Businesses are under pressure to digitise – and fast – so software developers are eager to find time-saving tricks. As a result, the use of third-party scripts and open-source code libraries across major websites is on the rise. But this so-called ‘shadow code’ can lead to security flaws finding their way into sensitive systems, leaving businesses and their customers vulnerable to costly data breaches.
What is shadow code?
‘Shadow code’ refers to third-party code that developers include in their applications, typically without the review their own code would get. The most common sources are JavaScript libraries such as jQuery, packages pulled from registries such as npm (the Node.js package ecosystem), and scripts loaded at runtime from another organisation’s servers, all of which provide common functions needed to run websites.
The pressure to rapidly digitise during the pandemic means more development teams are using other people’s code to deliver rapid results, says David Bicknell, principal analyst at GlobalData who covers cybersecurity. “The situation with Covid-19 and the need to do more business online means that companies that may not have necessarily digitally transformed themselves have now realised that they’ve got to do it,” he says. “Because of this, people are under pressure so they take these ready-made libraries and use the code and that creates a risk.”
Much like shadow IT, where employees use systems that aren’t sanctioned by the central IT department, shadow code can be problematic because it isn’t subject to the necessary security checks and validation, so it can introduce vulnerabilities that criminals exploit, especially when outdated versions remain deployed. Though widely used projects such as jQuery and the Node.js ecosystem have large, active communities that are likely to spot problems as they arise, other code libraries receive far less scrutiny and fewer updates, so known flaws may go unpatched and malicious changes may go unnoticed.
A problem with third-party JavaScript is thought to have led to a high-profile data breach at British Airways, which was fined by the Information Commissioner’s Office as a result of the incident: a record £183m penalty was initially proposed, later reduced to £20m. The breach saw details of around 400,000 customers leaked. “We might see more examples like this in the race to get digital transformation done,” Bicknell says.
The rise of shadow code
Web applications increasingly run in the end user’s browser through JavaScript code. Because of this, the volume of code requested by the user’s computer has shot up over the past decade. According to HTTP Archive, which collates information from millions of websites, the average amount of JavaScript requested by a webpage in December 2020 was 448KB, up 406% since 2011. The figure is 414KB for mobile devices, up 690% in the same period.
Despite increased reliance on this code, the vast majority of IT teams say they do not have total oversight of all the scripts running on their websites. Only 8% of security professionals polled by Osterman Research, on behalf of security vendor PerimeterX, said they had complete insight into the code running on their company’s site.
Shadow code risks: skimming attacks and formjacking
Developers typically use third-party JavaScript for common functions such as an online shopping cart or payment process, says Avishai Shafir, director of product management at PerimeterX. “It can be in order to collect analytics for marketing, provide users with nice graphics, or enable payment,” he says. “The problem is that because you didn’t write this code and you didn’t check it for security, you are potentially putting vulnerabilities into your environment.”
Shafir says that while organisations have plenty of controls in place to protect their systems from attacks on the server-side, end-user devices are a different matter. “This security issue is on the client side, on the browser of the end user of the website, so you can’t see it and you can’t block it,” he says. “Thousands or millions of customers are getting these scripts, and the liability [for any breach] is on the vendor.”
The most common types of attack associated with shadow code are digital skimming and formjacking, Shafir says. In these attacks, criminals modify a script that runs on the page, or add one of their own, so that data typed into forms, such as card numbers and addresses, is copied to a server they control while the page continues to work normally. “You won’t even know about it because you don’t have full visibility,” he says. “This is the problem with shadow code, you just don’t know if it’s secure or not.”
E-commerce businesses are a regular target for digital skimmers, with Magecart attacks particularly commonplace. Magecart is an umbrella name for a number of criminal groups that target online shopping carts, using compromised third-party software to skim customer data. The activity is thought to date back to 2016 or earlier, and high-profile victims of Magecart-style attacks in 2020 included Nutribullet and the Warner Music Group.
Guarding against problems caused by shadow code
Using third-party code is not necessarily problematic as long as appropriate checks and procedures are in place, GlobalData’s Bicknell says. “If you put that code in you need a means of being able to check it,” he says. “Otherwise it’s possibly a case of more haste, more expense down the line. People are under pressure to do things quickly and logic dictates that it makes sense to use these third-party libraries. But I think you’ve just got to have internal procedures in place to make sure you don’t cause yourself problems later.”
He says that using approval processes for scripts and libraries, using code analysis and verification tools to detect vulnerabilities, and putting a Content Security Policy (CSP) in place, which tells the browser which origins it may load scripts from and send data to, can help avoid or mitigate problems. “That way if you do have issues you can show that you’ve taken steps to protect yourselves,” he says.