What is a MEAN stack?
Valued for its versatility in building fast, robust and maintainable applications, MEAN is in high demand.
What Came Before MEAN? LAMP.
Just as Darwin would have predicted, the transition away from LAMP (Linux, Apache, MySQL and PHP) began with the shift to cloud ecosystems. Let’s take a closer look at why LAMP was abandoned for the more suitable MEAN stack for cloud deployments:
Node.js is not just a simple web server. In this case, the web server is included in the application and installed in the MEAN stack. As a result, the deployment process is much simpler because the required version of the web server is explicitly defined along with the rest of the runtime dependencies. This solution also works well within DevOps processes.
JSON Native Speaker
Angular and MongoDB both speak JSON, as do Node.js and Express. The data flows neatly among all layers with no need to re-write or re-format. MySQL’s native format for answering queries is, well, all its own. Of course, PHP already has the code to import MySQL data and make it easy to process in PHP, but that doesn’t help the client layer. And yes, for LAMP veterans it could be a bit minor because there are so many well-tested libraries that convert the data easily, but the process remains inefficient and confusing.
MEAN uses the same JSON format for data everywhere, making it simpler and saving time on re-formatting as it passes through each layer. Plus, JSON’s ubiquity through the MEAN stack makes working with external APIs that much easier: GET, manipulate, present, POST and store all within one format.
Real Full-Stack Architecture
MEAN stack introduces a new type of architecture that was previously more complicated to manage:
- Client-side single-page application (SPA) instead of having server-side page generation.
- With Express, you can still handle server-side routing and page generation, but the emphasis is now on client-side views, thanks to AngularJS.
- You leave a synchronous architecture for an event-driven and asynchronous one.
- Your application is no longer a page-centric view but is component-oriented.
...with a full stack team.
Evolution of MEAN
According to 2018 MEAN trends (1), the community is working on providing new frameworks on top of Node.js/Express. In fact, there are now many robust server-side frameworks to choose from in the Node.js ecosystem like Hapi, Sails, LoopBack and RESTify to name a few.
Last, but not least, MongoDB could be replaced by other NoSQL data storage tools like CouchDB, CouchBase, Cosmos DB, Amazon Dynamo, etc.
The evolution is inevitable, but the MEAN concept remains the same. The technical frameworks could be replaced to better support new constraints like integrating microservices components or be resistant to security vulnerabilities.
Vulnerabilities in The MEAN Stack
Achieving full stack development actually gives one the ability to traverse the entire stack competently, but it also makes interacting and cooperating with operations and security an easier affair. In the DevOps environment it will clearly offer substantially more value to their respective organizations.
One of the toughest challenges for full stack developers is to deliver safe software continuously, always keeping an eye towards security. Having deep exposure into all layers of the stack puts full stack developers in the front seat for maintaining the application’s security posture. It’s therefore critical that risks and security implications of each constituent technology are fully understood. And since these developers are also now on the hook for delivering secure web applications, they must also address vulnerabilities and validate all layers of the application for security. But how vulnerable is each layer to being compromised?
Using MEAN out of the box, what to expect?
By default, the MEAN stack can be considered as fully secured at the front-end and not at all secured at the back-end.
Let’s start with the Front-End; AngularJS and even to a greater extent Angular are coming secured by default. Using the framework components will limit the amount of code. Like all the web client-side frameworks, you are exposed to cross-site scripting attack, but it will require that you intentionally deactivate the security checks and the input validation mechanism. Of course, HTML templating can introduce indirect cross-site scripting vulnerabilities, but it is possible to detect cross-technology injection defects. Regarding the security of the communication and data deserialization, using the AngularJS/Angular official API will give you safe and trustable data to display to the user.
The back-end side is another story. Express.js and Node.js are coming without any preconfigured security options and you need to really take care of it when designing your application. Third-party framework like Helmet provides a set of predefined APIs to quickly secure your server but you will have to manage the secured communication via certificate management, ensuring proper deserialization of incoming data, etc. In addition, you will have to be careful with all the third-party frameworks in the Node.js ecosystem. The CVE vulnerabilities list is updated frequently and requires migration to avoid exposure, but migration could also break API compatibility and your application, you have to work the tradeoffs between potential security threats and functional impact.
Finally, MongoDB will not come secured by default. It is a misconception that MongoDB is immune to injection-type attack. Even if it is not susceptible to SQL language abuses, it can be vulnerable to NoSQL injection through the client API and its JSON document-based interface. Like Node.js, MongoDB API are most of the time managed by third-party libraries that are already referenced in the CVE vulnerability listings.
Evolution for 2019
Last, but not least, microservices architecture will be an additional challenge for the full-stack team. Performance, reliability and security must be considered as a whole. And never stop asking – what do you MEAN?