Inside Advanced Scale Challenges|Monday, June 25, 2018

Node.js Popular With DevOps, But Security Lags 


Developers are painfully aware of the risks inherent in deploying applications on the open Internet, but few are using tools designed to secure code and mitigate risks.

A survey released by Node.js JavaScript runtime vendor NodeSource and software security startup Sqreen found that more than one-third of the Node.js developers and executives polled expect to be hacked. Many said they anticipate a large-scale attack within the next six months.

Perhaps reflecting the current harried state of application development, few are confident their code is free of vulnerabilities—an acknowledgment that it is increasingly difficult to remain one step ahead of sophisticated hackers. Sixty percent of developers said they worry about the security of their applications while only 16 percent were confident that third-party modules used in application development are free of vulnerabilities.

Those concerns have been heightened by the greater availability and use of often-buggy open source code, security experts note.

"Our survey results clearly demonstrate that security is a concern for developers—but not a priority," NodeSource CEO Joe McCann noted in a statement releasing the survey.

Despite widespread worries among developers about code security, the vendors claim DevOps teams have been slow to embrace tools needed to secure applications. Along with the security tools the vendor survey was intended to promote, other AI-based testing tools are emerging to help developers move beyond manual testing to leverage automated continuous testing.

The need for such automation is growing as release cadences accelerate from monthly to weekly, while the code itself is often updated several times a day.

The NodeSource/Sqreen survey found that only 30 percent of respondents combine manual and automated code reviews to spot known vulnerabilities. The same percentage said they scan third-party code to discover vulnerable modules. Overall, only 35 percent of companies surveyed combine code reviews with automated tools to search for vulnerabilities.

"Developers have a wide array of security tools at their disposal that they are simply not using," added Jean-Baptiste Aviat, co-founder and CTO of Sqreen, a provider of security monitoring software. The startup's founders are former security specialists at Apple (NASDAQ: AAPL).

The survey authors emphasized the growing need for real-time protection to identify and fend off attacks. According to their results, only 23 percent of Node.js developers used any form of real-time threat detection. The largest group (44 percent) inspect logs after the fact, while a smaller percentage reported using tools such as security information and event management (SIEM) software.

Meanwhile, 35 percent of developers acknowledged they had no way of knowing with certainty when their applications were under attack.

The developer survey is troubling given the growing popularity of Node.js. San Francisco-based NodeSource reported last summer that the JavaScript runtime has gained considerable momentum among developers since going mainstream earlier in this decade.

"Node.js is emerging as the runtime of choice for DevOps," the company asserted.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).

One Response to Node.js Popular With DevOps, But Security Lags

  1. allen p joslin

    “Developers have a wide array of security tools at their disposal that they are simply not using,”

    Where might one find an overview, descriptions and usage examples of these tools?

    As a developer in an older, smaller company I can only use open-source and entry-level solutions – so it’s: Snyk and log collecting for forensic view; frameworks that mingle a strong security focus [adonis] with ease of use [aurelia]; and trust in my network guys to protect and secure. Our company culture is rather entrenched and doesn’t want to do CI or move beyond their home-built DevOps tools. Code reviews are a non-starter.

    So I’d welcome any pointers to overview & roadmaps for use of any automated security tooling.

