Q&A: Experts Weigh in on the Hidden World of Shadow Code

Exploring the Hidden World of Shadow Code

Earlier this month, PerimeterX co-hosted a Tweet Chat with IT Security Guru on the topic of Shadow Code and invited a variety of industry experts including analysts, influencers and executives to weigh in on this little-known threat. The conversation lasted for an hour and delved into the issue from the perspective of DevOps, IT security, e-commerce and beyond. Participants included the following individuals:

Q1: Have you heard the term #ShadowCode before? If yes, what do you understand it to mean?

Carlos: I think of #ShadowCode as the generally overlooked and often unknown third-party or “nested service provider” code that is incorporated into your e-commerce websites without the knowledge of the security team or awareness of its impacts on security, latency or compliance.

Jamie: #ShadowCode is the use of third-party scripts and libraries in a web application. 80% of code used in applications today originates outside an organization. External code, called open-source, provides accelerated value delivery, but it also represents a risk to the organization.

Quentyn: #ShadowCode is code that’s been cut and pasted from other third-party locations and may not have been vetted to the same degree as your own written code. It doesn’t mean it’s inherently insecure though.

Ameet: Application development today makes extensive use of third-party scripts and open source libraries, which are great for innovation and agility, but the end result is you don’t really know what code is running (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: