Introduction to Nest.js from a Security Perspective

Introduction to Application Security and Architecture using Nest.js, Node.js, TypeORM, Swagger (OpenAPI), Docker, and Kubernetes/minikube.

Nest.js is an opinionated framework for Node.js. It offers out-of-the-box HTTP functionality and helps teams develop faster while avoiding common development pitfalls, yet it remains beginner-friendly. Nest.js is essentially a wrapper around Express or Fastify with an out-of-the-box application architecture. It improves on Express, which provides only the bare minimum for HTTP and forces the developer to implement authentication, authorization, and design patterns such as MVC (Model-View-Controller) from scratch, which can introduce bugs and security issues. Developers coming from the world of React, Angular and Vue will feel right at home. Nest.js provides a “soft landing” for team adoption; integrating Node.js libraries and tools lets developers extend their code with most of what is available in the web development sphere. Compared with the extensibility of Spring Boot (Java) and Maven (.NET), the Node.js package community is matched only by Python’s PyPI for extending a codebase.

These advantages carry over to security as well: when the team works cohesively, security can be shifted left more effectively, and integrating security mechanisms into a framework is far easier than writing everything from scratch.

Assuming a team is already proficient in the framework, the advantages are clear:

  • Different solution approaches introduce overhead and require every integration and architectural decision to be communicated. Nest.js solves this by providing a unified architecture.

  • When the design patterns are set for you, what is left is coding the functionality, which helps ship faster.

  • Design decisions are feature-based, and the abstraction of features keeps them loosely coupled. This also helps security guards trickle down through the application.

  • Easier to test, debug and maintain.

  • The documentation is solid and informative. From personal experience, troubleshooting in Nest.js is more streamlined, because the unified design patterns direct all developers towards the same solution space.

  • Scales faster and more efficiently.
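As an added example (not code from the original post or from the Nest.js project), here is the guard pattern the bullets above refer to, modelled in plain TypeScript so it runs without @nestjs/common: the `CanActivate`, `ExecutionContext` and role-metadata types below are local stand-ins for Nest's, and the route, users and status codes are constructed.

```typescript
// Added example: Nest.js-style RBAC guard (handler metadata + CanActivate) in plain
// TypeScript. The interfaces are local stand-ins for Nest's CanActivate,
// ExecutionContext and Reflector, not the framework's real API.

type Role = 'admin' | 'editor' | 'viewer';
interface User { id: string; roles: Role[] }
// `user` is assumed to be set by an upstream authentication guard.
interface HttpRequest { path: string; user?: User }
type Handler = (req: HttpRequest) => { status: number; body?: unknown };

// Stand-in for Nest's ExecutionContext: exposes the request and the route handler.
interface ExecutionContext { getRequest(): HttpRequest; getHandler(): Handler }
interface CanActivate { canActivate(ctx: ExecutionContext): boolean }

// Stand-in for @Roles()/SetMetadata + Reflector: required roles keyed by handler.
const rolesMetadata = new WeakMap<Handler, Role[]>();
function requireRoles(handler: Handler, ...roles: Role[]): Handler {
  rolesMetadata.set(handler, roles);
  return handler;
}

// RBAC guard: fails closed when there is no authenticated user, and only lets a
// request through when the user holds at least one role the handler declares.
class RolesGuard implements CanActivate {
  canActivate(ctx: ExecutionContext): boolean {
    const user = ctx.getRequest().user;
    if (!user) return false;                               // unauthenticated: deny
    const required = rolesMetadata.get(ctx.getHandler());
    if (!required || required.length === 0) return true;   // no roles declared: any authenticated user
    return required.some((r) => user.roles.includes(r));
  }
}

// Minimal dispatch mirroring what Nest does: every guard runs before the handler.
function dispatch(req: HttpRequest, handler: Handler, guards: CanActivate[]): { status: number; body?: unknown } {
  const ctx: ExecutionContext = { getRequest: () => req, getHandler: () => handler };
  for (const g of guards) {
    if (!g.canActivate(ctx)) return { status: req.user ? 403 : 401 };
  }
  return handler(req);
}

// Constructed sample route and users (not from the original post).
const deleteUser = requireRoles((req) => ({ status: 200, body: `deleted by ${req.user!.id}` }), 'admin');
const admin: User = { id: 'alice', roles: ['admin'] };
const viewer: User = { id: 'bob', roles: ['viewer'] };
```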

It is also worth pointing out that employing third-party dependencies helps ship faster, and the extensibility of applications is critical for remaining scalable and fluid. But securing applications with many layered (nested) dependencies is not an easy feat, and it requires continuous effort to minimise security risk throughout the application life cycle. Some tools are available to expedite and automate this process; we use Snyk in our organization to manage dependency security and provide some code analysis.

Link to the GitHub repository of the application

Let's put this into practice: we will go through the steps of generating a Nest.js application (add github) to understand how it works, and go over the common security pitfalls.

To understand the common security features, we will re-create the best-practice approach for authentication, authorization, RBAC, input validation, and database management using an ORM (Object-Relational Mapping) in the Nest.js framework.

We will introduce vulnerabilities, see how an attacker might exploit them, and explain why each attack is exploitable.

We will then introduce basic security mechanisms and the steps to mitigate the vulnerabilities.

Lastly, we will discuss tools that help with the detection of common vulnerabilities and other security issues.
