According to a new research study, shadow code, the third-party scripts and libraries frequently used in web applications, poses a security risk to websites. Read on to know more…
According to new research, shadow code — third-party scripts and libraries frequently introduced into web applications without security validation — poses a security risk to websites and jeopardizes compliance with privacy regulations. The researchers also noted that third-party code leaves businesses open to digital skimming and Magecart attacks.
More than half of the security professionals and developers polled said there was some or a lot of security risk in using third-party code in their apps, according to the study by Osterman Research for PerimeterX.
The third annual survey on the use of Shadow Code in web applications, conducted with Osterman Research and titled “Shadow Code: The Hidden Risk to Your Website,” was released last month by PerimeterX.
Some of the key research findings include:
Third-party code can be found on almost any website: More than 99 percent of respondents said their website receives third-party code from software supply chain suppliers or partners, who may in turn receive it from their own partners. Almost 80 percent of respondents said that scripts make up 50-70 percent of the functionality of a typical website.
Lack of visibility into code modifications: Website owners lack visibility into changes to third-party code, making it difficult to know whether their website is secure against cyberattacks. Nearly 50 percent of the respondents couldn’t say for sure whether or not their website had been hacked.
Misalignment between security beliefs and practices: While respondents claim to be aware of risks from Shadow Code, just 25 percent of them run a security check for every script modification, and only 33 percent can detect potential risks automatically.
Third-party scripts and open source libraries are commonly used for ad tracking, payments, customer reviews, chatbots, tag management, social media integration, and other helper functions. However, unmanaged Shadow Code – scripts and libraries installed without consent or regular security validation – introduces hidden vulnerabilities into an organization's web applications, making it difficult to avoid data breaches, protect data privacy, and comply with numerous privacy standards.
If Shadow Code unknowingly allows a third party to access data on an organization’s website, the organization is likely to fall out of GDPR or CCPA compliance, since an undisclosed data processor is handling personal data without public notice. For an organization required to maintain this type of data privacy compliance, this can result in millions of dollars in potential fines.
The report includes statistics on websites that use third-party code and scripts, the frequency of code updates, vulnerability and visibility levels, and the use of technology to manage third-party script and open source vulnerabilities. Brand harm, loss of corporate reputation, loss of future revenue, and potential lawsuits were cited by more than half of respondents as “huge” or “major” concerns resulting from a cyberattack.
The survey was conducted in May and June 2021 with 501 firms from various industries in the United States, including retail and e-commerce, financial services, travel and hospitality, media and entertainment, gaming, and delivery services. All of the survey participants were security specialists or developers who were familiar with their companies’ use of third-party scripts.