Shadow code — third-party scripts and libraries often added to web applications without security validation — pose risks to websites and jeopardize compliance with privacy regulations, according to new research released Tuesday.
Third-party code leaves organizations vulnerable to digital skimming and Magecart attacks, the researchers also noted.
The study, conducted by Osterman Research for PerimeterX, found that more than 50 percent of the security professionals and developers surveyed believed there were some or lots of risk in using third-party code in their applications.
Surveyors also found increased concern among respondents about cyberattacks on their websites. Last year, 45 percent of those surveyed had significant concern about their internet outposts being targeted by hackers; this year that number jumped to 61 percent.
Concern over supply chain attacks also increased, from 28 percent in 2020 to 50 percent in 2021. Anxiety over Magecart attacks jumped significantly from last year, too, by 47 percent. Magecart, or electronic skimming, is a form of fraud where transaction data is intercepted during the checkout of an online store.
Balancing Risk and Efficiency
Developers use third-party code for a number of reasons.
“It’s readily available,” said Brian Uffelman, vice president of product marketing at PerimeterX, a web security service provider in San Mateo, Calif.
“There’s an incorrect assumption that if it’s out there and open source, it’s secure,” he told bluehillco.
“They’re trusting that the open source code that they’re using, or the libraries that they’re using, are secure,” he continued. “What we found is that is not the case.”
“Oftentimes, they’re trying to balance efficiency with risk,” he added.
Jonathan Tanner, a senior security researcher at Barracuda Networks, a security and storage solutions provider based in Campbell, Calif., explained that libraries play an important role in developing applications, since they provide functionality that would take a lot of time to develop, and in many cases would be more prone to potential bugs and exploits if developed internally.
“There’s a common adage of not reinventing the wheel when it comes to development, which not only saves development time but also allows for a higher level of complexity in the applications as a result,” he told bluehillco.
Tanner added that in some cases third-party libraries can even be more secure than code written by internal development teams, even if vulnerabilities are discovered in the most reputable ones.
“If even the most reputable library potentially maintained by hundreds of experts in the specifics of what the library does can have vulnerabilities, trying to build and maintain the same functionality internally with a small team of developers who likely are not experts on the functionality could potentially be disastrous,” he observed.
“There is certainly a lot of value in utilizing pre-existing libraries as a result, not only from a time-saving perspective but also from a security perspective,” he said.
Development teams want to get products out the door as quickly as possible, observed Sandy Carielli, a principal analyst with Forrester Research.
“A lot of third-party and open-source components will allow them to add basic functionality and focus on some of the more sophisticated differentiating aspects of the product,” she told bluehillco.
“The challenge is that if you don’t know what those third-party components are that are called in, you can find yourself in a heap of trouble,” she said.
“If modern businesses want features and functionality delivered fast and cheap, it’s inevitably going to come at the cost of not being able to do something — or a lot of things — the right way,” added Caitlin Johanson, director of the Application Security Center of Excellence at Coalfire, a provider of cybersecurity advisory services in Westminster, Colo.
“We would be naive to think that the speed at which new apps and features get delivered to our technology-reliant world is achieved without corners getting cut,” she told bluehillco.
There are countless risks that shadow code can pose to organizations, maintained Taylor Gulley, a senior application security consultant with nVisium, a Falls Church, Va.-based application security provider.
“One is being the potential for a full compromise of the application and the data within that application,” he told bluehillco.
“In addition to technical risks,” he continued, “the reputational risks could be catastrophic if a vulnerability is introduced to your application as a result of an unvetted, third-party library.”
When an organization lacks visibility into the open-source code it’s using, licensing risks can also emerge.
“An open-source component might have a restrictive license,” Forrester’s Carielli explained.
“Suddenly, you’ve added a component to your code that requires you to open-source the entire application,” she continued. “Now your organization is at risk because all your proprietary code has to be open sourced.”
The Osterman researchers also found that the use of third-party code is widespread throughout the internet. Nearly all the respondents to their survey (99 percent) reported their websites used at least one third-party script.
Even more revealing was the finding that 80 percent of those surveyed said that third-party scripts made up 50 to 70 percent of a their websites.
He added that if the shadow code allows a third party to unknowingly view data on an organization’s site, it likely put the organization at risk of maintaining GDPR or CCPA compliance, because an unknown data processor is viewing data without a public disclosure.
“This can result in millions of dollars of potential fines for an organization that is required to maintain this type of data privacy compliance,” he explained.
Shadow code is definitely an increasing problem and a problem that a lot of people don’t realize, added Christian Simko, director of product marketing at GrammaTech, a provider of application security testing solutions headquartered in Bethesda, Md.
“Custom code is shrinking and third-party code usage is growing,” he told bluehillco. “If you’re not properly managing the code base that you’re using, you could be inserting vulnerabilities into your software without knowing it.”