Businesses are under pressure to digitise – and fast – so software developers are eager to find time-saving tricks. As a result, the use of third-party scripts and open-source code libraries across major websites is on the rise. But this so-called ‘shadow code’ can lead to security flaws finding their way into sensitive systems, leaving businesses and their customers vulnerable to costly data breaches.
What is shadow code?
The pressure to rapidly digitise during the pandemic means more development teams are using other people’s code to deliver rapid results, says David Bicknell, principal analyst at GlobalData who covers cybersecurity. “The situation with Covid-19 and the need to do more business online means that companies that may not have necessarily digitally transformed themselves have now realised that they’ve got to do it,” he says. “Because of this, people are under pressure so they take these ready-made libraries and use the code and that creates a risk.”
Much like shadow IT, where employees use systems that aren’t sanctioned by the central IT department, shadow code can be problematic because it isn’t subject to the necessary security checks and validation, meaning it creates vulnerabilities that can be exploited by criminals, especially if the most up-to-date versions are not deployed. Though many open source libraries, such as jQuery and node.js, have large and active user communities who are likely to spot problems as they arise, other code libraries are not scrutinised or updated as much and as such could be open to attacks from new malware threats.
Despite increased reliance on this code, the vast majority of IT teams say they do not have total oversight of all the scripts running on their websites. Only 8% of security professionals polled by Osterman Research, on behalf of security vendor PerimeterX, said they had complete insight into the code running on their company’s site.
Shadow code risks: skimming attacks and formjacking
Shafir says that while organisations have plenty of controls in place to protect their systems from attacks on the server-side, end-user devices are a different matter. “This security issue is on the client side, on the browser of the end user of the website, so you can’t see it and you can’t block it,” he says. “Thousands or millions of customers are getting these scripts, and the liability [for any breach] is on the vendor.”
The most common types of attack associated with shadow code are digital skimming and formjacking, Shafir says. This is where attackers alter a script so that it redirects customer details to a different site so they can be exploited. “You won’t even know about it because you don’t have full visibility,” he says. “This is the problem with shadow code, you just don’t know if it’s secure or not.”
E-commerce businesses are a regular target for digital skimmers, with Magecart attacks particularly commonplace. Magecart is a consortium of hackers that targets online shopping carts, using compromised third-party software to skim customer data. The group is thought to have been active since 2016, and high-profile victims of Magecart-style attacks in 2020 included Nutribullet and the Warner Music Group.
Guarding against problems caused by shadow code
Using third-party code is not necessarily problematic as long as appropriate checks and procedures are in place, GlobalData’s Bicknell says. “If you put that code in you need a means of being able to check it,” he says. “Otherwise it’s possibly a case of more haste, more expense down the line. People are under pressure to do things quickly and logic dictates that it makes sense to use these third-party libraries. But I think you’ve just got to have internal procedures in place to make sure you don’t cause yourself problems later.”
He says that using approval processes for scripts and libraries, using code analysis and verification tools to detect vulnerabilities and putting a content security policy in place can help avoid or mitigate problems. “That way if you do have issues you can show that you’ve taken steps to protect yourselves,” he says.