Express.js Threat Model

[UlisesGascon]

We need to define a solid Threat Model. Initial comment by Wess

Resources

• https://github.com/nodejs/node/pull/45223
• https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model
• https://github.com/kubeedge/community/blob/master/sig-security/sig-security-audit/KubeEdge-threat-model-and-security-protection-analysis.md

[UlisesGascon]

Good news the proposal https://github.com/expressjs/express/pull/5526 in in the oven 🎉

Next step, as discussed with @ruddermann is to prepare a private meeting with the @expressjs/security-triage to cover the details before #6 starts.

So I move the discussion for this to Slack private channel

Relevant links

• https://www.securing.pl/en/how-to-prepare-an-effective-threat-modeling-session/
• https://martinfowler.com/articles/agile-threat-modelling.html

[UlisesGascon]

Current discussion about the Threat Model:

• Regarding prototype pollution context. see
• Regarding Middleware/Plugins/libraries. see