Shadow Code From Third-Party Libraries Is a Major Cybersecurity Risk for Most Web Applications, Owners Afraid of Brand Damage and Lawsuits

PerimeterX published its “Shadow Code: The Hidden Risk to Your Website” report analyzing the use of third-party scripts on web applications.

The report, written by Osterman Research, noted that most websites use third-party libraries to simplify common functions such as ad tracking, payment integration, chatbots, customer reviews, social media integration, and tag management.

However, these third-party scripts and open-source libraries, which are often added to a site with little scrutiny, carry application security risks such as digital skimming and MageCart attacks.

Additionally, most organizations lack code visibility into third-party scripts, while half of the website owners cannot confirm that their websites have not been hacked.

Almost all web applications use shadow code, lack visibility

According to the report, 99% of the survey respondents said that their websites use supply chain vendors or third-party code from vendors who also obtain code from their partners. Over three-quarters (80%) said third-party scripts account for 50-70% of their website’s functionality. This exposes most websites to the risks of shadow code.

Additionally, website owners lack the visibility into third-party code needed to verify that their web applications are safe from cyberattacks. Similarly, nearly half (48%) of the survey respondents could not definitively say that their websites had not suffered a cyberattack.

Concerns of cyber attacks

PerimeterX found that most (61%) website owners were “significantly concerned” about their websites being hacked, followed by digital skimming (59%), security risks from third-party scripts (58%), easy exploitation of client-side third-party scripts such as JavaScript libraries (55%), MageCart attacks (51%) and supply chain attacks (50%). Additionally, these concerns increased in 2021 compared to 2020.

For example, the fear of cyberattacks increased from 45% in 2020 to 61% in 2021, supply chain attacks from 28% to 50%, and MageCart attacks by 47% year over year.

While 37% confirmed that their websites had suffered a cyberattack, 15% did not think that their websites had been breached.

“The percentage of respondents who suspect their website may have been attacked — but lack the visibility to state definitively — grew from 40% in 2020 to 48% in 2021,” said Michael Sampson, senior analyst with Osterman Research.

Most respondents polled admitted that they understood shadow code security risks. However, only a quarter (25%) conducted a security review of script modifications, while just a third (34%) could automatically detect potential problems arising from modifications to third-party libraries.
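One way to implement the automated detection of third-party script modifications that the report finds most organizations lack, as an added example that is not part of the report or this article: it inventories the external `<script>` tags on a page, flags those loaded without a Subresource Integrity (SRI) pin, and verifies a fetched script body against its pinned digest. The HTML, script bodies and function names are constructed for the example and are not from PerimeterX or Osterman Research.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Digest algorithms browsers accept in an SRI integrity attribute.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value (e.g. 'sha384-<base64>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def verify_script(body: bytes, integrity: str) -> bool:
    """True if the fetched body matches any pinned token in a (space-separated) integrity value."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ALLOWED_ALGOS and hmac.compare_digest(sri_digest(body, algo), token):
            return True
    return False  # modified library, unknown algorithm, or empty pin


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every externally loaded <script>."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_external_scripts(html: str) -> list[dict]:
    """Inventory third-party scripts; 'pinned' is False where no SRI attribute is present."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [{"src": src, "integrity": integ, "pinned": integ is not None}
            for src, integ in collector.scripts]


# Constructed baseline of a vendor script and the pin a site would record for it.
ANALYTICS_JS = b"window.track = function (e) { /* constructed baseline body */ };\n"
ANALYTICS_PIN = sri_digest(ANALYTICS_JS)

# Constructed page: one third-party script pinned with SRI, one loaded without any pin.
SAMPLE_HTML = f"""<html><body>
<script src="https://cdn.example.test/analytics.js" integrity="{ANALYTICS_PIN}"></script>
<script src="https://widgets.example.test/chat.js"></script>
</body></html>"""

if __name__ == "__main__":
    for entry in audit_external_scripts(SAMPLE_HTML):
        print(("pinned  " if entry["pinned"] else "UNPINNED") + "  " + entry["src"])
    print("baseline verifies:", verify_script(ANALYTICS_JS, ANALYTICS_PIN))
    print("modified verifies:", verify_script(ANALYTICS_JS + b"/* tampered */", ANALYTICS_PIN))
```

Run against a site's rendered pages and a periodic fetch of each pinned script, a mismatch in `verify_script` or an unpinned entry in the audit is the signal the 34% figure refers to.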

“It’s imperative that organizations review how they detect and manage risks to web applications,” Sampson continued. “For the third straight year, our research continues to shed light on these critical issues for digital businesses.”

Fears of severe consequences

PerimeterX’s report on third-party shadow code found that the respondents were worried about severe consequences from client-side data breaches.

Half of them cited brand damage, loss of corporate reputation, loss of future revenue, and potential lawsuits as huge or major challenges. The anticipated revenue loss presumably follows from the reputational damage caused by cyberattacks.

The fear of lawsuits increased from 23% in 2020 to 52% in 2021, while the fear of legal expenses increased from 26% to 48% in the same period.

Notably, the fear of California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) regulatory and enforcement actions grew from 32% to 44% and 37% to 42% between 2020 and 2021, respectively.

“Lawsuits and legal expenses, which were considered the least important in last year’s survey, are now the fourth and fifth most serious consequences of a data breach,” the researchers wrote. “By contrast, CCPA and GDPR fines/enforcement are now the least serious consequences.”

Urgent need to address shadow code risks

The research found that there was an urgent need to address the security risks posed by shadow code in third-party libraries. Three-quarters (75%) of the respondents plan to purchase security solutions addressing website script vulnerabilities in the next 12 months.

“Respondents seem more willing to take active steps to mitigate these risks, with 75% stating that they intend to purchase solutions to address website script vulnerabilities within the next 12 months,” Sampson said.

PerimeterX’s shadow code report shows that while some third-party libraries may be popular with development teams, most organizations cannot definitively confirm that they do not contain risky shadow code that could be exploited by hackers.