Content, Channel partners, Content

Supply Chain Software Security and Websites: The Shadow Code Risks Explained

Credit: Getty Images

Shadow code, the use of any code in an application without authorization or security validation, represents a "massive" risk for third-party digital supply chains, according to an analysis of 4,300 of the world's largest websites in the first quarter of 2022 by cybersecurity company Source Defense.

Key takeaways from Source Defense's analysis included:

  • 49 percent of websites had external code present with the ability to retrieve form input and "listen" to end-user button clicks.
  • 23 percent of sites had external code with the ability to modify forms.
  • On average, websites had 12 third-party scripts and three fourth-party scripts.
  • Financial websites had the highest average of third-party scripts (16) and fourth-party scripts (six).
  • E-commerce websites had the lowest average of third-party scripts (10) and fourth-party scripts (four).

Managing risk relating to third- and fourth-party website scripts is both "a very necessary and a very challenging task," Source Defense pointed out. However, organizations can take steps to protect against these scripts and manage client-side application risks, including:

  • Perform a Website Analysis: Use website script data to understand total scripts on a site and average scripts per page, scripts on sensitive pages and code on scripts. This gives an organization data it can use to understand what scripts provide unauthorized access.
  • Provide Training: Teach employees about the risks associated with third- and fourth-party scripts. Create a training program to show workers how they can reduce and manage client-side application risks or expand an existing third-party risk management program to include this information.
  • Address Compliance and Exposure Risks: Determine if compromised scripts can lead to compliance violations or regulatory fines. From here, an organization can determine the best course of action to manage compliance and exposure risks based on industry data security standards.

Third- and fourth-party scripts can inject malicious shadow code into websites, Source Defense indicated. With the right approach, organizations can manage these scripts and guard against the shadow code that can come with them.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.