Node.js Popular With DevOps, But Security Lags
Developers are painfully aware of the risks inherent in deploying applications on the open Internet, but few are using tools designed to secure code and mitigate risks.
A survey released by Node.js JavaScript runtime vendor NodeSource and software security startup Sqreen found that more than one-third of the Node.js developers and executives it polled expect to be hacked. Indeed, many were resigned to large-scales attack over the next six months.
Perhaps reflecting the current harried state of application development, few are confident their code is free of vulnerabilities—an acknowledgment that it is increasingly difficult to remain one step ahead of sophisticated hackers. Sixty percent of developers said they worry about the security of their applications while only 16 percent were confident that third-party modules used in application development are free of vulnerabilities.
Those concerns have been heightened by the greater availability and use of often-buggy open source code, security experts note.
"Our survey results clearly demonstrate that security is a concern for developers—but not a priority," NodeSource CEO Joe McCann, noted in a statement releasing the survey.
Despite widespread worries among developers about code security, the vendors claim DevOps teams have been slow to embrace tools needed to secure applications. Along with the security tools the vendor survey was intended to promote, other AI-based testing tools are emerging to help developers move beyond manual testing to leverage automated continuous testing.
Those requirements are growing as the pace of application releases accelerates from once a month to weekly. Meanwhile, code is often updated several times a day.
The NodeSource/Sqreen survey nevertheless found that only 30 percent of respondents combine manual and automated code reviews to spot known vulnerabilities. The same percentage said they scan third-party code to discover vulnerable modules. Overall, only 35 percent of companies surveyed combine code reviews with automated tools to search for vulnerabilities.
"Developers have a wide array of security tools at their disposal that they are simply not using," added Jean-Baptiste Aviat, co-founder and CTO of Sqreen, a provider of security monitoring software. The startup's founders are former security specialists at Apple (NASDAQ: AAPL).
The survey authors emphasized the growing need for real-time protection to identify and fend off attacks. According to their results, only 23 percent of Node.js developers used any form of real-time threat detection. Most (44 percent) inspect logs while a smaller percentage reported using tools like security information and event management software.
Meanwhile, 35 percent of developers acknowledged they had no way of knowing with certainty when their applications were under attack.
The developer survey is troubling given the growing popularity of Node.js. San Francisco-based NodeSource reported last summer that the JavaScript runtime has gained considerable momentum among developers since going mainstream earlier in this decade.
"Node.js is emerging as the runtime of choice for DevOps," the company asserted.
Related
George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).