HUMAN Blog

Managing the Risks of Third-party Code in the Digital Supply Chain

Risks and Rewards of Shadow Code

Nearly all websites include open-source script libraries and third-party add-ons that provide user-friendly functionality. This code has been dubbed shadow code because most digital businesses don't have complete visibility into the third-party scripts running on their sites. That blind spot leaves website owners unable to see security vulnerabilities that cybercriminals can exploit in client-side supply chain attacks such as Magecart and digital skimming, personally identifiable information (PII) harvesting and formjacking.

Despite this, 70% of a typical website’s client-side code is third-party. Developers leverage this external code for functionalities like font delivery, payment processing and customer login because it saves significant time and resources. Marketing also gets into the third-party game by adding tracking tools, chatbots, and other applications that enhance user experience.

Third-party code is necessary for businesses to stay relevant in a quickly changing and expanding digital world, but it can also open the door to major security issues. In fact, 92% of website decision makers say they don't have complete visibility into the third-party code on their sites. Read on to learn why this is good news for fraudsters.

Fraudsters Like Blind Spots

Over the years, the architecture of modern websites has fundamentally changed. Originally the browser was simply a tool for viewing a website's data: pages were rendered on the server side, so by securing their own infrastructure, companies could offer a safe, albeit slow, user experience. Fast forward ten years and things have flipped. Dynamic JavaScript lets the browser render pages itself and lets assets be cached close to the user, which provides a faster and more engaging experience. But because so much of the code on a modern website is written and maintained elsewhere, website owners can't see it. Open-source libraries and third-party applications are served from their own networks and CDNs, so the site owner's server-side controls never see them, and that creates security blind spots that fraudsters are more than happy to exploit.

Third-party applications are a good example of software supply chain blind spots. A digital business can use an app from a trusted third party, but that application might rely on a fourth or even a fifth party to add functionality to it. This lengthens the supply chain and exposes website owners to vulnerabilities in every external link. If an attacker compromises a library or technology that is a component of the third-party app, every site using it could be compromised.

Recently, a CDN JavaScript library that's used by almost 13% of all websites reported a security weakness that could have compromised all of its users. A similar event occurred in the spring of 2021 when a vulnerability in the Homebrew Cask repository was reported. As fraudsters become more sophisticated and creative, it isn't a matter of if vulnerabilities like these will lead to a major data breach, but when.

The Blame Game

Even if a data breach occurs via an open-source library or a third-party application, the website the data was stolen from is held responsible for it. When users' login credentials, card numbers or social security numbers are sold on the dark web, those users won't know anything about the third party that was originally hacked, but they will know that they made a purchase on a compromised site. Given that nearly 60% of consumers say they won't buy from a website that has been breached in the prior 12 months, this is a costly problem for digital businesses.

The other issue that breached sites need to worry about is Payment Card Industry Data Security Standard (PCI DSS) compliance and data privacy regulations. The California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR) were passed to safeguard consumer privacy and provide data protection. If digital businesses aren't fully compliant, they are breaking the law and can be subject to fines.

Reconciling Third Parties and Website Security

Although open-source libraries and third-party applications cause headaches, writing them off isn’t an option. The flexibility they provide to developers and the benefits they add to user experience are too valuable. Instead, digital businesses must add security tools that will protect their customers and themselves.

A multi-layered approach to client-side security is fundamental. Web application firewalls (WAFs) protect against malicious HTTP requests, and a content security policy (CSP) acts as an in-browser firewall: an allowlist of the origins from which scripts may load. Both of these tools are important, but neither provides visibility into what client-side JavaScript actually does once it runs in the browser, nor protects against malicious or unwanted behavior from a script the policy already permits. HUMAN partners with Lumen to protect applications at the edge, with granular insight into third parties that dynamically load at run time. Learn more about how third-party scripts are leaving your website vulnerable here.