Will Shadow Code Grinch Ecommerce This Holiday Season?

As Originally published in Multichannel Merchant

A few days after the busiest Black Friday ever, a credit card fraud team contacts you after cardholders complain about unauthorized purchases. You ask your website team what’s going on. It turns out that during the summer push to finalize web application changes for the big season, one of your developers added code at the last minute to enhance animation effects. Your developer team picked a seemingly reputable open source JavaScript library with many GitHub stars and recent code contributions.

What GitHub couldn’t tell them is that the owner of the repository gave code commit access to a new contributor – who happened to be from a criminal card skimming gang. This malicious hacker had inserted obfuscated code that would skim credit card data on any site running the library. By the time your website security team found the attack, hundreds of thousands of customers’ card data had been skimmed.

Criminals had used the cards and password information to sneak in big transactions during the Black Friday rush, knowing you would reduce security restrictions to accommodate the crush of post-COVID shopping. Sadness ensues. Your company will pay millions to remediate this problem, and spend months gaining back customer trust. It’s a Black Friday nightmare, courtesy of Shadow Code.

What is Shadow Code and Why Does it Matter?

This story is hypothetical but all too real. Shadow Code is a growing risk for ecommerce companies as they strive to move faster and innovate more quickly. There are three types of Shadow Code:

  • Any internal code that the information security team didn’t approve before it went into production
  • Any third-party service or open source library not reviewed and approved by the information security team
  • Any code included by your third-party provider that you may not be (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2020/will-shadow-code-grinch-ecommerce-this-holiday-season/