Node.js Popular With DevOps, But Security Lags
Developers are painfully aware of the risks inherent in deploying applications on the open Internet, but few are using tools designed to secure code and mitigate risks.
Perhaps reflecting the current harried state of application development, few are confident their code is free of vulnerabilities—an acknowledgment that it is increasingly difficult to remain one step ahead of sophisticated hackers. Sixty percent of developers said they worry about the security of their applications while only 16 percent were confident that third-party modules used in application development are free of vulnerabilities.
Those concerns have been heightened by the greater availability and use of often-buggy open source code, security experts note.
"Our survey results clearly demonstrate that security is a concern for developers—but not a priority," NodeSource CEO Joe McCann noted in a statement releasing the survey.
Despite widespread worries among developers about code security, the vendors claim DevOps teams have been slow to embrace tools needed to secure applications. Along with the security tools the vendor survey was intended to promote, other AI-based testing tools are emerging to help developers move beyond manual testing to leverage automated continuous testing.
Those requirements are growing as the pace of application releases accelerates from once a month to weekly. Meanwhile, code is often updated several times a day.
The NodeSource/Sqreen survey nevertheless found that only 30 percent of respondents combine manual and automated code reviews to spot known vulnerabilities. The same percentage said they scan third-party code to discover vulnerable modules. Overall, only 35 percent of companies surveyed combine code reviews with automated tools to search for vulnerabilities.
"Developers have a wide array of security tools at their disposal that they are simply not using," added Jean-Baptiste Aviat, co-founder and CTO of Sqreen, a provider of security monitoring software. The startup's founders are former security specialists at Apple (NASDAQ: AAPL).
The survey authors emphasized the growing need for real-time protection to identify and fend off attacks. According to their results, only 23 percent of Node.js developers used any form of real-time threat detection. Most (44 percent) inspect logs while a smaller percentage reported using tools like security information and event management software.
Meanwhile, 35 percent of developers acknowledged they had no way of knowing with certainty when their applications were under attack.
"Node.js is emerging as the runtime of choice for DevOps," the company asserted.