The New Battleground is Shadow Code

Businesses across the world are undergoing rapid digital transformation as consumers increasingly shift to online channels. Your website has become your primary headquarters as offices and stores remain closed in many parts of the world. As stewards of this critical resource, you have to balance the need for agility with the security and privacy of your customers’ data. This balancing act has a new twist – Shadow Code.

Web application developers often rely on open source libraries and third-party scripts in order to innovate faster and keep pace with evolving business needs. These third-party scripts in turn call other scripts, creating a digital supply chain of fourth-, fifth- and Nth-party scripts powering your website. According to industry estimates, up to 70% of the scripts on a typical website are third-party. Often introduced without any formal approval process or security validation, these scripts run on the client side, which means traditional monitoring and security tools cannot provide you the full picture. So your application runs code that you never tested or approved, that your monitoring systems cannot see, and that you don’t have the ability to stop if something goes wrong.

This in a nutshell is the Shadow Code problem. Much like Shadow IT which introduces unapproved cloud services and apps into an organization, Shadow Code not only bypasses traditional procurement channels, but also evades policy controls. This makes it very difficult for organizations to maintain a strong security posture, comply with data privacy regulations and pass infosec audits.

So how big is this problem? PerimeterX, in conjunction with Osterman Research, completed the second annual survey of security professionals to uncover the extent and impact of Shadow Code across organizations in a diverse set of industries. The report released today, “Shadow Code: The Hidden Risk to Your Website,” (Read more...)