Skip to main content

Shadow code places businesses at greater risk of attack

(Image credit: Image source: Shutterstock/McIek)

Using shadow code (third-party scripts and open source libraries) may allow businesses to expedite development processes, but also increases the risk of cyberattack.

This is according to a new report from PerimeterX and Osterman Research, which claims that just eight percent of organizations have complete visibility into the code running on their website, down from ten percent last year.

Speaking to SC Media (opens in new tab), Ameet Naik, Security Evangelist at PerimeterX, said the fall is due to the highly dynamic nature of these scripts. Thus, what the analyst sees might differ significantly from what actually runs on a customer’s browser.

For roughly a third of the businesses polled for the report, 40-60 percent of their website scripts are comprised of third-party code. While this is still below the industry standard of 70 percent, it presents a “formidable obstacle” to security.

Solving this issue is also no simple matter, with just one fifth of respondents claiming their teams have full authority to eliminate suspicious code, down from a third last year.

Shadow Code (opens in new tab) is an unavoidable part of modern web applications. Third-party scripts provide essential, much needed value-added functions such as analytics, chatbots and payment services," explained Naik.

Instead, he believes businesses should take the “trust but verify” approach, using "browser-native tools to perform a first-pass triage of third-party scripts running on their website."

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.