Securing the Web forward: Addressing developer concerns in web security

In the ever-evolving landscape of web development, security remains a key concern for developers. A recent survey gathered responses from 297 developers visiting MDN, asking them to rate the challenge they face with various security aspects in their development workflows. These responses offer a clear indication of the complexities and challenges encountered in daily development tasks.

60% of developers find the addressed security aspects 'Somewhat challenging' or 'Very challenging'. It's evident from this that we have a problem. There is a substantial need for enhanced education, tools, and best practices to assist developers with security issues across the board.

Delving deeper into the individual security aspects:

• Detecting security vulnerabilities was highlighted as the most challenging aspect, with 71% of developers marking it as 'Somewhat challenging' or 'Very challenging'. An area with clear scope for improvement, it further emphasizes the need for better tools and education.
• Understanding security threats followed closely, gathering 69% of 'Somewhat challenging' or 'Very challenging' responses. As threats evolve continuously, this response underscores the crucial requirement for up-to-date education and efficient tools.
• The intricacy of understanding the web browser's security model came third, seen as challenging by 66% of developers. The ongoing evolution of web technologies may contribute to the difficulty in understanding the security model.
• Safely integrating third-party services received mixed responses. While 55% found it challenging, 27% felt neutral about it. This perhaps reflects the trust developers place in identified companies offering these services.
• Keeping frameworks and libraries up-to-date was another mixed bag, with 54% finding it challenging but 20% considering it easy. This suggests that while the actual updating of dependencies remains challenging, the tools alerting developers about new dependency releases have become mainstream.
• HTTPS Configuration was rated the least challenging aspect, with 45% finding it challenging and 31% considering it easy. It indicates that either server configuration is seen as a well-known task, or hosting services may be assisting developers with these issues.

The survey also highlighted the challenges of staying updated with new security threats, integrating third-party code securely, the lack of cybersecurity content in formal education, and other issues such as regulatory compliance.

One thing is clear: if we want to address these challenges we need to do so holistically. That means we need to get people talking to each other across silos.

To further address these concerns and foster an open dialogue, we're inviting you to participate in the W3C, OpenSSF, OpenJSF, and OWASP workshop: “Secure the Web Forward.” If you would like to participate in this groundbreaking workshop you have one week left to submit position statements. It’s clear that the ecosystem needs to come together to address these challenges. We hope that this workshop can be a step along the road to building a secure future for web development.