Modern web applications make extensive use of third-party scripts and open source libraries to speed up innovation and be responsive to business needs. Studies show that up to 70% of the scripts running on a typical website are third-party, and these in turn call other scripts, creating an extensive digital supply chain. These scripts and libraries introduce Shadow Code into the application, which alters its security posture and vastly expands the attack surface. The recent succession of digital skimming and Magecart attacks on the client side of web applications is one such consequence of Shadow Code.
Paradigms like CI/CD, DevOps and DevSecOps enable a faster app development pipeline but make it harder to meet information security standards and data privacy requirements. However, security and innovation do not need to be at odds.
- Shadow Code and its negative impacts on your applications
- Findings from a 2020 survey on the scope and impacts of Shadow Code in web applications
- Strategies to manage Shadow Code risk using a trust-but-verify model
Ameet Naik, Cybersecurity Evangelist, PerimeterX