Roadmap for 2019-2020

[UlisesGascon]

Hi all!

In the last months we were focus on improve the codebase with tests, mostly e2e test and CI.

Now we are more confidents on the source code and it's easier to validate PRs and merge new contributions. I think is a good time to discuss about the roadmap for NodeGoat in the following months.

Right now we are close to publish release 1.4 that includes (e2e and ci). I just want to suggest some possible targets for the following releases.

Release 1.5

Main goal:

• Improve source code

Pending PRs (Update/review):

• [x] change app.csp() with contentSecurityPolicy() #119
• [ ] replace helmet.xframe() with helmet.frameguard(), xframe is deprecated #118
• [ ] Adding secondary /api/login route for JSON user login processing #91
• [ ] Upgrade dependencies #169

Targets:

• [x] #156 (asg: @servatj) Forever is not in use, let's move to Nodemon as npm script
• [x] #150 (asg: @UlisesGasconMigration to node 12 (support for Node 12|10|8)
• [x] #151 (asg: @UlisesGascon) Add CONTRIBUTING Guide and CoC (PR #177)
• [ ] #157 (asg: @flippedcoder) Migration from Swig Deprecated to ejs
• [ ] #152 (asg: @lucas1004jx @UlisesGascon )Migration to es6+ (PR #185)
• [ ] #153 Upgrade dependencies to secure latest versions in package.json, see: #82
• [ ] #149 (asg: @servatj) migration from Grunt to npm scripts
• [ ] #154 (asg: @carlosAzaustre @UlisesGascon) Harmonize the JS Style with Standard and Prettier
• [ ] #155 (asg: @UlisesGascon) Let's add git hooks for linting and testing with Husky
• [ ] #158 (asg: @PeterWunderlich) Migration from bcrypt-nodejs Deprecated to bcrypt
• [ ] #159 Improve Cypress and travis scripts, like cy.exec validation
• [ ] Migration from Mocha to Jest and add Unit tests
• [ ] We need a definitive cool super-fancy logo! 💪
• [ ] Let's simplify the configuration steps
• [ ] Update README and relevant documentation
• [ ] Let's add multi-language support for The Tutorial Guide, this will help the use of Nodegoat as a very effective workshop tool for non-english speakers
• [ ] Include ZAP testing in CI workflow, See: #34 and The Guide
• [ ] Migration to purpleteam suggested by @binarymist in issue #142
• [ ] Add code review checklist #37
• [ ] Example / Implementation for noSQL Injection #90 by @lirantal
• [ ] Autogenerate documentation (Readme.md, dependencies...). Assigned to @UlisesGascon
• [ ] Let's include codeclimate

  Release 1.6

Main goal:

• Refresh to OWASP 2019
• Let's refresh the technology that we use :muscle:

Targets:

• [ ] #180 Implement REST API endpoints
• [ ] #181 Implement Client Side Rendered UI with React
• [ ] #182 Implement Auth for REST endpoints
• [ ] #183 Demonstrate API security issues. See
• [ ] #184 Tutorial and hands on labs guide for securing REST endpoints

Open Questions && Discussions

Main goals/ideas suggested by @ckarande:

• Upgrade to the latest OWASP Top 10 (#99)

  Honestly, I didn't find certain new additions to OWASP top 10 2017 very relevant to Node.js usage (e.g, not many Node.js users deal with XML) but in the sprit of demonstrating the top 10, it could be worth explaining / incorporating the latest OWASP top 10 list. I would like to retain some of the existing vulnerabilities from the OWASP Top 10 2013 version that are not in the 2017 version (such as CSRF, Insecure Redirects, etc) . So we can make two sections on the tutorial site - OWASP Top 10 2017, and Beyond OWASP Top 10.

• Provide versions that are close to real world Node.js usage

As you may know, current version of Nodegoat uses templates for rendering UI and cookie based stateful session. This architecture is good for beginners to have the least resistance to start diving into the security specific concepts. However, I would like to provide two additional versions of NodeGoat that are close to real world Node.js apps and demonstrate security vulnerabilities in the context of these architectures:

• Architecture 2: Using client side rendering with React (or Vue/Angular) and stateless session management using JWT. As part of this upgrade the UI build system to use webpack / UI framework specific build CLI.
• Architecture 3: various services broken down into individually deployable micro services. Also check: #38

If we have a clear roadmap it will super easy to reclute contributors and provide them a clear path to follow :-)

I will try to setup a local Hackathon in Madrid to reclute new contributors and close some issues 👍

In order to keep all smooth and simple to review, I will suggest to work using issues per feature and link those issues to small PRs and commit using GitFlow (branches per release) so we can concentrate all the PRs per release. And then a final PR from the release branch to the master in order to upgrade package version and deploy in Heroku.

What do you think? Do you agree for the targets/items for release 1.5? I think that we need to discuss a lot for 1.6 as now it is very conceptual

[ckarande]

A very good compilation of next tasks and release roadmap. It looks good to me.

I just created release 1.4 and we are all set to start rolling out tasks you listed for Release 1.5. I agree that items for 1.5 are well defined and we can proceed with those. As we proceed, let's create issues for each item in the list and add it to corresponding milestones.

I have added you to the list of collaborators for the project 🎉🎉. Thanks for your contributions and looking forward to work together to make NodeGoat even more valuable resource for the community.

[UlisesGascon]

thanks a lot @ckarande !! 🤗

Can you add me extra rights for manage issue label creation and milestone assignation? maybe projects, too? :-)

[ckarande]

Of course. Can you please check if you have the necessary rights now.

[UlisesGascon]

Oh yeah! Now it is perfect ^^ . Thanks a lot @ckarande !

[UlisesGascon]

Hi all!

I just added new issues for release 1.6 and rename this issue for 2020.

I will try to expend some time the following two weeks to remap the current status for 1.5 and push some code to speed up the release.

[ckarande]

Sounds great. Thanks @UlisesGascon

[binarymist]

May be worth updating the checklist? purpleteam has been testing NodeGoat for several years now