Risks and Rewards of Shadow Code
Nearly all websites include open-source script libraries and third-party add-ons that provide user-friendly functionality. This code has been dubbed shadow code because most digital businesses don’t have complete visibility into the third-party scripts running on their sites. That blind spot leaves website owners unaware of security vulnerabilities that cybercriminals can exploit in client-side supply chain attacks, such as Magecart and digital skimming, personally identifiable information (PII) harvesting and formjacking attacks.
Despite this, 70% of a typical website’s client-side code is third-party. Developers leverage this external code for functionalities like font delivery, payment processing and customer login because it saves significant time and resources. Marketing also gets into the third-party game by adding tracking tools, chatbots, and other applications that enhance user experience.
Third-party code is necessary for businesses to stay relevant in a quickly changing and expanding digital world, but it can also open the door to major security issues. In fact, 92% of website decision makers say they don’t have complete visibility into this code on their sites. Read on to learn why this is good news for fraudsters.
Fraudsters Like Blind Spots
Third-party applications are a good example of software supply chain blind spots. A digital business can use an app from a trusted third party, but that application might rely on a fourth or even a fifth party to add functionality to it. This elongates the supply chain and opens website owners to vulnerabilities in every external link. This means that if a hacker infiltrates a library or a technology that’s a component of the third party, every site using it could be compromised.
The Blame Game
Even if a data breach occurs via an open-source library or a third-party application, the website from which the data was stolen is held responsible for the loss. When users’ login credentials, card numbers or social security numbers are sold on the dark web, those users won’t know anything about the third party that was originally hacked, but they will know that they made a purchase on the compromised site. Given that nearly 60% of consumers say they won’t buy from a website that has been breached in the prior 12 months, this is a costly problem for digital businesses.
The other issues that breached sites need to worry about are payment card industry (PCI) compliance and data privacy regulations. The California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) were passed to safeguard consumer privacy and provide data protection. If digital businesses aren’t fully compliant, they are breaking the law and will be subject to fines.
Reconciling Third Parties and Website Security
Although open-source libraries and third-party applications cause headaches, writing them off isn’t an option. The flexibility they provide to developers and the benefits they add to user experience are too valuable. Instead, digital businesses must add security tools that will protect their customers and themselves.
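The first step toward the visibility the article says most businesses lack is simply knowing which scripts a page loads and from where. The following is an added example (not code from the article or any vendor it describes): it inventories the script tags in a page, classifies each as first-party, third-party or inline, and flags external scripts that carry no Subresource Integrity hash. The HTML, the page URL and the "same host or a subdomain of it" rule for what counts as first-party are all constructed assumptions for the demo.

```javascript
// Constructed sample page: one first-party script, three external ones (one pinned with SRI),
// and one inline script. None of these hosts are real.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-fonts.net/loader.js"></script>
<script src="https://js.example-payments.com/v3/" integrity="sha384-abc123" crossorigin="anonymous"></script>
<script>window.dataLayer = [];</script>
<script src="//chat.example-widget.io/embed.js"></script>
</head><body></body></html>`;
const SAMPLE_PAGE_URL = "https://shop.example.com/checkout";

// Parse name="value" pairs out of the inside of a <script ...> tag.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one record per <script> tag: resolved src, party classification, SRI present or not.
function inventoryScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const results = [];
  for (const [, attrText] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttributes(attrText);
    if (!("src" in attrs)) {
      results.push({ src: null, party: "inline", sri: false });
      continue;
    }
    // new URL() resolves relative ("/static/app.js") and protocol-relative ("//host/x.js") sources.
    const src = new URL(attrs.src, page);
    // Assumed rule: the page's own host or any subdomain of it is first-party; everything else is third-party.
    const sameSite = src.hostname === page.hostname || src.hostname.endsWith("." + page.hostname);
    results.push({ src: src.href, party: sameSite ? "first" : "third", sri: Boolean(attrs.integrity) });
  }
  return results;
}

// Third-party scripts without an integrity hash can change at the CDN without the page noticing;
// these are the entries to review first.
function unpinnedThirdParty(html, pageUrl) {
  return inventoryScripts(html, pageUrl)
    .filter((s) => s.party === "third" && !s.sri)
    .map((s) => s.src);
}

console.log(unpinnedThirdParty(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Running this over a real page's HTML only shows the scripts declared in markup; scripts that other scripts load at runtime (the fourth and fifth parties described above) only appear by observing the live page, for example with a Content Security Policy in report-only mode.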