Digital Transformation and the Shadow Code Risk
September 23, 2020

Ameet Naik
PerimeterX

Businesses across the world are accelerating their digital transformation as consumers increasingly shift to online channels. Web applications have become a critical element of this digital journey and keeping them secure and performant is now more important than ever. However, there are new challenges that application developers face while delivering and maintaining these business-critical applications.

Web application developers often rely on open source libraries and third-party scripts in order to innovate faster and keep pace with evolving business needs. These scripts and libraries — often added without approvals or security validation — introduce hidden risks into the organization and make it challenging to ensure data privacy and to comply with regulations.

Collectively referred to as "Shadow Code," these scripts provide essential services such as payments, analytics, chatbots, advertising or social media integrations. However, application security teams often don't have a comprehensive understanding of what these scripts actually do, creating opportunities for malicious code injection attacks.


The Client-Side Blind Side

Often introduced without any formal approval process or security validation, these scripts run on the client side, which means traditional monitoring and security tools cannot provide the same visibility and control that you might have over server-side apps. This is a major blind side for appsec teams. So how big is this problem?

PerimeterX, in conjunction with Osterman Research, completed the second annual survey of application security professionals to uncover the extent and impact of Shadow Code across organizations in a diverse set of industries. The report, Shadow Code: The Hidden Risk to Your Website, finds that only 8% of respondents have complete insights into the third-party code running on their website. This is a very low result, which means that the vast majority of web applications out there have high levels of Shadow Code running on them.

The Trust Deficit

Given the extensive amount of third-party code running on web applications, the survey also examined the relationship between the users and the providers of third-party scripts. Over 30% of the respondents reported that they do not trust the providers of their third-party scripts. Yet, they allow this Shadow Code to run on the client-side of their web applications. This poses considerable business risk to the owners of these web applications.

As data privacy regulations like the California Consumer Privacy Act (CCPA) and the Global Data Protection Regulation (GDPR) impose strict penalties for client-side data breaches running into the hundreds of millions of dollars, application owners need to be more vigilant about the security of third-party scripts on their web applications.

The survey found that only 30% of survey respondents believed that their externally-facing web properties are completely secure from threats like Magecart attacks, down from about 40% in the 2019 survey.

Limited Controls

Application owners are turning to client-side behavioral analysis solutions that can baseline the behavior of first- and third-party scripts to identify anomalies that could signal a compromise. However, they need more mitigation options when dealing with such threats.

Only 22% of the survey respondents indicated that they or their teams have the full authority to shut down any suspicious script that they might find running on their website. This is down from 32% in 2019. For example, if the anomalous script processes payments, it's very difficult to shut it down while the team analyzes the root cause. Solutions that can surgically stop specific script actions without shutting down the entire script can offer a useful middle ground to already constrained appsec teams.

Compliance Remains Elusive

Only 30% of respondents to the survey reported that their externally facing web properties are secure and thus compliant with data privacy regulations. These statistics suggest that we are at the very early stages of identifying and grappling with the Shadow Code problem.

Much like with Shadow IT, when CIOs were forced to implement BYO device policies and tolerate more cloud services and apps in use than they could imagine, CISOs no longer have the luxury of saying no to third-party code. Meanwhile data privacy regulations are tightening worldwide and client-side attacks, such as Magecart, are on the rise, leading to massive data breaches and fines.

Shadow Code Best Practices

Shadow Code is here to stay and eliminating third-party scripts is not the answer. Application development and security teams can gain control over this problem by combining static testing of internal code, with runtime behavioral analysis of third-party scripts that can identify security risks in real time. Client-side application security solutions can offer a wide range of mitigation options to manage threats present within Shadow Code. Web applications can continue to benefit from the vast ecosystem of third-party services without compromising their users' data privacy.

Ameet Naik is a Security Evangelist at PerimeterX
Share this

Industry News

October 29, 2020

Cisco announced new software-delivered solutions designed to simplify IT operations across on-premise data centers and multicloud environments.

October 29, 2020

Bugsnag announced availability of user stability analytics, which will help developers gain a clearer understanding of how application errors are impacting the user experience and other key performance indicators (KPIs) for the business, as well as offer insights on whether to fix bugs or build new features.

October 29, 2020

HAProxy Technologies announced an open-source release of a VMware Open Virtual Appliance (OVA) virtual machine image of the HAProxy load balancer for vSphere, which HAProxy Technologies will maintain on GitHub.

October 28, 2020

Progress announced a number of new innovations designed to facilitate adoption and at-scale deployment of Chef offerings for both new and experienced users of the DevSecOps portfolio.

October 28, 2020

StackRox announced the release of KubeLinter, its new open source static analysis tool to identify misconfigurations in Kubernetes deployments.

October 28, 2020

Vercel announced Next.js 10 featuring a number of new capabilities that accelerate frontend developers’ ability to enrich end users’ web experiences globally.

October 27, 2020

ThinkTank has released a suite of applications designed to keep distributed agile teams aligned and engaged, regardless of physical location.

October 27, 2020

Cloudify, a Service Orchestration and Automation Platform, announced its latest 5.1 product release which aims to take one step further to permanently remove silos and roadblocks that are consistently associated with migration to the public cloud.

October 27, 2020

WhiteSource announced its new native integration for Microsoft Azure DevOps services.

October 26, 2020

NetApp unveiled a new serverless and storageless solution for containers from Spot by NetApp, a new autonomous hybrid cloud volume platform, and cloud-based virtual desktop solutions.

October 26, 2020

GeneXus released GeneXus 17, a new version of its platform that empowers enterprises to create and evolve new applications at unprecedented speed.

October 26, 2020

Alcide announced the company’s security solutions are now integrated with AWS Security Hub, sending real-time threat intelligence and compliance information to Amazon Web Services (AWS) for easy consumption by Security and DevSecOps teams.

October 22, 2020

Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.

October 22, 2020

Harness announced two new modules: Continuous Integration Enterprise and Continuous Features.

October 22, 2020

Render announced automatic preview environments which are essential for rapid and collaborative development of modern applications.