What GitHub couldn’t tell them is that the owner of the repository gave code commit access to a new contributor – who happened to be from a criminal card skimming gang. This malicious hacker had inserted obfuscated code that would skim credit card data on any site running the library. By the time your website security team found the attack, hundreds of thousands of customers’ card data had been skimmed.
Criminals had used the cards and password information to sneak in big transactions during the Black Friday rush, knowing you would reduce security restrictions to accommodate the crush of post-COVID shopping. Sadness ensues. Your company will pay millions to remediate this problem, and spend months gaining back customer trust. It’s a Black Friday nightmare, courtesy of Shadow Code.
What is Shadow Code and Why Does it Matter?
This story is hypothetical but all too real. Shadow Code is a growing risk for ecommerce companies as they strive to move faster and innovate more quickly. There are three types of Shadow Code:
- Any internal code that the information security team didn’t approve before it goes into production
- Any third-party service or open source library not reviewed and approved by information security team
- Any code included by your third-party provider that you may not be fully aware of, and hence don’t have the ability to vet and approve before deployment
Shadow Code Is Now A Necessary Evil
For ecommerce websites, which have much higher code turnover than most applications, even reviewing all first-party code is challenging and increasingly requires automation. Developers facing deadlines may insert their own code fixes without running them through all the normal security checks. The Shadow Code risk is also systemic; often the best open source library to accomplish a task has little to no security oversight.
Holiday 2020 Season Will Be an Epic Test
Ecommerce site operators are rushing to boost capacity and add new features for what will likely be a far busier peak season for ecommerce than ever before due to COVID. Grinchy cybercriminals are increasing attack volume and targeting the client side to escape traditional server-side security provided by web application firewalls.
Elite cyberfraud gangs have expanded attacks to include home goods, cosmetics and fragrances and are now attacking small and mid-sized retailers. More ominous still, so-called Advanced Persistent Threat groups (often sponsored by rogue nations) are mounting their own attacks. For ecommerce companies that are victimized, the cost can easily rise to the millions of dollars and hundreds of hours of staff time.
Keep Shadow Code Grinch Away: Trust but Verify
You cannot block all or even most Shadow Code. This would paralyze development efforts. A more powerful and adaptive approach is to use client-side application security technology that can identify anomalous behavior in any part of a web application and map that behavior back to specific code. This method continuously adapts rather than relying on static security validations.
These Artificial Intelligence-driven application security platforms use machine learning to identify patterns of attacks across different ecommerce sites. The broad scope allows developers to continuously spot and stop Shadow Code exploits in real time. For more crucial parts of infrastructure – such as payment modules and authentication – information security should review the providers of services and libraries, as well as monitor them at runtime.
Recent attacks on payment services have shown that even the most reputable, PCI-compliant services can be compromised. For open source libraries, ecommerce sites should use a software composition analysis service like Snyk to detect and fix vulnerabilities.
Shadow Code effectively solves real problems and accelerates development, which is critical to giving holiday shoppers a stellar experience. That said, the use of Shadow Code has passed a tipping point into the land of the Grinch that could steal ecommerce holiday cheer.
The solution is not to stop all Shadow Code, but to build guardrails that enable your team to develop innovative web applications while detecting and stopping malicious code at runtime. Third-parties can and should be trusted, but their security must be verified empirically at the first sign of anomalous behavior — keeping every customer happy during the all-important holiday crush.
Ameet Naik is a security evangelist at PerimeterX