Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair—a key tenet of DevOps culture.
That said, the full stack approach—despite its merits—requires developers to make critical considerations that they wouldn’t have previously, especially when it comes to security and testing. For example, in the past dedicated DBAs or systems administrators might be tasked with validating database security or hardening underlying systems. For full stack developers, these tasks are now fair game; consequently, an overall shift in mindset towards security is necessary for safely developing and delivering software continuously.
A common misconception is that MongoDB is immune to SQL injection-type attacks. While it’s true that MongoDB is not susceptible to SQL language abuses, its JSON documents can still be altered to achieve the same malicious results. Furthermore, MongoDB has had its own share of vulnerabilities—for example, a recently discovered widespread vulnerability gives hackers the ability to remotely crash the database application. Additionally, perusing the Common Vulnerabilities and Exposures (CVE) database reveals a host of security exposures and vulnerabilities for MongoDB.
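The point about altered JSON documents can be seen in how a query filter is built from a parsed request body. The following is an added example, not code from MongoDB or from this article; the function names, the `user`/`token` fields and the sample bodies are assumptions constructed for illustration, and no database driver is needed to run it.

```javascript
// Added example: hypothetical helper names, constructed sample input.

// Unsafe: copies request fields straight into the query filter. After JSON
// parsing, a field may be an object instead of the string the code expects.
function buildFilterUnsafe(body) {
  return { user: body.user, token: body.token };
}

// Recursively report whether a value contains a key that MongoDB would treat
// as a query operator ("$...") or as a dotted path.
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || k.includes('.') || hasOperatorKey(value[k])
  );
}

// Hardened: accept only non-empty strings, so the resulting filter can only
// ever express an equality match on each field.
function buildFilterSafe(body) {
  for (const field of ['user', 'token']) {
    if (typeof body[field] !== 'string' || body[field].length === 0) {
      throw new TypeError(`${field} must be a non-empty string`);
    }
  }
  return { user: body.user, token: body.token };
}

// Constructed request bodies, as a JSON body parser would produce them.
const normalBody = JSON.parse('{"user":"alice","token":"9f2c1e"}');
const alteredBody = JSON.parse('{"user":"alice","token":{"$ne":null}}');

// Compare both builders on the altered body.
function demo() {
  let rejected = false;
  try {
    buildFilterSafe(alteredBody);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return {
    unsafeCarriesOperator: hasOperatorKey(buildFilterUnsafe(alteredBody)),
    normalCarriesOperator: hasOperatorKey(buildFilterSafe(normalBody)),
    rejected,
  };
}

console.log(demo());
```

The unsafe builder passes the operator object through to the filter unchanged, while the hardened builder rejects the request before any query is issued.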
Express.js is a server-side web and mobile application framework for Node.js, similar to what Ruby on Rails or Sinatra is to the Ruby language. The framework builds upon Node.js to provide standard components to streamline development, and is in fact the most widely used Node.js framework today. Unfortunately, the framework is vulnerable to various injection and cross-site attacks and is susceptible to all of Node.js’s underlying vulnerabilities. The Express.js site maintains an updated list of vulnerabilities and fixes per version.
Developed and maintained by Google, Angular.js is a front-end MVC framework that enables modular client-side development with minimal code. The framework is vulnerable to various cross-site scripting attacks—a full list of Angular.js vulnerabilities is available at Mustache Security’s project home on Google Code.
In short, full stack development may be the embodiment of DevOps, but it nonetheless requires strict adherence to secure application development practices. The MEAN stack, and any stack for that matter—be it LAMP or .NET—requires proper controls for ensuring that security is baked in at all phases of development. To this end, UpGuard provides comprehensive vulnerability assessment and monitoring for web applications, databases, and servers. Regardless of which stack is in use, our platform can scan and validate every layer.