A survey released today by NodeSource, developers of Node.js, and Sqreen, a SaaS security solution, found that while developers are fully aware of security risks associated with operating in the open Internet, they’re lax in implementing tools for threat detection and mitigation.
The survey, which looked at responses from nearly 300 Node.js users — CTOs, CIOs and developers — found that around 71 percent of respondents believe that their job involves taking security seriously while just over a third believe their organization faces imminent attack.
In spite of this, only 31 percent of developers are confident that their code is vulnerability-free while 60 percent are not confident in their application’s security.
“Our survey results clearly demonstrate that security is a concern for developers — but not a priority,” said Joe McCann, CEO of NodeSource. This is supported by much of the survey’s findings, like how only 35 percent of companies with fewer than 1,000 employees combine both automated and manual code reviews for vulnerabilities. This number is higher, 62 percent, for large companies.
Additionally, 40 percent of respondents felt that third-party modules for their Node.js projects pose the greatest risk to application security, but that 40 percent of respondents don’t even bother to check for known vulnerabilities in their third-party dependencies.
“Shockingly,” the survey showed that 79 percent of developers have little to no way to tell when their applications are under attack, with only 23 percent reporting that they employ any kind of real-time protection.
“Developers have a wide array of security tools at their disposal that they are simply not using,” Jean-Baptiste Aviat, co-founder and CTO of Sqreen, said. “We have more work to do evangelizing the importance of security tools for the health of the Node ecosystem.”
More information is available here.