Asset Management, Risk Assessments/Management, Security Staff Acquisition & Development, Security Strategy, Plan, Budget

Shadow Code: A Third-Party Blind Spot

Third-party relationships have expanded exponentially as companies seek outsourced services and software to perform optimally and backfill talent amid the ongoing pandemic. That expansion touches internal systems and also extends to the external web properties that drive revenue and client interactions under our new normal. This has broadened attack surfaces as threat actors target weaker vendors with strong market penetration to quietly surveil, pilfer sensitive information and paralyze systems.

For security teams trying to track the security practices of those third parties, visibility is essential but painfully limited, according to a recent survey from CRA Business Intelligence, the research and content arm of cybersecurity information services company CyberRisk Alliance. The survey was conducted in late fall 2021 among more than 300 IT and cybersecurity decision-makers and influencers who use third parties. Among the findings:

  • Sixty percent of respondents experienced an IT security incident in the past two years due to a security hole that originated with a third-party partner.
  • Forty-five percent had to shell out $1 million or more to deal with these compromises.

When looking into the blind spots security teams face, shadow code is particularly vexing. These third-party scripts and open-source libraries are used in web applications and can help organizations accelerate their digital transformations. But it also puts them at higher risk of cyberattack.

Source Defense CMO Stephen Ward appeared on Paul’s Security Weekly recently to discuss shadow IT and how to improve security around it.

He talked about how the threat of JavaScript based attacks – including click-jacking, digital skimming, formjacking, defacement, and Magecart – exists for any organization collecting sensitive data or conducting transactions through their web properties. Attacks of this type have done damage to some of the biggest brands in the world – costing household names like British Airways tens of millions – and they happen by the hundreds per month.

Already in 2022, we’ve seen headlines of major client-side attacks like the one that hit Segway – potentially impacting nearly a million consumers.

The episode includes real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons for each.

While watching the episode, you can dig into several handy resources from Source Defense, including:

This segment is sponsored by Source Defense. Visit to learn more about them Visit for all the latest episodes!

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.