Taking security seriously is a habit that professional software developers acquire as they grow more experienced. Developers trust the security of open source code more than they trust the code they write themselves to be secure, but the tools for ensuring the safety and quality of code leave much to be desired.
These are some of the conclusions of a survey of over 16,000 developers run by npm in collaboration with the Node.js Foundation and the JS Foundation. We asked a lot of questions (thank you to everyone who answered all 54!) and got an enormous amount of amazing insight out of this data.
Are we satisfied with our security?
97% of respondents use open source code, so one of our first questions was: Are you concerned with whether the open source code you use is secure? Obviously we knew some people were, but it turns out 77% of respondents are concerned. The remaining 23% are presumably very trusting types.
Obviously, merely being concerned with whether it’s secure doesn’t mean you think open source code isn’t secure; it just means you want to know. So we also asked people whether they were satisfied with the methods available to them to evaluate the safety and quality of their open source code. The results were not great news:
We also asked developers about the methods they had to evaluate the security of code. In both cases, majorities were not satisfied with the security options available to them, but again, the concern was greater about their own code than open source code. Developers seem to believe that open source code, while not perfect, is more likely to be secure than code they wrote, and that the tools for making sure it’s secure are better.
Attitudes to security change with experience
81% of respondents with 10+ years of experience said they were concerned about the security of the open source code they use, compared to only 72% of the newest group.
What seems to be driving an increase in consciousness of security is just a general increase in thoroughness and professionalism as a developer gains experience. We asked developers a range of questions about tools and practices, and there was a clear pattern when we again divided them into groups by experience:
Comparing the most experienced group to the least experienced group again, the most experienced group was:
- More likely to use a testing framework (87% to 57%)
- More likely to use a linter (90% to 75%)
- More likely to participate in code reviews (79% to 50%)
- More likely to have external audits of code (26% to 9%)
- More likely to use automated scans for security flaws in code (53% to 27%)
In all the questions, the percentages grew as we moved from groups with less to more experience. These things appear to be best practices, adopted by strong majorities in most cases.
In particular, the last 3 practices all have to do with security. Combining the answers, we were able to measure how many people use some form of security analysis on their open source code (the answers for their own code followed a similar pattern). A strong majority did in both the least-experienced and most-experienced groups, but in the most experienced group it was a whopping 85%.
All this data drives some pretty clear conclusions:
- Best practices like testing, linting, code reviews and security scans are a sign of an experienced developer.
- But developers are more trusting of the security of open source code than their own.
- Developers are not happy with the options available to them for securing their code.
npm has been putting more resources into improving security recently. In October we introduced two-factor authentication for npm accounts. In March, more than 8 billion package downloads — 43% of all package downloads that month — were of packages belonging to accounts protected by two-factor authentication. That’s a huge step forward in ensuring the code in the registry is safe and secure, but there is a lot more to do. Stay tuned.