New Report Shows Lack of Security Confidence in Addressing the Hidden Risks of Shadow Code, Putting Organizations at High Risk of Attack

SAN MATEO, Calif., August 11, 2020 – – PerimeterX, the leading provider of application security solutions that keep digital businesses safe, today released “Shadow Code: The Hidden Risk to Your Website.” This second annual survey of security professionals uncovers the extent and impact of third-party scripts and open-source libraries used in web applications across organizations.

These third-party scripts and script libraries – collectively referred to as ”Shadow Code” – are a growing security risk as organizations rely on them to increase the pace of digital transformation. Similar to Shadow IT, where employees use cloud services and software that is not approved, monitored or supported by Corporate IT, Shadow Code includes any code introduced into a website or web application without approval or security validation. Shadow Code can be legitimate third-party services such as payment scripts, chatbots or analytics scripts, but can also include malicious scripts injected by hackers, as well as misconfiguration that results in outdated or vulnerable scripts used in production applications that handle sensitive user data.

AWS Builder Community Hub

Conducted with Osterman Research, a leading market research firm, the survey found that Shadow Code remains a blind spot for most information security teams, and trust is eroding. Only 8% of respondents reported that they have complete insight into the Shadow Code that is currently running on their websites. This is down from 10% in 2019. More than 30% of respondents reported that they do not trust the providers of their third-party scripts. This mistrust in third-party providers has increased by 77% since 2019.

“As organizations increasingly rely on digital channels and online interactions, Shadow Code is the new normal as businesses prepare for a holiday shopping season like no other.  Far from being a simple technical issue, Shadow Code has serious bottom-line implications. As the website owner, you are responsible for protecting user data on your website and are subject to increasing data privacy regulations such as CCPA. It is imperative to put processes and solutions in place that preserve the agility provided by third-party code and open source libraries, while managing the risks they introduce using a trust-but-verify model,” said Kim DeCarlis, CMO, PerimeterX.

Key findings of the report also include:

  • An average of 38% of respondents knew for a fact that their corporate websites had been hacked, and another 40% suspected they had been hacked.
  • Most don’t believe that their web properties are secure: only 30% of survey respondents affirm that their externally-facing web properties are completely secure from threats like Magecart attacks, down from about 40% in the 2019 survey.
  • Over 30% of respondents reported that anywhere from 40% to 60% of their website scripts are third-party. This is lower than the industry estimate of 70% percent being third-party scripts.
  • Only 22% of the respondents indicated that they or their teams have the full authority to shut down any suspicious script that they might find running on their website. This is down from 32% in 2019.
  • Compliance with data privacy regulations such as CCPA remains low. Only 30% of survey respondents reported that their externally facing web properties are secure and thus compliant with data privacy regulations.
  • The stakes remain high – half of all respondents believed that job terminations would be a likely consequence following a data breach.

The COVID-19 pandemic has also impacted adoption of web security solutions. When those knowledgeable about how their websites operate were asked about the anticipated time frame for deploying web security solutions, they reported significant delays. Currently 34% of respondents have deployed solutions to address the Shadow Code risk. However, had the pandemic and the associated lockdowns and slowdowns not occurred, this number would have been much higher, estimated by respondents at 47%. This means that 28% of organizations that wanted to protect their web applications have been unable to do so due to COVID-19.

“Modern websites and web applications will continue to leverage third-party scripts and libraries to innovate more quickly. However, our survey shows that while many organizations are improving their ability to address the problems inherent in Shadow Code by deploying the appropriate technologies and vetting third-party sources, trust in the digital supply chain remains low. Organizations must balance the agility of using third-party scripts and libraries with effective visibility and security controls to ensure they can reduce the risk of data breaches and comply with regulations,” said Michael Osterman, principal analyst of Osterman Research.

The survey was conducted during May and June 2020 with a total of 503 organizations in the United States across e-commerce, financial services, travel and hospitality, media and entertainment, gaming/online media and delivery services segments. For more information, read the full report.

About PerimeterX

PerimeterX is the leading provider of application security solutions that keep digital businesses safe. Delivered as a service, the company’s Bot Defender, Code Defender and Page Defender solutions detect risks to your web applications and proactively manage them, freeing you to focus on growth and innovation. The world’s largest and most reputable websites and mobile applications count on PerimeterX to safeguard their consumers’ digital experience. PerimeterX is headquartered in San Mateo, California and at