Businesses across the world are undergoing rapid digital transformation as consumers increasingly shift to online channels. Your website has become your primary headquarters as offices and stores remain closed in many parts of the world. As stewards of this critical resource, you have to balance the need for agility with the security and privacy of your customers’ data. This balancing act has a new twist – Shadow Code.
Web application developers often rely on open source libraries and third-party scripts in order to innovate faster and keep pace with evolving business needs. These third-party scripts in turn load other scripts, creating a digital supply chain of fourth-, fifth- and Nth-party scripts powering your website. According to industry estimates, up to 70% of the scripts on a typical website are third-party. Often introduced without any formal approval process or security validation, these scripts execute in your customers' browsers rather than on your servers, so traditional server-side monitoring and security tools cannot give you the full picture. The result is that your application runs code that you never tested or approved, that your monitoring systems cannot see, and that you may have no practical way to stop if something goes wrong.
This, in a nutshell, is the Shadow Code problem. Much like Shadow IT, which introduces unapproved cloud services and apps into an organization, Shadow Code bypasses traditional procurement channels and evades policy controls. This makes it very difficult for organizations to maintain a strong security posture, comply with data privacy regulations and pass infosec audits.
So how big is this problem? PerimeterX, in conjunction with Osterman Research, completed the second annual survey of security professionals to uncover the extent and impact of Shadow Code across organizations in a diverse set of industries. The report released today, “Shadow Code: The Hidden Risk to Your Website,” finds that only 8% of respondents have complete insights into the third-party code running on their website. And over 30% of the respondents do not trust the providers of their third-party scripts. These are staggering numbers.
The report also finds that:
- Only 30% of survey respondents believed that their externally-facing web properties are completely secure from threats like Magecart attacks, down from about 40% in the 2019 survey.
- Only 22% of the respondents indicated that they or their teams have the full authority to shut down any suspicious script that they might find running on their website. This is down from 32% in 2019.
- An average of 38% of respondents knew for a fact that their corporate websites had been hacked, and another 40% suspected they had been hacked.
- Only 30% of respondents to the survey reported that their externally facing web properties are secure and thus compliant with data privacy regulations.
These statistics suggest that we are at the very early stages of identifying and grappling with the Shadow Code problem. Much as CIOs were forced to adopt BYOD policies and tolerate far more cloud services and apps than they could have imagined, CISOs no longer have the luxury of saying no to third-party code. Meanwhile, data privacy regulations are tightening worldwide and client-side attacks such as Magecart are on the rise, leading to massive data breaches and fines.
Open source libraries and third-party scripts are a powerful enabler when used properly with the appropriate guardrails. There is a new category of client-side application security solutions that can help you manage the risk to your organization while empowering your app developers to remain agile.
To learn more about Shadow Code and the survey results, read the report and join us on August 13th for a webinar with PerimeterX and Osterman Research where we will discuss key takeaways and best practices. Subscribe to the PerimeterX blog for additional updates and research on Shadow Code.