Node.js security: Are developers confident in the quality of their code?
A NodeSource and Sqreen joint developer survey of nearly 300 CTOs, CIOs and developers revealed that, while the developer community fully understands the risks of operating in the open Internet and the complexities of building secure code, developers are not taking advantage of tools that can identify and mitigate threats.
Apps are complex, attacks are imminent
A majority of survey participants (71 percent) – including 85 percent of CTOs and CIOs – believe that their job requires taking security seriously, and more than a third of all respondents (34 percent) believe there is a strong chance their organization will be the target of a large-scale attack in the next six months.
Meanwhile, fewer than half of developers are confident in the code they write and run:
- 60 percent of developers aren’t confident in the security of their applications
- Only 31 percent feel confident that their code doesn’t contain vulnerabilities.
As for code written by others, 84 percent of developers are “moderately” or “very” confident in the security of core Node.js, but:
- 40 percent feel that third-party modules pose the greatest risk to application security
- Only 16 percent are confident that the third-party modules they use are vulnerability-free.
Given this healthy skepticism about the security of the code they’re using, it would seem logical for developers to seek out the best possible tools to help secure their applications. Surprisingly, that’s not what happens:
- Fewer than a third (30 percent) of developers combine manual and automatic code reviews to search for flaws
- Despite strong concerns about third-party modules, fewer than a third (30 percent) use automated tools to discover vulnerable modules
- 40 percent don’t even check if there are known vulnerabilities in their third-party dependencies.
Only 35 percent of companies with fewer than 1,000 employees combine both code reviews and automated tools to check for vulnerabilities. Larger organizations make it a bit more of a priority: 62 percent say they do both.
Out of sight, out of mind?
Prevention is a key piece of the security puzzle, but identification and remediation of attacks are also critical. Shockingly, the vast majority of the developers (79 percent) have poor to no insight as to when their applications are under attack. When asked how they know:
- 44 percent said they look at logs
- 11 percent said they look at an APM tool
- 9 percent said they use a SIEM solution
- 35 percent said they have no way of knowing for sure.
Fewer than a quarter of Node.js developers (23 percent) use any form of real-time protection against attacks.