Digital Skimming and Magecart

A Look Inside the Shadow Code Risk

Shadow Code Risk

PerimeterX is excited to release the third annual report, Shadow Code: The Hidden Risk to Your Website, conducted by Osterman Research. More than 500 security professionals and developers responded to the 2021 Application Risk Survey, sharing their thoughts on the risks of third-party code and plans for combating the issue in the future. Read on for a summary of the results, or get the report to see all the details.

The way we build websites and applications has changed. Gone are the days of simple sites developed from your own source code. Today’s sites are more like legos, with many of the pieces pulled in from open source and third-party JavaScript libraries. In the survey, more than 99% of respondents reported that their site uses at least one third-party script, and almost 80% said that such scripts account for 50-70% of a typical website.

As web applications drive so much more business activity in today’s digital economy, enterprises face increasing pressure to quickly bring new functionality to market. To accelerate this innovation, development teams rely heavily on open source and third-party script libraries such as React and jQuery. Building upon the foundation of what already exists allows them to work faster and smarter, rather than wasting time reinventing the wheel.

Vulnerabilities in Third-party Code

In an effort to move quickly, developers often turn to open source libraries. They might introduce third-party scripts without the necessary approval or validation — or with only an initial security review, but do not re-evaluate when scripts change. Over 50% of survey respondents report that their third-party scripts change four or more times each year, but only 25% perform a security review for every script modification.

Also known as shadow code, this code can present major security vulnerabilities that hackers abuse to commit Magecart, digital skimming, and formjacking attacks. More than 50% of survey respondents believed there was some or lots of risk in using open source libraries and third-party code, particularly due to the brand damage, loss of corporate reputation, loss of future revenue, and potential lawsuits that would likely follow a data breach.

Even if your security team does check for CVEs, there are lots of unknown vulnerabilities and supply chain risks that can be exploited. One third-party script calls another script that refers to another. It could be an nth-party script in the chain that has a vulnerability, which puts the whole supply chain at risk.

The Client-side Blind Side

Because third-party code runs on clients’ browsers, it presents a major security blindspot. Legacy solutions like WAFs don’t offer visibility into what happens on users’ browsers, leaving website operators powerless to make a change. Only 34% of survey respondents said they were able to detect changes or updates made on their website that could potentially lead to a security problem.

This lack of visibility into third-party code means that website owners can’t know for certain that their site is safe from attacks. Nearly 50% of survey respondents could not definitively say whether or not their website had been hacked — a pretty scary realization for those tasked with keeping their websites and users safe.

Even though there is a definite risk, there is also a disconnect between that knowledge and actual security practices. Only one in three survey respondents have systems in place to automatically detect potential problems. It is no surprise that security professionals have an urgent need to get visibility into third-party code. 75% of respondents stated that they intend to purchase solutions to address website script vulnerabilities within the next 12 months.

Will you join them? Book a free demo to see how PerimeterX Code Defender gives you the visibility and control into shadow code needed to identify and address script vulnerabilities, so you can protect your business against today’s most sophisticated attacks.

Forrester Report

PerimeterX Named a Leader in the Forrester Wave™: Bot Management, Q2 2022

Download Report
© PerimeterX, Inc. All rights reserved.