TypeScript.fm - The Friendly Show for TypeScript Developers

Building Secure TypeScript Applications | Liran Tal | Ep 28B

Listen Later

Liran Tal (lirantal.com) from Snyk joins us to dive deep into writing secure TypeScript applications. What's different compared to vanilla JavaScript security? Will schema validators fix all our woes? Can't we let LLMs find and fix security vulnerabilities? Liran educates us about the pitfalls and risks with misplacing trust in TypeScript and LLMs and what we can do to write more secure code.

Chapters

  • (00:00) - Introducing Liran Tal
  • (02:56) - What's Special About TypeScript Security vs. JavaScript Security?
  • (04:23) - Misplacing Trust in Types
  • (05:49) - Practical Examples of TypeScript Security Issues
  • (08:43) - Why Does TypeScript Security Matter?
  • (10:23) - TypeScript is Not a Security Tool
  • (11:14) - How Does HTTP Parameter Pollution Work?
  • (12:45) - Ways to Mitigate Parameter Pollution
  • (15:44) - Schema Validators Won't Always Save You
  • (16:51) - How Prototype Pollution Works
  • (18:23) - Exploiting Schema Validators Through Prototype Pollution
  • (21:50) - Mitigating Prototype Pollution Risks
  • (25:21) - Consequences of Prototype Pollution
  • (27:23) - Ways to Safely Merge Objects
  • (30:03) - How Can TypeScript Developers Improve Their Security Posture?
  • (33:17) - How Do LLMs Impact Secure Coding?
  • (39:11) - Misplacing Trust in AI-Generated Code
  • (41:10) - Can LLMs Review and Fix Secure Code?
  • (45:57) - So We're All Doomed, Right?
  • (48:31) - Bonus: Game Development as a Teaching Tool
  • (54:48) - Where to Find Liran

    • Links
    • Liran's website and blog
    • Talk: Friend or Foe? TypeScript Security Fallacies
    • Course: Node.js Security Course
    • Book: Essential Node.js Security
    • Book: Serverless Security
    • Tool: npq (welcoming contributions!)
    • https://github.com/lirantal/is-website-vulnerable
    • Game: Dependency Frost
    • Paper: Are AI-generated fixes secure? (July 2025)

    Sponsored by Excalibur.js
    Excalibur.js is the friendly TypeScript game engine for making 2D web games. Use your TypeScript or JavaScript skills to make games! Excalibur comes out-of-the-box with everything you need to make web games, like physics, sprites, animations, sound effects, input, and particles. Design your assets with tools like Aseprite and Tiled, then load them natively using first-party plugins.

    Music
    Seahorse Dreams by Kubbi (Spotify)

    ...more
    View all episodesView all episodes
    Download on the App Store
    TypeScript.fm - The Friendly Show for TypeScript DevelopersBy Kamran Ayub and Erik Onarheim
    • 4.8
    • 4.8
    • 4.8
    • 4.8
    • 4.8

    4.8

    6 ratings

    More shows like TypeScript.fm - The Friendly Show for TypeScript Developers

    View all
    Software Engineering Radio - the podcast for professional software developers by team@se-radio.net (SE-Radio Team)

    Software Engineering Radio - the podcast for professional software developers

    273 Listeners

    Modern Web by Modern Web

    Modern Web

    12 Listeners

    JavaScript Jabber by Charles M Wood

    JavaScript Jabber

    62 Listeners

    Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

    Syntax - Tasty Web Development Treats

    985 Listeners

    Practical AI by Practical AI LLC

    Practical AI

    212 Listeners

    Last Week In AWS Podcast by Corey Quinn

    Last Week In AWS Podcast

    79 Listeners

    PodRocket by LogRocket

    PodRocket

    61 Listeners

    Oxide and Friends by Oxide Computer Company

    Oxide and Friends

    67 Listeners

    Front-End Fire by TJ VanToll, Paige Niedringhaus, Jack Herrington

    Front-End Fire

    11 Listeners