Presentation: Making Npm Install Safe

Track: Pushing the Web Forward: JavaScript, Frameworks, Transpilers, and WebAssembly

Location: Pacific LMNO

Duration: 1:40pm - 2:30pm

This presentation is now available to view on InfoQ.com

Abstract

There’s a JavaScript package for everything. But installing a random package is a security nightmare: the installed package can access your data and send it over the network without anyone ever knowing.

But there’s hope! This talk will discuss how to minimize the risks of running third-party JavaScript. We’ll go over POLA, the Principle of Least Authority, and how object capabilities can help us grant specific, limited resources to third-party code. We’ll also cover the current efforts to enforce security boundaries in JavaScript: SES (Secure ECMAScript) and Realms.
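The following is an added example, not code from the talk or from Agoric, illustrating the object-capability pattern the abstract describes: instead of letting a third-party function reach a resource through ambient authority, the caller hands it a frozen, attenuated reference that can only read one prefix. The in-memory `store`, the `makeReadOnlyView` helper, and the two hypothetical third-party functions are all constructed for this illustration.

```javascript
// Constructed sample data standing in for a real resource (filesystem,
// environment, network). With ambient authority, any installed package
// could read all of it.
const store = new Map([
  ['config/app.json', '{"theme":"dark"}'],
  ['secrets/api-token', 'tok_constructed_example'],
]);

// makeReadOnlyView (hypothetical helper): attenuate `backingStore` to a
// read-only view of keys under `prefix`. The returned object is the only
// reference the third-party code receives; it has no write method and
// refuses reads outside the prefix.
function makeReadOnlyView(backingStore, prefix) {
  const view = {
    get(key) {
      if (typeof key !== 'string' || !key.startsWith(prefix)) {
        throw new Error(`access denied: ${String(key)} is outside ${prefix}`);
      }
      return backingStore.get(key);
    },
    keys() {
      return [...backingStore.keys()].filter((k) => k.startsWith(prefix));
    },
  };
  // Freeze so the recipient cannot swap methods or attach extra state.
  return Object.freeze(view);
}

// Hypothetical well-behaved third-party code: it needs only the app config,
// and receives that capability as a parameter rather than importing a global.
function thirdPartyThemeReader(configReader) {
  const raw = configReader.get('config/app.json');
  return JSON.parse(raw).theme;
}

// Hypothetical misbehaving third-party code that tries to read the token.
// Under POLA it was never given a reference that can reach it.
function thirdPartyGreedy(configReader) {
  return configReader.get('secrets/api-token');
}

// Run both callers against the same attenuated capability and report what
// each could actually do.
function runDemo() {
  const configOnly = makeReadOnlyView(store, 'config/');
  const theme = thirdPartyThemeReader(configOnly);
  let denied = false;
  try {
    thirdPartyGreedy(configOnly);
  } catch (e) {
    denied = e.message.startsWith('access denied');
  }
  return { theme, denied, visibleKeys: configOnly.keys() };
}

console.log(runDemo());
```

The pattern only holds if the third-party module cannot simply bypass the parameter and reach `store`, `require`, or the network through globals; plain JavaScript does not prevent that, which is exactly the gap the SES and Realms efforts mentioned in the abstract aim to close.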

Speaker: Kate Sills

Software Engineer @agoric

Kate Sills is a software engineer at Agoric, building composable smart contract components in a secure subset of JavaScript. Previously, Kate has researched and written on the potential uses of smart contracts to enforce agreements and create institutions orthogonal to legal jurisdictions. Kate earned her degree in CS from UC Berkeley, and is building a tiny house in her spare time.