False Sense of Security — Third Annual PerimeterX Report Reveals that Shadow Code Remains a High Risk

More than 99% of websites use third-party scripts, but only one in three can detect potential problems that could lead to digital skimming and Magecart attacks

SAN MATEO, Calif., September 21, 2021 – PerimeterX, the leading provider of solutions that secure digital businesses against automated fraud and client-side threats, today released “Shadow Code: The Hidden Risk to Your Website,” the third annual survey conducted with Osterman Research on the use of Shadow Code in web applications.

Third-party scripts and open source libraries are typically used for ad tracking, payments, customer reviews, chatbots, tag management, social media integration or other helper libraries that simplify common functions. However, the unmanaged use of Shadow Code — scripts and libraries often added without approvals or ongoing security validation — introduces hidden risks into an organization, making it challenging to avoid the risk of a data breach, ensure data privacy and comply with various privacy regulations.

“While awareness is growing about the consequences of successful cyberattacks and most organizations claim to have addressed the risks of Shadow Code, digging deeper into our survey responses shows there is a false sense of security. Organizational security review processes are insufficient, capabilities to automatically detect changes have low adoption, and other means of assessing threats from code vulnerabilities are not up to the task,” said Brian Uffelman, VP and Security Evangelist, PerimeterX.

Key findings include:

  • Nearly all websites contain third-party code. More than 99% of respondents reported that their website uses software supply chain vendors or partners for third-party code, who may themselves obtain code from their partners. Almost 80% said that these scripts account for 50-70% of the capability in a typical website.
  • Visibility into code changes is lacking. Website owners lack the visibility into third-party code to know for certain that their site is safe from cyberattack. Nearly 50% of respondents could not definitively say their website had not been subject to a cyberattack.
  • There is a disconnect between belief and security practices. While respondents say they understand Shadow Code risks, only 25% perform a security review for every script modification, and only 33% can automatically detect potential problems.

The report includes statistics on websites that use third-party code and scripts, the frequency of code updates, vulnerability and visibility levels, and the use of technology solutions to manage third-party script and open source vulnerabilities.

Not surprisingly, more than half of respondents named brand damage, loss of corporate reputation, loss of future revenue and potential lawsuits as “huge” or “major” problems resulting from an attack.

“It’s imperative that organizations review how they detect and manage risks to web applications. For the third straight year, our research continues to shed light on these critical issues for digital businesses. The percentage of respondents who suspect their website may have been attacked — but lack the visibility to state definitively — grew from 40% in 2020 to 48% in 2021. Respondents seem more willing to take active steps to mitigate these risks, with 75% stating that they intend to purchase solutions to address website script vulnerabilities within the next 12 months,” said Michael Sampson, senior analyst with Osterman Research.

The survey was conducted during May and June 2021 with a total of 501 organizations in the United States across a range of industries including retail and e-commerce, financial services, travel and hospitality, media and entertainment, gaming and delivery services. All of the survey respondents were security professionals or developers who are familiar with the way that third-party scripts are used by their organizations.

For more information, read the full report here.

About PerimeterX

PerimeterX is the leading provider of solutions that protect modern web apps at scale. Delivered as a service, the company’s solutions detect risks to your web applications and proactively manage them, freeing you to focus on growth and innovation. The world’s largest and most reputable websites and mobile applications count on PerimeterX to safeguard their consumers’ digital experience. PerimeterX is headquartered in San Mateo, California, and online at www.perimeterx.com.

© PerimeterX, Inc. All rights reserved.