At Fidelity we have several security and quality checkpoints across many departments to validate that applications and platforms protect customer data. Security code reviews, penetration tests, risk audits, legal compliance and many other factors go into signing off on an application. Fidsafe is a new virtual safe deposit box offering from Fidelity and the first Fidelity application to be served outside the corporate firewall, in the cloud. Fidsafe challenges every aspect of how the organization builds and deploys software. We had to answer a lot of questions and provide practical tooling and solutions to get Node into production.
We will cover what it takes, from top to bottom, to build and operate a secure and scalable service backend implemented in Node.js and deployed to AWS. Topics covered:
1.) Node Process Management
* Lifecycle management -- Upstart and Forever
* Smart defaults for scalability and uptime
* Reactor — How we use cluster to scale across cores
2.) Hardened Express
* Layering security using middleware
* Strategies for bulletproof cookies
* SSL termination strategies
* Authenticating end-users and API consumers
3.) Building a Secure PaaS — A brief overview
* If you want it to be secure you have to build your own. What is the minimum you need for Node?
* DevOps across organizational boundaries — AWS, Python, Boto, AMIs, and Asgard
* Ubuntu as PaaS — real solutions are diverse and polyglot