UPDATED 18:30 EDT / AUGUST 01 2017


Snyk tackles security risk in open-sourced Node.js libraries

Modern web applications are built largely from open-source libraries, and developers are often unaware of how much of their application depends on risky third-party packages. Guy Podjarny (pictured), co-founder and chief executive officer at Snyk Ltd., explained how his company helps developers keep the Node.js packages they depend on free of known security flaws. Node.js is an open-source JavaScript runtime based on Chrome’s V8 engine.

“Snyk deals with open-source security, specifically in Node.js in the world of NPM [Node Package Manager]. NPM is amazing and allows us to build on the shoulders of giants. But there are some inherent security risks with just pulling code off the internet and running it in your application,” Podjarny said. 

Podjarny spoke with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during Node Summit in San Francisco.

Dependency on risky code

Podjarny gave an extreme example of how even a very small application pulls in a large body of third-party code, and with it a large attack surface.

“It has 19 lines of code, which uses two packages, which in turn uses 19 packages, which bring in 190,000 lines of code.… The majority of code in your application, especially with Node, is not first-party; it’s third-party code. And that means most of your security risk crops up there,” Podjarny said. 
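The sprawl Podjarny describes can be measured from the lockfile npm already writes. The script below is an added example written for this article; it is not Snyk's code and was not shown in the interview. It walks a constructed lockfileVersion 3 package-lock.json, counts the packages the application declares directly against the packages npm actually resolved, and flags any resolved copy, including a nested duplicate, whose version predates the fix in a constructed advisory list. Every package name, version and advisory here is hypothetical, and the version comparison is a simplified major.minor.patch compare rather than full semver.

```javascript
// Added example (not Snyk's code): enumerate every package resolved in a
// package-lock.json (lockfileVersion 3 "packages" map) and check each one
// against a small, constructed advisory list. All package names, versions
// and advisories below are hypothetical.
'use strict';

// Constructed lockfile: the application declares two direct dependencies,
// but npm resolves a deeper tree, including an older nested duplicate of
// example-deep-merge under example-framework.
const lockfile = {
  name: 'tiny-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'tiny-app', version: '1.0.0',
          dependencies: { 'example-framework': '^3.1.0', 'example-templates': '^1.4.0' } },
    'node_modules/example-framework': { version: '3.1.2',
          dependencies: { 'example-router': '^2.0.0', 'example-deep-merge': '^1.0.0' } },
    'node_modules/example-templates': { version: '1.4.3',
          dependencies: { 'example-deep-merge': '^2.0.0' } },
    'node_modules/example-router': { version: '2.0.5',
          dependencies: { 'example-path-match': '~0.9.0' } },
    'node_modules/example-path-match': { version: '0.9.1' },
    'node_modules/example-deep-merge': { version: '2.1.0' },
    'node_modules/example-framework/node_modules/example-deep-merge': { version: '1.3.4' },
  },
};

// Constructed advisories (hypothetical): "fixedIn" is the first patched version.
const advisories = [
  { name: 'example-deep-merge', title: 'prototype pollution (hypothetical)', fixedIn: '2.0.0' },
];

// Turn "node_modules/a/node_modules/b" into package name "b" at nesting depth 2.
// Scoped names ("node_modules/@scope/pkg") are preserved whole.
function parseLockPath(lockPath) {
  const parts = lockPath.split('node_modules/').filter(Boolean).map((p) => p.replace(/\/$/, ''));
  return { name: parts[parts.length - 1], depth: parts.length };
}

// Every resolved package, marked as direct only when it sits at the top level
// and the root package.json declares it.
function collectDependencies(lock) {
  const declared = new Set(Object.keys(lock.packages[''].dependencies || {}));
  return Object.entries(lock.packages)
    .filter(([lockPath]) => lockPath !== '')
    .map(([lockPath, meta]) => {
      const { name, depth } = parseLockPath(lockPath);
      return { name, version: meta.version, path: lockPath, direct: depth === 1 && declared.has(name) };
    });
}

// Simplified numeric compare of major.minor.patch; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report every resolved copy whose version predates an advisory's fix,
// plus how many packages were declared versus actually installed.
function audit(lock, advisoryList) {
  const deps = collectDependencies(lock);
  const findings = [];
  for (const dep of deps) {
    for (const adv of advisoryList) {
      if (dep.name === adv.name && compareVersions(dep.version, adv.fixedIn) < 0) {
        findings.push({ ...dep, advisory: adv.title, fixedIn: adv.fixedIn });
      }
    }
  }
  return { direct: deps.filter((d) => d.direct).length, total: deps.length, findings };
}

function summarize(lock, advisoryList) {
  const r = audit(lock, advisoryList);
  console.log(`${r.direct} direct dependencies, ${r.total} packages resolved`);
  for (const f of r.findings) {
    console.log(`VULNERABLE ${f.path}@${f.version}: ${f.advisory} (fixed in ${f.fixedIn})`);
  }
  return r;
}

summarize(lockfile, advisories);
```

The detail worth noticing is the nested copy: the top-level example-deep-merge is already at a fixed version, so a check that only reads package.json, or only the first match by name, reports nothing, while the older copy npm hoisted under example-framework is the one that actually runs. Auditing resolved install paths rather than declared names is what exposes it. A real audit tool draws on a maintained vulnerability database instead of the constructed list used here.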

The trend toward serverless computing is pushing more of the risk up the stack into the application layer, where developers spend more of their time writing custom code on top of NPM packages, Podjarny explained.

“A lot of the lower levels get abstracted away. You don’t need to manage servers or operating systems. With that, a lot of security concerns go away which focuses the attackers on the application.… So platform as a service really increases the importance of dealing with application security well,” Podjarny concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of Node Summit 2017.

Photo: SiliconANGLE
