💾 15.2 Open Source Cybersecurity Framework (CSF) Assessment Tool - Pointy Clicky How to Install Demo

Transcript

Hey, welcome back! This is a point-and-clicky demo of how to install the CSF Profile Assessment database out here on GitHub under CPA to Cyber Security CSF Profile.

So if I scroll down a little bit, we've got an introduction to the tool. It's designed to help organizations implement and assess their cyber posture according to CSF. We already knew that. Let's get to the pointy clicky right here: Installation and setup.

So I've got a terminal open. I'm using VS Code. You could also just use the terminal on a Mac or, you know, various options. I grab where to git clone the thing from, drop it in, and hit enter. That's it. Not a very big file.

Now we need to install the dependencies. So I'll do npm install. We've got the dependencies. And so now we start the React database. And it's spinning up in a browser. I'll bring it over now.

So here it is in Safari, just like I showed you with Dr. Oer. The address is localhost:3000. And that's it!

Hey, actually that's not it. There's one more thing. Our focus here being cyber security, we should probably talk about those software vulns that popped up when I went to install npm. And you're likely to see that happen as well when you go to download this package. It's very common in JavaScript development.

And the bottom line here is that the eight I'm seeing on my screen here are all development dependencies, which don't pose a material risk to my use of them on a Mac in a local deployment. And I don't think they'd pose a risk to you either. However, I do welcome feedback from the community so we can all make sure that, you know, we protect and enable each other.

So typically in JavaScript development, or any development, when you see something like this, it doesn't necessarily mean you need to panic when you see six high, two moderate. You need to understand more details of what is the context that is being used for our deployment.

So for my comfort level, to understand what I'm seeing here and whether it applies to my app, I look for nth-check, css-select, svgo as the react-scripts being used, and open up the package JSON: cat package.json. We look at the scripts being used: react-scripts start, build, test, and eject. None of the vulnerable ones is in there.

So anyways, that's why I think I'm comfortable and you should be too. But let's crowdsource this. And if you have any questions, don't hesitate to ask.
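The triage the speaker walks through by hand (find the advisory chain nth-check -> css-select -> svgo under react-scripts, then check package.json to see whether that root is a dev dependency and which scripts use it) can be scripted. The following is an added example, not code from the video or from the CSF Profile Assessment repository. It parses a constructed, trimmed `npm audit --json` (report version 2) document and a constructed package.json; the package "demo-prod-lib" is invented to show what a production-reachable finding looks like next to the dev-only chain, and react-scripts is placed under devDependencies for the sample. If a project lists react-scripts under dependencies instead, the script will report the chain as production-reachable, which is the cue to read the context manually as the speaker does.

```python
"""Classify npm audit findings as dev-only or production-reachable (added example)."""
import json

# Constructed sample (not real npm output): a trimmed `npm audit --json` report
# modelled on the chain the video names. Advisory text and the package
# "demo-prod-lib" are invented for illustration.
AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "nth-check":     {"name": "nth-check", "severity": "high", "isDirect": false,
                      "via": [{"title": "constructed advisory", "severity": "high"}],
                      "effects": ["css-select"]},
    "css-select":    {"name": "css-select", "severity": "high", "isDirect": false,
                      "via": ["nth-check"], "effects": ["svgo"]},
    "svgo":          {"name": "svgo", "severity": "high", "isDirect": false,
                      "via": ["css-select"], "effects": ["@svgr/webpack"]},
    "@svgr/webpack": {"name": "@svgr/webpack", "severity": "high", "isDirect": false,
                      "via": ["svgo"], "effects": ["react-scripts"]},
    "react-scripts": {"name": "react-scripts", "severity": "high", "isDirect": true,
                      "via": ["@svgr/webpack"], "effects": []},
    "demo-prod-lib": {"name": "demo-prod-lib", "severity": "moderate", "isDirect": true,
                      "via": [{"title": "constructed advisory", "severity": "moderate"}],
                      "effects": []}
  }
}
"""

# Constructed package.json: react-scripts as a dev dependency, one invented
# runtime dependency, and the four scripts the video lists.
PACKAGE_JSON = """
{
  "name": "demo-app",
  "scripts": {"start": "react-scripts start", "build": "react-scripts build",
              "test": "react-scripts test", "eject": "react-scripts eject"},
  "dependencies": {"react": "*", "react-dom": "*", "demo-prod-lib": "*"},
  "devDependencies": {"react-scripts": "*"}
}
"""


def load_sample():
    """Return the constructed audit report and package.json as dicts."""
    return json.loads(AUDIT_JSON), json.loads(PACKAGE_JSON)


def direct_roots(vulns, name, seen=None):
    """Follow `effects` (the packages that depend on `name`) upward until the
    direct, top-level packages are reached. Returns the set of their names."""
    seen = set() if seen is None else seen
    if name in seen or name not in vulns:
        return set()
    seen.add(name)
    entry = vulns[name]
    if entry.get("isDirect"):
        return {name}
    roots = set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(vulns, dependent, seen)
    return roots


def classify(audit, pkg):
    """For every finding, decide whether it is reachable only through
    devDependencies, through a runtime dependency, or cannot be traced."""
    vulns = audit["vulnerabilities"]
    dev = set(pkg.get("devDependencies", {}))
    prod = set(pkg.get("dependencies", {}))
    report = {}
    for name, entry in vulns.items():
        roots = direct_roots(vulns, name)
        if roots and roots <= dev:
            reach = "dev-only"
        elif roots & prod:
            reach = "production"
        else:
            reach = "unknown"
        report[name] = {"severity": entry["severity"], "reach": reach, "roots": sorted(roots)}
    return report


def severity_counts(audit):
    """Reproduce the 'N high, M moderate' summary npm prints."""
    counts = {}
    for entry in audit["vulnerabilities"].values():
        counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return counts


def scripts_using(pkg, package_name):
    """The `cat package.json` check: which scripts invoke a given package."""
    return sorted(k for k, cmd in pkg.get("scripts", {}).items() if package_name in cmd.split())


if __name__ == "__main__":
    audit, pkg = load_sample()
    print("summary:", severity_counts(audit))
    for name, info in classify(audit, pkg).items():
        print(f"{name:16} {info['severity']:9} {info['reach']:11} via {', '.join(info['roots']) or '-'}")
    print("scripts using react-scripts:", scripts_using(pkg, "react-scripts"))
```

Run against a real project with `npm audit --json > audit.json` and feed that file plus package.json to `classify` in place of the constructed strings. The "unknown" bucket catches findings whose `effects` chain never reaches a direct dependency, which is worth a manual look rather than an automatic dismissal.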
