It’s becoming very clear that Node.js is here to stay. Adoption continues to grow, and large software companies are investing in its future. We constantly hear from Node.js developers who have switched their IDEs to VSCode. We have also seen cloud services, such as AWS Lambda, support Node.js natively in their Function-as-a-Service (FaaS) offering.

With this growth comes an increased focus on security risk and vulnerabilities in Node.js software. Enterprises are waking up to the fact that Node.js applications need to be secure for real-world, production deployments to accelerate. The 2018 Node.js User Survey addresses several important security topics, as well as the main drivers of Node.js adoption.

1. Node.js increases developer productivity

Respondents said the #1 business impact of Node.js is developer productivity. A close second was developer satisfaction. What are the drivers? Here are some observations that stand out:

  • Survey respondents described Node.js as “fast”, “easy”, “awesome”, and “powerful”.
  • Node.js has a rich ecosystem of modules that help accelerate time-to-market for new projects.
  • A majority of Node.js developers work for smaller firms (<100 people). This demographic may suggest many startups leverage Node.js to compete against bigger, more established companies.

2. Lack of Node.js security best practices

This need is a big opportunity for the Node.js community. When you do a Google search for Node.js security vulnerabilities, you find pages -- but can you trust them? Oftentimes, the answer is buried in a forum thread among developers. More needs to be done here. Otherwise, Node.js growth may slow in enterprise segments where security is critical.

3. <1% of Node.js developers “focus” on security

This takeaway isn’t much of a surprise, given the leading focus areas for developers are “back-end” and “full stack development”. What does it mean to “focus on security”? It’s possible developers do not have good options for testing their application code. While more needs to be investigated here, the trend is clear - security needs to catch up in terms of educational content and top-of-mind awareness.

4. Most Node.js developers rely on LTS (long term support)

55% of the survey respondents said they rely on the LTS release line. This reliance makes sense, considering enterprises want stable Node.js deployments. However, smaller companies and new developers tend to pull the latest version - perhaps it’s because there is higher risk tolerance among startups, or maybe new developers aren’t sure what version to pick? Regardless, 61% of respondents think it’s important for LTS to exist. Given this response rate, we can expect increased visibility into support timeframes and schedules as Node.js matures.

5. Yarn is gaining ground on npm

npm is still the most widely used package manager with 60% adoption. Yarn has only 13% adoption, but it seems to be growing. What’s driving this increase? First and foremost, Yarn offers a flat dependency structure, as opposed to npm’s nested structure, which makes downloading and installing dependencies from package repos more predictable. Secondly, Yarn allows you to work offline, which is critically important for sandbox development environments that do not have access to the internet.

Bipin Mistry is Sr. Director of Product Management for the WAS/IAST product line. Prior to joining Veracode he was VP of Product Management for NEC/Netcracker in their SDN/NFV and Security business unit. At NEC/Netcracker Bipin’s primary focus was to develop solutions and architectures specifically mapped to NFV/SDN and Orchestration. He has over 28 years of expertise in Security, Software Architectures, Mobile and Core Networking Technologies, Product Management, Marketing, Engineering and Sales. Prior to joining NEC/Netcracker Bipin was VP of Product Management for a security startup in the field of DDoS analysis and mitigation. Bipin has also held architectural and management roles at both Juniper Networks (Chief Mobile Architect) and Cisco Systems (Sr. Director of SP Architecture). Bipin lives in Shrewsbury, MA with his wife and 2 children. In his spare time Bipin is a keen runner and is currently attempting to learn Spanish.