Description
Hi all!
In the last months we have been focused on improving the codebase with tests, mostly e2e tests and CI.
Now we are more confident in the source code and it's easier to validate PRs and merge new contributions. I think it is a good time to discuss the roadmap for NodeGoat in the following months.
Right now we are close to publishing release 1.4, which includes e2e tests and CI. I just want to suggest some possible targets for the following releases.
Release 1.5
Main goal:
- Improve source code
Pending PRs (Update/review):
- Change app.csp() to contentSecurityPolicy() (#119)
- Replace helmet.xframe() with helmet.frameguard(), xframe is deprecated (#118)
- Adding secondary /api/login route for JSON user login processing (#91)
- Upgrade dependencies (#169)
Targets:
- Add nodemon #156 (asg: @servatj): Forever is not in use, let's move to Nodemon as an npm script
- Migration to Node 12 #150 (asg: @UlisesGascon): migration to Node 12 (support for Node 12|10|8)
- We need a CONTRIBUTING guide and CoC #151 (asg: @UlisesGascon): add CONTRIBUTING guide and CoC (PR #177: CoC and contribution guidelines)
- Migration to EJS #157 (asg: @flippedcoder): migration from Swig (deprecated) to EJS
- Migration to ES6+ #152 (asg: @lucas1004jx, @UlisesGascon): migration to ES6+ (PR #185: Migration to ES6)
- Upgrade dependencies #153: upgrade the dependencies in package.json to the latest secure versions, see: Low severity vulnerability affecting this repo #82
- Migration from Grunt to npm scripts #149 (asg: @servatj): migration from Grunt to npm scripts
- Harmonize the JS style #154 (asg: @carlosazaustre, @UlisesGascon): harmonize the JS style with Standard and Prettier
- Let's add git hooks for linting and testing #155 (asg: @UlisesGascon): let's add git hooks for linting and testing with Husky
- Migration to bcrypt #158 (asg: @PeterWunderlich): migration from bcrypt-nodejs (deprecated) to bcrypt
- Improve Cypress script #159: improve the Cypress and Travis scripts, e.g. cy.exec validation
- Migration from Mocha to Jest and add unit tests
- We need a definitive cool super-fancy logo! 💪
- Let's simplify the configuration steps
- Update README and relevant documentation
- Let's add multi-language support for the Tutorial Guide; this will help the use of NodeGoat as a very effective workshop tool for non-English speakers
- Include ZAP testing in the CI workflow, see: Add test suite and integrate to run on CI #34 and the Guide
- Migration to purpleteam suggested by @binarymist in issue #142
- Add code review checklist (#37)
- Example / Implementation for noSQL Injection (#90) by @lirantal
- Autogenerate documentation (Readme.md, dependencies...). Assigned to @UlisesGascon
- Let's include codeclimate
Release 1.6
Main goal:
- Refresh to OWASP 2019
- Let's refresh the technology that we use 💪
Targets:
- Implement REST API endpoints (#180)
- Implement Client Side Rendered UI with React (#181)
- Implement Auth for REST endpoints (#182)
- Demonstrate API security issues (#183). See
- Tutorial and hands-on labs guide for securing REST endpoints (#184)
Open Questions && Discussions
Main goals/ideas suggested by @ckarande:
- Upgrade to the latest OWASP Top 10 (Update the project for OWASP Top 10 for 2017 #99)
Honestly, I didn't find certain new additions to the OWASP Top 10 2017 very relevant to Node.js usage (e.g., not many Node.js users deal with XML), but in the spirit of demonstrating the Top 10, it could be worth explaining / incorporating the latest OWASP Top 10 list. I would like to retain some of the existing vulnerabilities from the OWASP Top 10 2013 version that are not in the 2017 version (such as CSRF, Insecure Redirects, etc.). So we can make two sections on the tutorial site: OWASP Top 10 2017, and Beyond OWASP Top 10.
- Provide versions that are close to real world Node.js usage
As you may know, the current version of NodeGoat uses templates for rendering the UI and cookie-based stateful sessions. This architecture is good for beginners, offering the least resistance to start diving into the security-specific concepts. However, I would like to provide two additional versions of NodeGoat that are closer to real-world Node.js apps and demonstrate security vulnerabilities in the context of these architectures:
- Architecture 2: using client-side rendering with React (or Vue/Angular) and stateless session management using JWT. As part of this, upgrade the UI build system to use webpack / the UI framework's own build CLI.
- Architecture 3: various services broken down into individually deployable micro services.
Also check: Implement reference secure versions of Node Goad app built using different frameworks #38
If we have a clear roadmap it will be super easy to recruit contributors and provide them a clear path to follow :-)
I will try to set up a local Hackathon in Madrid to recruit new contributors and close some issues 👍
In order to keep everything smooth and simple to review, I suggest working with one issue per feature, linking those issues to small PRs, and committing using GitFlow (branches per release) so we can concentrate all the PRs per release. Then a final PR from the release branch to master in order to bump the package version and deploy to Heroku.
What do you think? Do you agree with the targets/items for release 1.5? I think we still need to discuss 1.6 a lot more, as right now it is very conceptual.
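The roadmap item "Example / Implementation for noSQL Injection (#90)" and the 1.6 target "Implement Auth for REST endpoints" both come down to the same login-handler mistake. The block below is an added illustration written for this page; it is not NodeGoat's own code and does not touch MongoDB. It assumes an Express handler whose `req.body` comes from the JSON body parser (so the client can send objects, not just strings), a constructed in-memory `USERS` array in place of the `users` collection, and a deliberately simplified model of how MongoDB evaluates `$gt` / `$ne` (an assumption, only enough to show the effect). Passwords are kept in plaintext in the sample purely so the comparison stays visible; with the planned bcrypt migration the lookup would be by username and the hash compared afterwards.

```javascript
// Added example (not NodeGoat's own code): MongoDB operator injection in a
// login handler, and the type check that closes it.
//
// With Express + the JSON body parser, req.body is parsed JSON, so a client can
// post {"username": {"$gt": ""}} instead of a string. If that object is dropped
// straight into a MongoDB filter, the query operator becomes part of the query.

// Constructed sample data standing in for the "users" collection (assumption).
const USERS = [
  { _id: 1, username: 'admin', password: 'hunter2' },
  { _id: 2, username: 'alice', password: 'wonderland' },
];

// Vulnerable: whatever JSON the client sent becomes the filter verbatim.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: only plain strings may reach the filter; anything else, including
// an object such as {"$gt": ""}, is rejected before it reaches the database.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Defence in depth for any user-controlled object that will be used as a
// filter: reject keys starting with "$" at any depth (the same idea that the
// mongo-sanitize / express-mongo-sanitize packages implement).
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperatorKey(v)
    );
  }
  return false;
}

// Simplified model of MongoDB filter evaluation (assumption: real MongoDB
// semantics are far richer; only equality, $gt and $ne are modelled here, which
// is enough to show why {"$gt": ""} matches every string-valued field).
function fieldMatches(actual, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$gt') return typeof actual === 'string' && actual > arg;
      if (op === '$ne') return actual !== arg;
      throw new Error(`operator ${op} not modelled in this example`);
    });
  }
  return actual === cond;
}

function findUsers(filter) {
  return USERS.filter((u) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(u[field], cond))
  );
}

// Simulated login: returns the usernames the filter matched, or null when the
// filter builder refused the request body.
function login(body, buildFilter) {
  let filter;
  try {
    filter = buildFilter(body);
  } catch (e) {
    return null;
  }
  return findUsers(filter).map((u) => u.username);
}

// Constructed request bodies: one honest, one carrying the operator payload.
const honestBody = { username: 'alice', password: 'wonderland' };
const injectedBody = { username: { $gt: '' }, password: { $gt: '' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(login(honestBody, buildLoginFilterVulnerable));   // [ 'alice' ]
  console.log(login(injectedBody, buildLoginFilterVulnerable)); // [ 'admin', 'alice' ]
  console.log(login(injectedBody, buildLoginFilterSafe));       // null
  console.log(containsOperatorKey(injectedBody));               // true
}
```

The vulnerable builder lets the injected filter match every account (the attacker is logged in as the first match, here `admin`) without knowing any password; the hardened builder fails closed on anything that is not a string, and `containsOperatorKey` is the generic check to run on any request object that is later handed to the driver.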