‘Shadow Code’ Creates Risk for 99% of Websites

Shadow code, the third-party scripts and libraries that are often added to web applications without security validation, poses a risk to websites and jeopardizes compliance with privacy regulations, according to a new study released Tuesday.

Third-party code makes organizations vulnerable to digital skimming and Magecart attacks.

The study, conducted by Osterman Research for PerimeterX, found that more than 50% of the security professionals and developers surveyed believe that using third-party code in their applications is risky.

The researchers also found growing concern among respondents about cyberattacks on websites. Last year, 45% of those surveyed were seriously concerned that their web properties were being targeted by hackers. This year, that number surged to 61%.

Concern about supply chain attacks also increased, from 28% in 2020 to 50% in 2021, and concern about Magecart attacks rose significantly, by 47% from last year. Magecart, or electronic skimming, is a form of fraud in which transaction data is intercepted during online store checkout.

Balance between risk and efficiency

Developers use third-party code for a variety of reasons.

“It’s ready to go,” said Brian Uffelman, vice president of product marketing at PerimeterX, a web security service provider in San Mateo, Calif.

“If it’s there and it’s open source, there’s a false assumption that it’s safe,” he told TechNewsWorld.

“They believe that the open source code they use, or the libraries they use, is safe,” he continued. “What we found is not.”

“Often they are trying to balance efficiency and risk,” he added.

Jonathan Tanner, senior security researcher at Barracuda Networks, a security and storage solution provider based in Campbell, Calif., explained that libraries play an important role in application development because they provide features that would be time-consuming, and often bug-prone, to develop internally.

“When it comes to development, there’s a general saying that we don’t reinvent the wheel, which not only saves development time, but also increases the complexity of the application,” he told TechNewsWorld.

Code trouble

Tanner added that even though vulnerabilities have been discovered in the most popular libraries, in some cases third-party libraries can still be more secure than code written by an internal development team.

“If even the most reputable library, which may be maintained by hundreds of experts on the details of a library’s features, may be vulnerable, it’s likely that you’re not a feature expert. Attempting to build and maintain the same functionality internally in a small team of people would be potentially disastrous,” he observed.

“As a result, there is certainly a lot of value in using existing libraries, not only from a time-saving perspective, but also from a security perspective,” he said.

Development teams want to get their product out the door as quickly as possible, noted Calieri of Forrester Research.

“Many third-party and open source components allow us to add basic functionality and focus on more sophisticated differentiating aspects of our products,” she told TechNewsWorld.

“The challenge is that if you don’t know what the third-party component is being called, you may find yourself in a pile of problems,” she said.

“If modern enterprises want to deliver features quickly and cheaply, it will inevitably come at the expense of not being able to do something or much in the right way,” added Caitlin Johanson, director of the Application Security Center of Excellence at Coalfire, a provider of cybersecurity advisory services in Westminster, Colo.

“It’s easy to think that the speed at which new apps and features are delivered to a technology-dependent world can be achieved without omissions,” she told TechNewsWorld.

Dangerous business

Shadow code can pose myriad risks to an organization, according to nVisium, an application security provider based in Falls Church, Va.

“One is that the application and the data within it can be completely compromised,” he told TechNewsWorld.

“In addition to technical risks, reputation risks can be catastrophic if an application introduces a vulnerability as a result of an unexamined third-party library,” he continued.

If you don’t have visibility into the open source code your organization is using, you may also run into licensing risks.

“Open source components may have limited licenses,” Forrester’s Calieri explained.

“Suddenly, I added a component to my code that needed to open source the entire application,” she continued. “All proprietary code must be open source, which puts the organization at risk.”

Widely used

Osterman researchers have also found that the use of third-party code is widespread throughout the Internet. Almost all respondents (99%) in the survey reported that their website uses at least one third-party script.

Even more striking is the finding that 80% of those surveyed say third-party scripts make up 50-70% of their websites.

“There isn’t much formal research on the spread of shadow code, but because JavaScript is widely used on most websites and the number of JavaScript libraries available is so large, it’s possible that shadow code is very popular,” says Kevin Dunne, president of Pathlock, an integrated access orchestration provider in Flemington, N.J.

“There are over a million known JavaScript open source projects on GitHub, which presents an insurmountable challenge for security teams to manually review and evaluate,” he told TechNewsWorld.
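Manual review of every script does not scale, but an inventory of what a page actually loads is the first step toward knowing which third parties are running code on it. The following script is an added illustration, not code from the article, the study or any of the companies quoted: it parses a page (a constructed sample checkout page, with the site host assumed to be `shop.example.com`), separates first-party from third-party script sources, and flags third-party scripts that carry no Subresource Integrity `integrity` attribute, since those can change at the origin without the site operator noticing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not from the article). It mixes a
# first-party script, a CDN script pinned with Subresource Integrity (placeholder
# hash), an unpinned third-party tracker, and one inline script.
SAMPLE_HTML = """
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.example-cdn.net/lib/jquery.min.js"
          integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
  <script src="//analytics.example-tracker.com/t.js" async></script>
  <script>window.dataLayer = [];</script>
</head><body>Checkout</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: external ones with their src, plus an inline count."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (src, integrity-or-None)
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self.inline += 1


def _is_first_party(host, site_host):
    # Relative URLs have an empty host; subdomains of the site count as first-party.
    return host == "" or host == site_host or host.endswith("." + site_host)


def inventory(html, site_host):
    """One record per external script: host, third-party flag, and whether an
    integrity attribute pins the content that the browser will accept."""
    p = ScriptCollector()
    p.feed(html)
    records = []
    for src, integrity in p.external:
        host = urlparse(src).netloc.lower()   # '' for relative paths
        records.append({
            "src": src,
            "host": host or site_host,
            "third_party": not _is_first_party(host, site_host),
            "pinned": integrity is not None,
        })
    return records


def unpinned_third_party(records):
    """Third-party scripts with no integrity attribute: whatever the remote
    origin serves tomorrow will run in the visitor's browser."""
    return [r["src"] for r in records if r["third_party"] and not r["pinned"]]


def third_party_share(records):
    """Fraction of external scripts that come from another origin."""
    if not records:
        return 0.0
    return sum(r["third_party"] for r in records) / len(records)


if __name__ == "__main__":
    recs = inventory(SAMPLE_HTML, "shop.example.com")
    for r in recs:
        print(r)
    print("third-party share:", third_party_share(recs))
    print("unpinned third-party:", unpinned_third_party(recs))
```

Two caveats on the design: a static scan only sees scripts written into the HTML, while much shadow code is injected at runtime by tag managers or by other scripts, so pairing this with a Content Security Policy in report-only mode (with `report-to` or `report-uri`) gives the runtime view; and SRI cannot pin scripts whose content is meant to change, so those vendors need to be reviewed and approved explicitly rather than pinned.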

If shadow code unknowingly exposes data on an organization’s site to a third party, he added, the organization is likely at risk of no longer being GDPR or CCPA compliant, because an unknown data processor is viewing private data.

“This could impose millions of dollars on organizations needed to maintain this type of data privacy compliance,” he explained.

Shadow code is arguably a growing issue, and one that many are unaware of, added Christian Simco, director of product marketing at GrammaTech, a provider of application security testing solutions headquartered in Bethesda, Md.

“Custom code is shrinking and third-party code usage is increasing,” he told TechNewsWorld. “If you don’t properly manage your code base, you can inadvertently inject vulnerabilities into your software.”
