NodeSource and Sqreen released a study that should be a wakeup call for developers: The majority of them report not trusting the security of their own code.
Some 60% of Node.js developers, in fact, say that they aren't confident in the security of the code they write, while only 31% say they are.
At first glance that may seem encouraging: Developers understand their own shortcomings, and realize that they don't write flawless code. That level of awareness could lead to better app security through a thorough review process, both automated and manual.
That doesn't seem to be the case, though.
Who to trust?
Let's not sell developers short—most of them do review their code in some way, according to the report. Many (44%) perform manual reviews, and 30% perform both manual and automated reviews. Only 12% are guilty of not reviewing their code at all.
SEE: The downside to the developer revolution: Big data (in)security (TechRepublic)
Where the real problem comes from, at least in the eyes of the devs doing the coding, is third-party dependencies. Only 16% have confidence in the security of the third-party packages they use.
That said, it would make sense for much of the code review process to focus more on outside code. It doesn't, though: 40% said they skip the review process for third-party packages.
Fix it in post?
If the numbers NodeSource and Sqreen present are accurate, it's safe to assume that a lot of flawed code is going out to the masses. The hope would be that software is closely monitored once it's live so bugs can be discovered and fixed as soon as possible.
However, again, that doesn't seem to be the case.
According to the report, only 20% of developers are using an APM or SEIM solution to monitor their software once it's live. The other 79% either simply look at logs, or say they "have no way of knowing for sure" when their applications are under attack.
SEE: The Successful Web Developer Roadmap (TechRepublic Academy)
NodeSource and Sqreen conclude that developers "understand well the risks of operating in the open internet ... but are unwilling to take advantage of tools that can help" prevent flawed code from being released and identify attacks.
As long as code gets rushed through the review process there will be security holes to exploit, and we'll continue to find ourselves in an age of messy, ineffective cybersecurity. It's time for all developers to accept responsibility for flawed code and stop ignoring attacks to live platforms.
The top three takeaways for TechRepublic readers:
- A report out from NodeSource and Sqreen found that a majority of developers lack confidence in the security of their code, and even more lack confidence in the security of third-party dependencies.
- Despite that lack of confidence, many developers ignore the code review process, or don't review code thoroughly enough,
- Only 20% of developers have methods in place to monitor, track, and respond to attacks. The rest say they can't be sure when or where attacks happen.
- Report: 40% of IT security leaders don't change default admin passwords (TechRepublic)
- DevOps the forgotten team when it comes to security: CyberArk (ZDNET)
- How to make your employees care about cybersecurity: 10 tips (TechRepublic)
- Microsoft's new open source tool can scan your website for security and performance headaches (ZDNET)
- Password Management Policy (Tech Pro Research)
- 15 books every programmer should read (free PDF) (TechRepublic)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.