Liran Tal
Liran Tal
  • Oct 14, 2024

Bun Security course launches for JavaScript developers

I'm genuinely excited to announce the launch of the Bun Security course and with it, a blog and more resources to help you learn about Bun application security 🎉

Bun Security Course Launch

Why am I building this Bun Security resource?

A short while back I was curious at Bun’s security posture, following a prototype pollution hardening pull request that I submitted to the Node.js project. I was curious to see how Bun, a whole new server-side runtime project, would handle such a security issue.

This deep-dive into Bun security aspects led me to some interesting findings and application security insights concerning secure coding and other security best practices.

Bun is still very new, still under very active development and there’s an obvious gap in the educational resources available for JavaScript developers to learn about application security when building Bun applications.

So what’s in store for Bun adaptors?

Bun Security course

Just like my Node.js Secure Coding books, I’m excited to announce and launch a dedicated Bun Security course. Yes, that’s right. I am planning for the Bun Security educational resource to be available as several resource types:

  1. Bun Security book - A high-quality Bun security book that will be available on a digital format via PDF and ePUB and later on in print, via Amazon books.
  2. Bun Security course - An online, self-paced written guide that will have interactive exercises, quizzes, and code snippets you can run in a cloud IDE like GitHub Codespaces.

What should you expect from the Bun Security course?

Security is tough, right? It’s not just security vulnerabilities. I know you’re already overwhelmed with those npm audit reports. Vulnerability fatigue is a thing, I agree. But if we blatantly dismiss everything, we risk everything too. So, what’s the scope of the Bun Security course material?

A focus on secure-by-default and secure-by-design APIs. Both are two highly important aspects set forward by the Open Source Security Foundation (OpenSSF). I’ve found them both to be prevalent in the Bun runtime. Do you know what they are? You’ll learn about them in the Bun Security course.

Secure coding aspects are another high priority. And so teaching you secure coding practices is high on my list of topics as well. How do you avoid common security pitfalls? Bun exposes much of the Node.js API as well. Knowing how to employ these APIs securely is crucial. You’ll learn how to write secure code in Bun, and more importantly, what inherent security vulnerabilities apply to Bun due to JavaScript’s dynamic nature.

Another hot topic in security is the supply chain. Maybe you’ve heard of the XZ Utils backdoor. Maybe you’d even recognize the CVE-2024-3094 report if you saw it. Malware and trojans in open source dependencies are nothing new for JavaScript developers either. How is Bun handling these supply chain security aspects? What protective measures are in place? We’ll explore these these topics and raise awareness on how to secure your Bun applications from supply chain attacks.

I expect even more Bun security content to be added to the course as Bun matures. Exciting times ahead!

Ok, I’m hooked on Bun Security, what’s next?

Awesome! Nothing makes me happier than seeing developers interested in security. If you want to level up, whether you adopted Bun full time or just started playing with it, the Bun Security course is for you. You can now pre-order the Bun Security book and course and considerably advance your JavaScript security skills.