Shadow code from third-party libraries is a major cybersecurity risk for most web applications, with owners fearful of brand damage and lawsuits
PerimeterX published its report “Shadow Code: The Hidden Risk to Your Website” analyzing the use of third-party scripts on web applications.
The report, conducted by Osterman Research, noted that most websites use third-party libraries to simplify common functions such as ad tracking, payment integration, chatbots, customer reviews, social media integration and tag management, among others.
However, these frequently added third-party scripts and open-source libraries come with application-security risks such as digital skimming and Magecart attacks.
Additionally, most organizations lack code visibility in third-party scripts, while half of website owners cannot confirm that their websites have not been hacked.
Almost all web apps use shadow code, lack visibility
According to the report, 99% of those surveyed said their websites use supply chain vendors or third-party code from vendors who in turn get code from their partners. Over three-quarters (80%) said third-party scripts made up 50-70% of their website functionality. This exposes most websites to the risks of shadow code.
Additionally, website owners lack visibility into third-party code and so cannot verify that their web applications are safe from cyberattack risks. Likewise, nearly half (48%) of survey respondents could not say for sure that their websites had not suffered a cyberattack.
Concerns about cyber attacks
Fear of cyber attacks has increased from 45% in 2020 to 61% in 2021, fear of supply chain attacks from 28% to 50%, and fear of Magecart attacks from 47% year over year.
While 37% confirmed that their websites have suffered a cyber attack, 15% do not believe their websites have been breached.
“The percentage of respondents who suspect their website may have been attacked – but lack the visibility to definitively report it – has increased from 40% in 2020 to 48% in 2021,” said Michael Sampson, Senior Analyst at Osterman Research.
Most respondents said that they understood the security risks of shadow code. However, only a quarter (25%) performed a security review of script changes, and only a third (34%) were able to automatically detect potential issues with changes to third-party libraries.
“It is imperative that organizations examine how they detect and manage risks to web applications,” Sampson continued. “For the third year in a row, our research continues to shed light on these critical issues for digital businesses.”
Fears of serious consequences
PerimeterX’s report on third-party shadow code found that respondents were concerned about the serious consequences of client-side data breaches.
Half of them cited brand damage, loss of company reputation, loss of future revenue, and potential lawsuits as huge or major challenges. Lost revenue can plausibly be attributed to the reputation damage caused by cyber attacks.
Fear of lawsuits increased from 23% in 2020 to 52% in 2021, while fear of legal fees increased from 26% to 48% during the same period.
Notably, fear of regulatory and enforcement measures under the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) increased from 32% to 44% and from 37% to 42%, respectively, between 2020 and 2021.
“Lawsuits and legal fees, which were considered the least important in last year’s investigation, are now the fourth and fifth most serious consequences of a data breach,” the researchers wrote. “On the other hand, the fines/application of the CCPA and the GDPR are now the least serious consequences.”
Urgent need to manage shadow code risks
The research revealed an urgent need to address the security risks posed by shadow code in third-party libraries. Three-quarters (75%) of respondents plan to purchase security solutions to fix vulnerabilities in website scripts within the next 12 months.
“Respondents seem more willing to take active steps to mitigate these risks, with 75% saying they intend to purchase solutions to address website scripting vulnerabilities over the next 12 months,” Sampson said.
PerimeterX’s Shadow Code Report shows that while some third-party libraries may be popular with development teams, most organizations can’t confirm for sure that they don’t contain risky shadow code that could be exploited by hackers.