NodeSource and Sqreen Survey: Fewer Than a Quarter of Node.js Developers Use Any Form of Real-Time Protection Against Attacks
NodeSource, the Node.js® company, and Sqreen, a SaaS security monitoring and protection solution, announced the results of a joint developer survey. The survey of nearly 300 CTOs, CIOs and developers revealed that, while the developer community fully understands the risks of operating in the open internet and the complexities of building reliable, secure code, developers are not taking advantage of tools that can identify and mitigate threats.
Apps Are Complex, and Attacks Are Imminent
A majority of survey participants (71 percent)—including 85 percent of CTOs and CIOs—believe that their job requires taking security seriously, and more than a third of all respondents (34 percent) believe there is a strong chance their organization will be the target of a large-scale attack in the next six months.
Meanwhile, fewer than half of developers are confident in the code they write and run:
- 60 percent of developers aren’t confident in the security of their applications
- Only 31 percent feel confident that their code doesn’t contain vulnerabilities
As for code written by others, 84 percent of developers are “moderately” or “very” confident in the security of core Node.js, but:
- 40 percent feel that third-party modules pose the greatest risk to application security
- Only 16 percent are confident that the third-party modules they use are vulnerability-free
“Our survey results clearly demonstrate that security is a concern for developers—but not a priority,” said Joe McCann, CEO of NodeSource. “At NodeSource, we pride ourselves on being a part of the simple solution to this problem.”
Given this healthy skepticism about the security of the code they’re using, it would seem logical for developers to seek out the best possible tools to help secure their applications. Surprisingly, that’s not what happens:
- Fewer than a third (30 percent) of developers combine manual and automatic code reviews to search for flaws
- Despite strong concerns about third-party modules, fewer than a third (30 percent) use automated tools to discover vulnerable modules
- 40 percent don’t even check if there are known vulnerabilities in their third-party dependencies
How do you make sure your code doesn’t contain vulnerabilities?
How do you verify there are no known vulnerabilities in your packages?
Only 35 percent of companies with fewer than 1,000 employees combine both code reviews and automated tools to check for vulnerabilities. Larger organizations make it a bit more of a priority: 62 percent say they do both.
Out of Sight, Out of Mind?
Prevention is a key piece of the security puzzle, but identification and remediation of attacks are also critical. Shockingly, the vast majority of the developers (79 percent) have poor to no insight as to when their applications are under attack. When asked how they know:
- 44 percent said they look at logs
- 11 percent said they look at an APM tool
- 9 percent said they use a SIEM solution
- 35 percent said they have no way of knowing for sure
Fewer than a quarter of Node.js developers (23 percent) use any form of real-time protection against attacks.
“Node is revolutionizing development for enterprises, but there is a lot of work to do to ensure the ecosystem remains secure,” said Jean-Baptiste Aviat, Co-Founder and CTO of Sqreen. “Developers have a wide array of security tools at their disposal that they are simply not using. We have more work to do evangelizing the importance of security tools for the health of the Node ecosystem.”
Sqreen is a leading application security solution, delivering SaaS-based security monitoring and protection solutions to improve data security at scale.
NodeSource is a technology company dedicated to delivering enterprise-grade solutions in support of a sustainable ecosystem for the open source Node.js project.