npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Attitudes to security in the JavaScript community

Over the coming months, we’ll be diving more deeply into the results of this winter’s JavaScript Ecosystem Survey, a survey of over 16,000 developers conducted by npm in collaboration with the Node.JS Foundation and the JS Foundation. Our first topic is Security — and, more specifically, how developers perceive the safety of the code they write and the open source code they use. To read more about the methodology behind this survey, click here.

Taking security seriously is a habit that professional software developers acquire as they grow more experienced. Developers trust the security of open source code more than they trust the code they write themselves to be secure, but the tools for ensuring the safety and quality of code leave much to be desired.

These are some of the conclusions of a survey of over 16,000 developers run by npm in collaboration with the Node.js Foundation and the JS Foundation. We asked a lot of questions (thank you to everyone who answered all 54!) and got an enormous amount of amazing insight out of this data.

Are we satisfied with our security?

97% of respondents use open source code, so one of our first questions was: Are you concerned with whether the open source code you use is secure? Obviously we knew some people were, but it turns out 77% of respondents are concerned. The remaining 23% are presumably very trusting types.

image

Obviously, merely being concerned with whether it’s secure doesn’t mean you think open source code isn’t secure; it just means you want to know. So we also asked people whether they were satisfied with the methods available to them to evaluate the safety and quality of their open source code. The results were not great news:

image

Overall, 52% of respondents aren’t satisfied with the tools they’ve got to evaluate open source code’s security and quality. Interestingly, this number is lower but not zero among the people who say they aren’t concerned about the security of their open source code. Since the “unconcerned about security” group is 23% of all respondents, that means that 7% of the JavaScript community think the tools for evaluating open-source security aren’t good enough, but they’re still not concerned about security. We’ve labelled them internally as the DGAF group, which I’m assured means “optimistic”.

More than half of JavaScript developers think that the tools they’ve got for evaluating the security and quality of open source code aren’t good enough. That’s alarming! But we found something interesting when we asked them the same pair of questions, but this time about their own code, then compared the two sets of answers.

image

87% of respondents said they were concerned with the security of the code they wrote themselves, compared to only 77% saying the same about open source. A healthy majority are concerned about security in both cases, but this discrepancy suggests that JavaScript developers trust open source code to be secure more than they trust themselves to write secure code. If that’s what you believe, then that’s a strong driver to adopt open source code in the first place.

image

We also asked developers about the methods they had to evaluate the security of code. In both cases, majorities were not satisfied with the security options available to them, but again, the concern was greater about their own code than open source code. Developers seem to believe that open source code, while not perfect, is more likely to be secure than code they wrote, and that the tools for making sure it’s secure are better.

Attitudes to security change with experience

Another interesting effect we noticed in asking JavaScript developers about security is that developers seem to become more concerned about security the more experienced and sophisticated they become.

The first sign of this was when we split our users up by how long they’d been using JavaScript, in groups ranging from less than one year (6% of respondents) to more than ten years (19%). The result was a remarkably steady progression:

image

81% of respondents with 10+ years of experience said they were concerned about the security of the open source code they use, compared to only 72% of the newest group.

Given that the longer you use JavaScript, the more concerned about the security of it you become, it’s worth asking whether that pushes people away from the language over time. But there’s no evidence of this. We asked developers whether, over the next 12 months, they intended to use JavaScript more, less, or about the same amount. 95% of respondents said more or about the same, and that percentage didn’t change at all across groups divided by experience.

What seems to be driving an increase in consciousness of security is just a general increase in thoroughness and professionalism as a developer gains experience. We asked developers a range of questions about tools and practices, and there was a clear pattern when we again divided them into groups by experience:

image

Comparing the most experienced group to the last experienced group again, the most experienced group was:

In all the questions, the percentages grew as we moved from groups with less to more experience. These things appear to be best practices, adopted by strong majorities in most cases.

In particular, the last 3 practices all have to do with security. Combining the answers, we were able to measure how many people use some form of security analysis on their open source code (the answers for their own code followed a similar pattern). A strong majority did in both the least-experienced and most-experienced groups, but in the most experienced group it was a whopping 85%.

image

Conclusions

All this data drives some pretty clear conclusions:

npm has been putting more resources into improving security recently. In October we introduced two-factor authentication for npm accounts. In March, more than 8 billion package downloads — 43% of all package downloads that month — were of packages belonging to accounts protected by two-factor authentication. That’s a huge step forward in ensuring the code in the registry is safe and secure, but there is a lot more to do. Stay tuned.