Shadow Code in security’s blind spot, ups risk of attack

Infotech Software professionals / Employees / Software Engineers / Coders/ working at a office, in Hyderabad, India.   Security teams don’t have visibility into Shadow Code, putting their web properties at risk for attack. (Photo by A Prabhakar Rao/The The India Today Group via Getty Images)

The proliferation of Shadow Code – third-party scripts and open source libraries used in web applications – may help organizations accelerate their digital transformations but it also puts them at higher risk of cyberattack.

Security teams are finding the Shadow Code, the code equivalent to rogue or Shadow IT, remains a blind spot for their organizations, with a mere 8 percent of respondents in a PerimeterX/Osterman Research report saying they have complete visibility into the hidden code running on their websites. That’s a drop from 10 percent in 2019.

“Given the highly dynamic nature of these scripts, what the analyst sees might differ significantly from what actually runs on a customer’s browser,” Ameet Naik, security evangelist at PerimeterX, told SC Media. “This is why only eight percent of the respondents report having complete insight into the third-party scripts running on their website.”

More than 30 percent of respondents in this second annual survey said that third-party offerings make up between 40 percent to 60 percent of their website scripts and while lower than the industry standard of around 70 percent, the scripts present a formidable obstacle to security and erode trust.

Visibility has dimmed at a time when security teams face a growing number of attacks and are more concerned about safeguarding their assets. Upwards of a third – 38 percent – said their corporate websites had been hacked, while 40 percent suspected they had been, the survey said. And most don’t think their websites are secure – 30 percent said externally facing websites are secure from Magecart and other threats. That’s a drop from the 40 percent recorded in 2019.

Many security pros feel their hands are tied when it comes to dealing with Shadow Code. Just 20 percent said respondents said their teams have the full authority to shut down suspicious scripts running on their websites, down from the 32 percent who reported the same last year.

But the answer is not to get rid of them. “Shadow Code is an unavoidable part of modern web applications,” Naik said. “Third-party scripts provide essential, much needed value-added functions such as analytics, chatbots and payment services.”

Instead, “organizations can use browser-native tools to perform a first-pass triage of third-party scripts running on their website,” he said. He recommends that security teams “take a trust but verify approach,” continuously monitoring script activity and detecting and mitigating threats through behavioral analysis and machine learning.

The COVID-19 pandemic has slowed the response to mitigate Shadow Code. Only 34 percent of respondents said they’d deployed solutions to address the risk but survey results show that that number would likely have been about 47 percent would have done so had the pandemic not caused lockdowns and slowdowns. That means 28 percent had been unable to protect web applications because of COVID-19, the report said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.