Skip to main content

Shadow code places businesses at greater risk of attack

(Image credit: Image source: Shutterstock/McIek)

Using shadow code (third-party scripts and open source libraries) may allow businesses to expedite development processes, but also increases the risk of cyberattack.

This is according to a new report from PerimeterX and Osterman Research, which claims that just eight percent of organizations have complete visibility into the code running on their website, down from ten percent last year.

Speaking to SC Media, Ameet Naik, Security Evangelist at PerimeterX, said the fall is due to the highly dynamic nature of these scripts. Thus, what the analyst sees might differ significantly from what actually runs on a customer’s browser.

For roughly a third of the businesses polled for the report, 40-60 percent of their website scripts are comprised of third-party code. While this is still below the industry standard of 70 percent, it presents a “formidable obstacle” to security.

Solving this issue is also no simple matter, with just one fifth of respondents claiming their teams have full authority to eliminate suspicious code, down from a third last year.

Shadow Code is an unavoidable part of modern web applications. Third-party scripts provide essential, much needed value-added functions such as analytics, chatbots and payment services," explained Naik.

Instead, he believes businesses should take the “trust but verify” approach, using "browser-native tools to perform a first-pass triage of third-party scripts running on their website."