Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair—a key tenet of DevOps culture.

That said, the full stack approach, despite its merits, requires developers to weigh considerations they didn't have to previously, especially when it comes to security and testing. For example, in the past a dedicated DBA or systems administrator might have been tasked with validating database security or hardening the underlying systems. For full stack developers these tasks are now fair game; consequently, an overall shift in mindset towards security is necessary for safely developing and delivering software continuously.

Having deep exposure to all layers of the stack puts full stack developers in the driver's seat for maintaining the application's security posture. It's therefore critical that the risks and security implications of each constituent technology are fully understood. As a representative example, the MEAN stack is a popular full stack framework streamlined for performance: MongoDB, Express.js, Angular.js, and Node.js. Because every layer of the stack is written in JavaScript, developers need only write application code, front to back and client to server, in JavaScript. And since these developers are also now on the hook for delivering secure web applications, they must address vulnerabilities and validate every layer of the application for security. But how vulnerable is each layer to being compromised? Let's take a cursory look inside the MEAN stack to find out.

MongoDB

MongoDB is a JavaScript-friendly, document-oriented NoSQL database that competes with the likes of Cassandra and HBase. For most purposes, MongoDB can be used in much the same manner as MySQL. Check out our MongoDB vs. MySQL comparison for a full comparison of the two technologies.

A common misconception is that MongoDB is immune to SQL injection-type attacks. While it's true that MongoDB is not susceptible to SQL language abuses, its queries are themselves JSON documents, and untrusted input that reaches them can still alter a query to achieve the same malicious results. Furthermore, MongoDB has had its own share of vulnerabilities: a recently discovered widespread vulnerability, for example, gives hackers the ability to remotely crash the database application. Additionally, perusing the Common Vulnerabilities and Exposures (CVE) database reveals a host of security exposures and vulnerabilities for MongoDB.

Express.js

Express.js is a server-side web and mobile application framework for Node.js, similar to what Ruby on Rails or Sinatra is to the Ruby language. The framework builds upon Node.js to provide standard components that streamline development, and is in fact the most widely used Node.js framework today. Unfortunately, applications built on the framework are exposed to various injection and cross-site attacks, and the framework itself is susceptible to all of Node.js's underlying vulnerabilities. The Express.js site maintains an updated list of vulnerabilities and fixes per version.
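The MongoDB and Express.js points above meet in one place: an Express body parser turns a JSON request body into real JavaScript objects, and if those objects are copied straight into a MongoDB filter, a field that should have been a string can arrive as an object carrying a query operator. The following is an added example, not code from the original post or from the MongoDB or Express.js projects; the function names (buildLoginFilterUnsafe, buildLoginFilterSafe, stripOperators, hasOperator) and the two request bodies are constructed for this illustration, and no database is contacted.

```javascript
// Added example (not from the original post): how an unvalidated JSON request
// body becomes a MongoDB filter document in an Express/Node.js login handler,
// plus a type check and an operator-stripping pass that defend against it.

// Vulnerable pattern: body values are copied straight into the filter. Because
// the body parser produces real objects, a value that is an object instead of a
// string ends up as a query operator inside the filter.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: accept only plain strings. An object or array in either
// field is rejected before it can reach the query.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Defence in depth: recursively drop every key that begins with "$" from a
// decoded body (the same idea as middleware such as express-mongo-sanitize).
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!key.startsWith('$')) clean[key] = stripOperators(inner);
    }
    return clean;
  }
  return value;
}

// Detection helper for tests or request logging: does a filter contain a
// MongoDB operator anywhere in its structure?
function hasOperator(value) {
  if (Array.isArray(value)) return value.some(hasOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith('$') || hasOperator(inner));
  }
  return false;
}

// Constructed request bodies: a normal login, and one where the password field
// is an object carrying an operator rather than a string.
const normalBody = { username: 'alice', password: 'correct horse' };
const hostileBody = { username: 'alice', password: { $ne: '' } };

console.log(hasOperator(buildLoginFilterUnsafe(normalBody)));  // → false
console.log(hasOperator(buildLoginFilterUnsafe(hostileBody))); // → true
console.log(JSON.stringify(stripOperators(hostileBody)));      // → {"username":"alice","password":{}}
```

The type check is the primary control: stripping operators on its own turns the hostile password into an empty object, which still produces a filter the application never intended, so the sanitizer is best treated as a second layer behind schema validation of every request body.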

Angular.js

Developed and maintained by Google, Angular.js is a front-end MVC framework that enables modular client-side development with minimal code. The framework is vulnerable to various cross-site scripting attacks; a full list of Angular.js vulnerabilities is available at Mustache Security's project home on Google Code.
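The cross-site scripting risk above comes down to whether untrusted text reaches the page as markup or as text. Angular's {{ }} interpolation and ng-bind write escaped text, whereas ng-bind-html (or any hand-rolled string concatenation into innerHTML) inserts markup as-is. The following is an added example, not code from the original post or the Angular.js project; escapeHtml, renderUnsafe, renderEscaped and countTags are assumed names for this illustration, and the input string is constructed.

```javascript
// Added example (not from the original post): rendering the same untrusted
// display name with and without HTML escaping, and a simple check a test suite
// can use to catch templates that emit more tags than they were written with.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that let text break out of an HTML text or
// attribute context. This mirrors what interpolation/ng-bind do for you.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable: user-controlled text is concatenated into markup verbatim, the
// equivalent of binding untrusted input with ng-bind-html or innerHTML.
function renderUnsafe(displayName) {
  return `<span class="user">${displayName}</span>`;
}

// Hardened: the same text is escaped first, so it can only ever be text.
function renderEscaped(displayName) {
  return `<span class="user">${escapeHtml(displayName)}</span>`;
}

// Count tag openers in rendered output. A template with a fixed number of
// tags that renders more than that has had markup injected through its data.
function countTags(rendered) {
  return (rendered.match(/<[a-zA-Z\/!]/g) || []).length;
}

// Constructed hostile input: a display name that carries a script element.
const constructedInput = 'Bob<script>console.log("injected")</script>';

console.log(countTags(renderUnsafe(constructedInput)));  // → 4 (two from the template, two injected)
console.log(countTags(renderEscaped(constructedInput))); // → 2
```

For Angular.js specifically, the practical rules this illustrates are to keep untrusted data in {{ }} or ng-bind, to reserve ng-bind-html for content that has been sanitized (Angular's $sanitize service) or explicitly trusted through $sce, and never to build Angular expressions from user input.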

Node.js


Node.js enables the building of web applications with extensive server-side and networking capabilities, and enables real-time two-way communication between client and server. Based on Google's V8 JavaScript engine, Node.js is popular for creating HTTP web servers on the fly. Arguably the defining component of the MEAN stack, Node.js is not without its own vulnerabilities: not only does it inherit all JavaScript-related vulnerabilities, but it also gains new attack vectors by executing on the server side. The CVE database also houses a comprehensive list of Node.js vulnerabilities.

In short, full stack development may be the embodiment of DevOps, but it nonetheless requires strict adherence to secure application development practices. The MEAN stack, and any stack for that matter, be it LAMP or .NET, requires proper controls to ensure that security is baked in at all phases of development. To this end, UpGuard provides comprehensive vulnerability assessment and monitoring for web applications, databases, and servers; regardless of which stack is in use, our platform can scan and validate every layer.

Sources

https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

https://www.cvedetails.com/product/22804/Nodejs-Nodejs.html?vendor_id=12113

https://code.google.com/archive/p/mustache-security/wikis/AngularJS.wiki

https://expressjs.com/en/advanced/security-updates.html

https://web.archive.org/web/20160518123231/http://blog.fortinet.com/post/widespread-mongodb-denial-of-service-vulnerability-discovered
