Liran Tal (lirantal.com) from Snyk joins us to dive deep into writing secure TypeScript applications. What's different compared to vanilla JavaScript security? Will schema validators fix all our woes? Can't we let LLMs find and fix security vulnerabilities? Liran educates us about the pitfalls and risks with misplacing trust in TypeScript and LLMs and what we can do to write more secure code.
Chapters
- (00:00) - Introducing Liran Tal
- (02:56) - What's Special About TypeScript Security vs. JavaScript Security?
- (04:23) - Misplacing Trust in Types
- (05:49) - Practical Examples of TypeScript Security Issues
- (08:43) - Why Does TypeScript Security Matter?
- (10:23) - TypeScript is Not a Security Tool
- (11:14) - How Does HTTP Parameter Pollution Work?
- (12:45) - Ways to Mitigate Parameter Pollution
- (15:44) - Schema Validators Won't Always Save You
- (16:51) - How Prototype Pollution Works
- (18:23) - Exploiting Schema Validators Through Prototype Pollution
- (21:50) - Mitigating Prototype Pollution Risks
- (25:21) - Consequences of Prototype Pollution
- (27:23) - Ways to Safely Merge Objects
- (30:03) - How Can TypeScript Developers Improve Their Security Posture?
- (33:17) - How Do LLMs Impact Secure Coding?
- (39:11) - Misplacing Trust in AI-Generated Code
- (41:10) - Can LLMs Review and Fix Secure Code?
- (45:57) - So We're All Doomed, Right?
- (48:31) - Bonus: Game Development as a Teaching Tool
- (54:48) - Where to Find Liran
LinksSponsored by Excalibur.js
Excalibur.js is the friendly TypeScript game engine for making 2D web games. Use your TypeScript or JavaScript skills to make games! Excalibur comes out-of-the-box with everything you need to make web games, like physics, sprites, animations, sound effects, input, and particles. Design your assets with tools like Aseprite and Tiled, then load them natively using first-party plugins.
Music
Seahorse Dreams by Kubbi (Spotify)
