Companies often use third-party scripts or open-source libraries to speed up their development processes. This type of code is called Shadow Code, and it is very useful in open innovation, among other functions. However, it makes organizations more vulnerable to cyberattacks.
According to a new report published by Osterman Research and PerimeterX, the percentage of organizations with complete visibility into their code is now 8%, compared to 10% last year.
Ameet Naik, the Security Evangelist at PerimeterX, said that the fall is because of the dynamic nature of scripts. The analyst might see something different from what runs on the customer’s browser.
Security becomes harder
For about a third of the organizations and businesses that participated in the study, 40-60% of their website scripts are made up of third-party code. The industry standard says you can include up to 70%. Even though these numbers are below the set standard, they become an obstacle when enforcing security.
Solving problems is not simple. 1 out of 5 of the respondents said that their teams have full authority to remove any code they deem suspicious. That leaves 4 out of 5 businesses with no transparent security enforcement when it comes to third-party code.
Trust by verifying
Granted, shadow code is an inextricable part of modern web app development. Third-party scripts provide essential and valuable functions used in analytics, chatbots, and payment services. Businesses can take a different approach where they trust third-party code by verifying that it is safe.
Verification would involve using browser-native tools that can put the code to the test. By testing the code, organizations can know for sure that they have a secure system.
If they opt not to perform these checks, they could be opening themselves up to a whole world of trouble if cyberattackers identify vulnerabilities.