Threat Model
This issue is just to keep tracking the work we've been doing in the Security WG. We've created a Threat Model document.
The intention of this document is to list all the current threats and their mitigation for each environment using Node.js. It may change over releases. This document was created aiming to provide context on what will/will not be considered a vulnerability in Node.js, targeting Security Researchers.
Normally, the discussion around this document happens in the OpenJS Foundation Slack (#nodejs-discussion-security-model). Feel free to contribute.
Thanks for putting that together!
As a possible reference, this is how osquery documents their threat model, along with its considerations for security and the design decisions taken in consequence.
Renaming it as Threat Model as defined in #801
@facutuesca that's some nice work by osquery. Thanks for sharing.
Hi folks!
In the last Security WG #822 we've decided to create a separate meeting (next week) to discuss just the Threat Model. The idea is to finish the draft in this meeting and then open a PR for feedback.
I suggest the same time as usual (2 pm UTC) - Monday. For those who want to join, please comment with your preferred email to send the invite. cc: @facutuesca @mhdawson
I'm on Monday and booked that time the rest of the days, but I could decline what I had accepted for that time on Friday.
@RafaelGSS Is that Monday the 22nd? I'm interested. I could also do Friday the 26th, which I think is the day @mhdawson is suggesting.
I currently have other commitments most Thursdays. This comment proposed meeting every 15 days, which would result in the meeting rotating across days-of-the-week, but it looks like meetings have been being scheduled on Thursdays.
Let's do it Friday. Invite link
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.