your application, Meteor or the transmission of data is - there are hackers who use social engineering, thrashing, keylogging and other evils. Remember that most of your end users are not specialists in the field of technology.
All you can do is wearing out your attacker by making it unfeasible to attack.

rozzzly · December 4, 2015, 11:10am

> clearly has never visited github

###In all due seriousness,
that’s not to say that meteor apps can’t be quite secure, or at the same time, that, meteor does have some legitimate security concerns that have to be considered. @corvid’s comment is quite poignant, most of the blog posts about meteor security at the top of google were written months, if not years ago.

This is what Meteor gives you.

They got all the things you need, but its a bit rough around the edges. But, everything is sturdy. They even threw in windows! But it’s not their fault if you don’t install/use the windows’ lock. They even give you the instruction manual!

MDG would have a problem if I could go outside, punch a hole through the siding, then tear my way in though the wall. But that’s not the case…

@tab00 if you’re trying to build a bank, you don’t just put down carpet in this room, add some desks and call it day! If you’re a bank, you want steel reinforced concrete walls. If you want, you can do that with meteor! But, it just doesn’t come out of the box. You don’t have to go crazy though; start by taking your drill and putting some iron bars on the outside of that window, then move on from there… ssl I mean…

bleh enough analogy

It’s not that hard to get something running that is pretty damn secure

HTTPS (forced preferably)
strong validation of user input
separation of server and client data AND code
- meteor is isomorphic, that means the client can do Right Click-> View Source and see like half of the code your app is running on. Out of the box, this is a pretty big issue for something like your proposed app. But you can split the code into /client, /both, /server. Try to keep the both category as slim as possible.
- mongo + subscribe/publish doesn’t map as well as say a traditional RDBMS for storing sensitive information. You really got to think about exactly what needs to be published,
  *-never trust any data from the user, with meteor you live in a glass house (sorta) so a malicious user can poke around and find a bug in your logic, send in data that exploits that.

Edit: Listen to @miningsam, he’s got a lot pretty comprehensive list of some of the issues you’ll run into / want to protect against.

I don’t know what your app involves, maybe meteor is a good fit for it. But don’t come here and say:

MDG’s attempt to save some money by taking advantage of free labor can backfire on all of us who rely on Meteor

fuckthat.jpg

MDG is far from perfect, but they’re not trying to exploit us! this is an OPEN SOURCE project, go look that up.

miningsam · December 4, 2015, 11:16am

That appartement image with header is absolutely brilliant.

miningsam · December 4, 2015, 11:34am

Are bounties offered, and if so, how much?

If you, @tab00 submit security vulnerabilities to Hackerone, which are recognized by MDG as security threats, combined with a security article covering 1) a viable POC 2) a workaround/solution, I’ll be more than willing to pay you a bounty. I am not a member of MDG in any kind, but I am a big fan.

sashko · December 4, 2015, 7:03pm

Glad you asked. The security guide we just finished says to not use allow deny. Great news! Meteor methods also have optimistic UI!

It’s been a very deeply held misconception in the community that there is some sort of tradeoff between optimistic UI and security. That couldn’t be farther from the truth. I’m going to come out and say it right now, there is no tradeoff, use methods every single time.

It was kind of a historical thing - Meteor actually had allow/deny before methods - they were a new feature introduced in Meteor 0.2.0.