San Francisco — November 9, 2017 – NodeSource, the Node.js® company, and Sqreen, a SaaS security monitoring and protection solution, today announced the results of a joint developer survey. The survey of nearly 300 CTOs, CIOs and developers revealed that, while the developer community fully understands the risks of operating in the open internet and the complexities of building reliable, secure code, developers are not taking advantage of tools that can identify and mitigate threats.
Apps Are Complex, and Attacks Are Imminent
A majority of survey participants (71 percent)—including 85 percent of CTOs and CIOs—believe that their job requires taking security seriously, and more than a third of all respondents (34 percent) believe there is a strong chance their organization will be the target of a large-scale attack in the next six months.
Meanwhile, fewer than half of developers are confident in the code they write and run:
- 60 percent of developers aren't confident in the security of their applications
- Only 31 percent feel confident that their code doesn't contain vulnerabilities
As for code written by others, 84 percent of developers are "moderately" or "very" confident in the security of core Node.js, but:
- 40 percent feel that third-party modules pose the greatest risk to application security
- Only 16 percent are confident that the third-party modules they use are vulnerability-free
"Our survey results clearly demonstrate that security is a concern for developers—but not a priority," said Joe McCann, CEO of NodeSource. "At NodeSource, we pride ourselves on being a part of the simple solution to this problem."
Given this healthy skepticism about the security of the code they're using, it would seem logical for developers to seek out the best possible tools to help secure their applications. Surprisingly, that's not what happens:
- Fewer than a third (30 percent) of developers combine manual and automatic code reviews to search for flaws
- Despite strong concerns about third-party modules, fewer than a third (30 percent) use automated tools to discover vulnerable modules
- 40 percent don't even check if there are known vulnerabilities in their third-party dependencies
| How do you make sure your code doesn't contain vulnerabilities? | How do you verify there are no known vulnerabilities in your packages? |
| ---------- | ---------- |
| Manual code reviews only - 44% | Manual checks - 26% |
| Automated code reviews - 13.5% | Automated checks - 30% |
| Manual and automated reviews - 30% | Other - 4% |
| No code reviews of any kind - 12% | No reviews of any kind - 40% |
Only 35 percent of companies with fewer than 1,000 employees combine both code reviews and automated tools to check for vulnerabilities. Larger organizations make it a bit more of a priority: 62 percent say they do both.
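The check that 40 percent of respondents skip is mechanical: walk the versions actually resolved in the lock file and compare each against a list of known-vulnerable ranges. The script below is an added illustration, not code from NodeSource, Sqreen or the survey. The lock-file snippet, the package names and the advisory entries (their "ADV-" identifiers included) are constructed for the example; a real run would take the advisory list from a maintained feed, which is what a tool such as `npm audit` does for you. The semver handling is deliberately minimal and is noted as such in the comments.

```javascript
// Added example (not from the survey or either company): walk a lock file's
// resolved versions and match them against a known-vulnerability list. Both
// the lock-file snippet and the advisory entries below are constructed for
// illustration; in practice the advisory feed is what an audit tool consults.
const lockFile = {
  name: "example-app",
  dependencies: {
    "example-template-engine": { version: "2.1.4" },
    "example-query-parser": {
      version: "1.0.9",
      // transitive dependency: the app never lists it, but it ships with the app
      dependencies: { "example-deep-merge": { version: "0.3.2" } },
    },
    "example-logger": { version: "5.2.0" },
  },
};

// Constructed advisories (hypothetical modules and identifiers).
const advisories = [
  { id: "ADV-0001 (constructed)", module: "example-template-engine", vulnerable: "<2.2.0", severity: "high", title: "server-side template injection" },
  { id: "ADV-0002 (constructed)", module: "example-deep-merge", vulnerable: ">=0.3.0 <0.4.1", severity: "critical", title: "prototype pollution" },
  { id: "ADV-0003 (constructed)", module: "example-logger", vulnerable: "<4.0.0", severity: "moderate", title: "log injection via unescaped input" },
];

function parseVersion(v) {
  // Simplification: a prerelease suffix ("1.0.0-beta") is dropped, which treats
  // it as the release it precedes; full semver orders prereleases lower.
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  // Space-separated comparators are ANDed, e.g. ">=0.3.0 <0.4.1".
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Flatten the dependency tree, keeping the path so a transitive hit can be traced.
function collectInstalled(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const chain = [...path, name];
    out.push({ name, version: info.version, path: chain.join(" > ") });
    collectInstalled(info.dependencies, chain, out);
  }
  return out;
}

function findVulnerable(lock, advisoryList) {
  const findings = [];
  for (const pkg of collectInstalled(lock.dependencies)) {
    for (const adv of advisoryList) {
      if (adv.module === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ ...pkg, advisory: adv.id, severity: adv.severity, title: adv.title });
      }
    }
  }
  return findings;
}

const report = findVulnerable(lockFile, advisories);
console.log(report.length ? JSON.stringify(report, null, 2) : "no known vulnerabilities");
```

Running it reports two findings: the directly listed template engine and, more to the point of the survey's concern about third-party code, the transitive `example-deep-merge` that the application never asked for. The logger at 5.2.0 is outside its advisory's range and is not reported. Wire a check like this into CI so a new advisory or an upgraded transitive dependency fails the build rather than reaching production unnoticed.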
Out of Sight, Out of Mind?
Prevention is a key piece of the security puzzle, but identification and remediation of attacks are also critical. Shockingly, the vast majority of developers (79 percent) have poor or no insight into when their applications are under attack. When asked how they know:
- 44 percent said they look at logs
- 11 percent said they look at an APM tool
- 9 percent said they use a SIEM solution
- 35 percent said they have no way of knowing for sure
Fewer than a quarter of Node.js developers (23 percent) use any form of real-time protection against attacks.
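"Looking at logs" only counts as insight if something actually reads them. The script below is an added illustration, not code from NodeSource, Sqreen or the survey, of the minimum a Node.js team can do with the access log it already has: parse each line, decode the request path, apply a couple of signature rules, and count client errors per source address to catch probing. The log lines are constructed to resemble the "combined" format that the `morgan` middleware emits; the IP addresses are from documentation ranges, and the rules and threshold are assumptions chosen for the example, not a complete detection set.

```javascript
// Added example (not from the survey or either company): scan a Node.js/Express
// access log for signs of attack. The lines below are constructed to look like
// morgan's "combined" format; the rules are deliberately simple illustrations.
const sampleLog = [
  '203.0.113.5 - - [09/Nov/2017:10:15:02 +0000] "GET /api/users?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [09/Nov/2017:10:15:07 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 21 "-" "curl/7.55.1"',
  '198.51.100.7 - - [09/Nov/2017:10:15:08 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 21 "-" "curl/7.55.1"',
  '203.0.113.5 - - [09/Nov/2017:10:15:20 +0000] "GET /api/users?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 88 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [09/Nov/2017:10:16:01 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/7.55.1"',
  '198.51.100.7 - - [09/Nov/2017:10:16:02 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/7.55.1"',
  '198.51.100.7 - - [09/Nov/2017:10:16:03 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/7.55.1"',
  '198.51.100.7 - - [09/Nov/2017:10:16:04 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/7.55.1"',
  '198.51.100.7 - - [09/Nov/2017:10:16:05 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/7.55.1"',
  '203.0.113.9 - - [09/Nov/2017:10:17:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// ip ident user [time] "method path protocol" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not trusted
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[6]) };
}

function decodeSafely(s) {
  // Decode up to twice so double-encoded payloads (%252e%252e) are also seen;
  // a malformed escape sequence leaves the string as it was.
  let out = s;
  for (let i = 0; i < 2; i++) {
    try {
      const d = decodeURIComponent(out);
      if (d === out) break;
      out = d;
    } catch (e) {
      break;
    }
  }
  return out;
}

// Assumed rule set for the example; a real deployment would carry many more.
const RULES = [
  { name: "path-traversal", test: (p) => /(\.\.\/|\.\.\\)/.test(p) },
  { name: "sql-injection", test: (p) => /['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select/i.test(p) },
];

function detectOnLine(entry) {
  const decoded = decodeSafely(entry.path);
  return RULES.filter((r) => r.test(decoded)).map((r) => r.name);
}

// Returns per-line signature hits plus sources that produced a burst of 4xx
// responses, which usually means scanning or credential guessing.
function analyzeLog(lines, burstThreshold = 5) {
  const lineFindings = [];
  const clientErrors = new Map();
  lines.forEach((line, i) => {
    const entry = parseLogLine(line);
    if (!entry) return;
    const rules = detectOnLine(entry);
    if (rules.length) lineFindings.push({ line: i + 1, ip: entry.ip, path: entry.path, rules });
    if (entry.status >= 400 && entry.status < 500) {
      clientErrors.set(entry.ip, (clientErrors.get(entry.ip) || 0) + 1);
    }
  });
  const burstSources = [...clientErrors].filter(([, n]) => n >= burstThreshold).map(([ip]) => ip);
  return { lineFindings, burstSources };
}

console.log(JSON.stringify(analyzeLog(sampleLog), null, 2));
```

On the constructed log this flags the two traversal attempts (the second only because the path is decoded first), the injection attempt against `/api/users`, and `198.51.100.7` as a burst source after seven client errors. Note what a pure signature pass misses: the 401 run is invisible to the per-line rules and only shows up in the per-source count, which is the reason to keep both kinds of logic even in a first-cut detector.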
"Node is revolutionizing development for enterprises, but there is a lot of work to do to ensure the ecosystem remains secure," said Jean-Baptiste Aviat, Co-Founder and CTO of Sqreen. "Developers have a wide array of security tools at their disposal that they are simply not using. We have more work to do evangelizing the importance of security tools for the health of the Node ecosystem."
Sqreen is a leading application security solution, delivering SaaS-based security monitoring and protection solutions to improve data security at scale. With its unique in-app technology, Sqreen delivers a fully automated security solution that adapts to the security needs of each application in real time. With Sqreen, engineering teams can integrate a powerful protection solution against intrusions and data loss without slowing their development cycles down. Founded by former security experts at Apple, Sqreen protects hundreds of apps and companies like Algolia, Front, Toptal, and Helpling. For more information, visit https://www.sqreen.io/.
NodeSource is a technology company dedicated to delivering enterprise-grade solutions in support of a sustainable ecosystem for the open source Node.js project. We aim to drive and expand the Node.js ecosystem by providing best-of-breed solutions that specifically target the needs of businesses deploying Node.js. Customers include NASA, Uber, PayPal, Condé Nast, and other progressive Node.js adopters. NodeSource is a privately held company backed by RRE Ventures and Crosslink Capital. For more information, visit NodeSource.com and follow @NodeSource on Twitter.
Hannah Ruark for NodeSource