Supply Chain Software Security and Websites: The Shadow Code Risks Explained
Shadow code, the use of any code in an application without authorization or security validation, represents a “massive” risk for third-party digital supply chains, according to an analysis of 4,300 of the world’s largest websites in the first quarter of 2022 by cybersecurity company Source Defense.
Key takeaways from Source Defense’s analysis included:
- 49 percent of websites had external code present with the ability to retrieve form input and “listen” to end-user button clicks.
- 23 percent of sites had external code with the ability to modify forms.
- On average, websites had 12 third-party scripts and three fourth-party scripts.
- Financial websites had the highest average of third-party scripts (16) and fourth-party scripts (six).
- E-commerce websites had the lowest average of third-party scripts (10) and fourth-party scripts (four).
Managing risk relating to third- and fourth-party website scripts is both “a very necessary and a very challenging task,” Source Defense pointed out. However, organizations can take steps to protect against these scripts and manage client-side application risks, including:
- Perform a Website Analysis: Use website script data to understand the total number of scripts on a site and the average number per page, which scripts load on sensitive pages, and what each script's code does. This gives an organization the data it needs to identify which scripts have access they were never authorized to have.
- Provide Training: Teach employees about the risks associated with third- and fourth-party scripts. Create a training program to show workers how they can reduce and manage client-side application risks or expand an existing third-party risk management program to include this information.
- Address Compliance and Exposure Risks: Determine if compromised scripts can lead to compliance violations or regulatory fines. From here, an organization can determine the best course of action to manage compliance and exposure risks based on industry data security standards.
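The "Perform a Website Analysis" step above can be started with a simple script inventory. The following is an added example (not code from Source Defense or from the original article) that parses a few constructed HTML pages from a hypothetical site, classifies each `<script>` as first-party or third-party against a list of domains the organization owns (here assumed to be `example.com`), counts inline scripts, and flags sensitive pages (assumed to be any path containing "login", "checkout", "payment" or "account") that load third-party code. A static inventory like this shows where external code is loaded, not what it does at runtime; reviewing what a script can read or modify on the page still needs a look at the code itself or a runtime monitor.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: three pages of a hypothetical shop site. The vendor
# hostnames use the reserved .example TLD and are not real services.
SAMPLE_PAGES = {
    "https://shop.example.com/": """
        <html><head>
        <script src="/static/app.js"></script>
        <script src="https://cdn.example.com/lib.js"></script>
        <script src="https://tagmanager.vendor.example/tag.js" async></script>
        <script>window.dataLayer = [];</script>
        </head><body><form id="search"></form></body></html>""",
    "https://shop.example.com/checkout": """
        <html><head>
        <script src="/static/app.js"></script>
        <script src="https://widget.payments.example/widget.js"></script>
        <script src="https://tagmanager.vendor.example/tag.js"></script>
        </head><body><form id="card"></form></body></html>""",
    "https://shop.example.com/about": """
        <html><head><script src="/static/app.js"></script></head>
        <body><p>About us</p></body></html>""",
}

# Assumption: the organization knows which domains it controls.
FIRST_PARTY_DOMAINS = {"example.com"}

# Assumption: path keywords that mark a page as handling sensitive input.
SENSITIVE_KEYWORDS = ("login", "checkout", "payment", "account")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and counts inline scripts on one page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def classify(src, first_party_domains):
    """Return 'first-party' or the third-party host serving the script."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return "first-party"  # relative URL: served by the site itself
    host = (parsed.hostname or "").lower()
    for domain in first_party_domains:
        if host == domain or host.endswith("." + domain):
            return "first-party"
    return host


def is_sensitive(page_url):
    path = urlparse(page_url).path.lower()
    return any(word in path for word in SENSITIVE_KEYWORDS)


def analyse_site(pages, first_party_domains):
    """Build the per-page and site-wide script inventory described in the text."""
    per_page = {}
    host_counter = Counter()  # how many pages load code from each third-party host
    for url, html in pages.items():
        collector = ScriptCollector()
        collector.feed(html)
        third = [h for h in (classify(s, first_party_domains) for s in collector.external)
                 if h != "first-party"]
        host_counter.update(set(third))
        per_page[url] = {
            "external": len(collector.external),
            "third_party": len(third),
            "inline": collector.inline,
            "sensitive": is_sensitive(url),
            "third_party_hosts": sorted(set(third)),
        }
    total_third = sum(p["third_party"] for p in per_page.values())
    return {
        "pages": per_page,
        "total_third_party_scripts": total_third,
        "avg_third_party_per_page": total_third / len(pages) if pages else 0.0,
        "sensitive_pages_with_third_party": sorted(
            u for u, p in per_page.items() if p["sensitive"] and p["third_party"]),
        "third_party_hosts": host_counter,
    }


if __name__ == "__main__":
    report = analyse_site(SAMPLE_PAGES, FIRST_PARTY_DOMAINS)
    print("third-party scripts:", report["total_third_party_scripts"],
          "avg/page:", report["avg_third_party_per_page"])
    for url, info in report["pages"].items():
        print(url, info)
    print("sensitive pages loading third-party code:",
          report["sensitive_pages_with_third_party"])
```

Run it on exported HTML (or on pages fetched by a crawler) and the `sensitive_pages_with_third_party` list is the starting point for the review the article calls for: each host on a checkout or login page is one whose code can, in principle, read the form fields on that page.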
Third- and fourth-party scripts can inject malicious shadow code into websites, Source Defense indicated. With the right approach, organizations can manage these scripts and guard against the shadow code that can come with them.