Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

“It was a dark and stormy night…” While this introduction works for spooky stories, no developer wants their app to become nightmare fuel. While you might be able to grab a flashlight to comfort yourself around a campfire, you don’t have the same protection when you’re working on an application. Increasingly, developers use third-party code that presents a security threat. Since developers primarily focus on the application’s core functionality, they may not realize these risky code snippets exist. 

To improve your app’s security, you can shed light on shadow code with continuous source code scanning and vulnerability prioritization. 

What is Shadow Code?

Shadow code consists of the unapproved or unauthorized scripts embedded in third-party code and libraries that developers unknowingly integrate into their software. Shadow code creates security and compliance risks. Since developers don’t realize their source code contains these snippets, they may not identify vulnerabilities that attackers can exploit. 

Shadow code leaves applications vulnerable to various threats, including:

  • Malicious code injection
  • Website defacement
  • Data exfiltration
  • Script attacks
  • SQL injections
  • Clickjacking
  • Sideloading
  • Cross-site scripting

For example, the Magecart attacks arose from vulnerable third-party JavaScipt shadow code executing on the client-side that attackers exploited, enabling them to collect sensitive data every time customers entered data.

Threats Hiding in the Shadows

Shadow code isn’t new. Developers have almost always used previously developed code to help them incorporate useful functionalities into their software and apps. In some cases, they include this code because it speeds up time-to-market. In other cases, the third-party code may work better with previously existing components. 

The explosion of open-source third-party components changes shadow code’s impact on an application’s security. For example, research estimates that any given piece of modern software consists of 70%-90% Free and Open Source Software (FOSS). 

Developers don’t need to stop using third-party code. However, they do need to identify potentially dangerous vulnerabilities and implement appropriate security measures. 

Fourth-party scripts and beyond

When an application calls a third-party script, it executes directly from the third-party’s web server. Loaded into the user’s browser, the malicious code executes from the third-party’s remote server, meaning it can bypass traditional security protections. 

If threat actors insert malicious code into the third-party script, they can successfully:

  • Exfiltrate data to remote servers they control
  • Redirect users to malicious websites 
  • Harvest credentials
  • Deploy digital skimming attacks

Code libraries

The code supply chain is analogous to the business supply chain. Nearly every developer includes third-party code scripts, including the developers of the script that you’re using. The further away from the original developer you are, the harder it becomes to trace the original script.

For example, Developer A uses code from the repository “FreeStuff.” Meanwhile, the “FreeStuff” developer incorporated code from the repository “TotallyFreeCode.” However, for Developer A, the code from “TotallyFreeCode” is a difficult to discover fourth-party script. 

Over time, identifying the original script may be nearly impossible. However, it can still contain a vulnerability that attackers can exploit. 

Get Out of the Shadow (Code)

You don’t have to stop using third-party scripts or libraries, but you should have processes and tools to help you secure your source code. 

Start with Trusted Sources

You can’t stop threat actors from poisoning the code supply stream. However, you should start by vetting all third-party libraries and sources. When reviewing sources, you should look at:

  • Package age and revision history
  • Author’s reputation
  • Number of clones and forks
  • Number of CVEs and resolution times
  • Number of dependencies

Identify All Components

You can’t protect your app against shadow code if you don’t know what you’re using. The lack of visibility across these integrated components is a fundamental reason that the Cybersecurity and Infrastructure Security Agency (CISA) requires a Software Bill of Materials (SBOM) as part of its “Secure Software Self-Attestation Common Form” and “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” publications. 

Identify All Dependencies

To mitigate risks arising from the additional code sources your third-party components rely on, you should identify all dependencies across your source code. For example, you should look for dependencies across:

  • User inputs
  • Log files
  • Databases
  • Custom code
  • Open-source libraries
  • Software Development Kits (SDKs)
  • Application Programming Interfaces (APIs)
  • Microservices

Automate Vulnerability Scans

You should regularly scan your source code to identify any vulnerabilities across your third-party components and their dependencies. By automating this process, you more accurately identify threats and ship secure applications faster.

Prioritize Remediation Around Reachability

A vulnerability’s existence isn’t always a high priority. You need to know whether attackers can exploit that vulnerability within the context of your source code. With visibility into this reachability, you can reduce the number of vulnerability tickets while speeding time-to-market. 

Qwiet AI: The Light Uncovering Shadow Code

With Qwiet AI’s preZero platform, you can scan millions of lines of code in minutes for visibility into all components, dependencies, and reachable vulnerabilities. Our platform quickly returns accurate and detailed findings while significantly reducing false positives. With our Code Property Graph (CPG), you gain a holistic view of your code, including data flows across the application, to quickly determine reachability and risk impact. 

 

Take our preZero platform for a free spin to see how Qwiet AI can help you identify shadow code. 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

AppSec DevOps
January 30, 2024 4 min to read

Handling Session Management in Web Applications

Back in 1893, the Lizzie Borden murders, where the Massachusetts woman was accused of killing both her parents with an ax, captivated the public and news media. Eventually found not guilty, one fundamental question perplexed police officers and the jury. Every door inside the Borden house had its own lock and corresponding key, an attempt […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers
January 16, 2024 4 min to read

Paying Off Your Loans: Technical Debt and Security Debt i...

Whether it’s school or car loans, you know that paying off your debt makes your life easier. It can improve your credit score, giving you more financial security. As a developer, you may also suffer from technical debt that impacts your application’s security. In a world where time to delivery is critical, you may make […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers DevOps Engineering
January 11, 2024 4 min to read

Understanding and Implementing HTTPS Strict Transport Sec...

Introduction Within the cascading bytes and bits of digital communications, developers forge pathways of data, threading information through the vast expanse of the internet. However, threats lurking within these pathways seek to intercept, manipulate, and exploit this data. This article ventures into HTTPS and Strict Transport Security (HSTS), offering developers a guide to comprehend, implement, […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
March 15, 2022 7 min to read

Secure Software Summit: The State of OSS Supply Chain Sec...

  The Open Source Software (OSS) Supply Chain is under attack. As evidenced by the recent Log4Shell vulnerability, the OSS supply chain is increasingly a focus for attackers seeking to exploit weak links in security. A number of research reports have recorded a significant increase in so-called “next-gen software supply chain attacks” over the past […]

READ MORE
Cybersecurity
December 1, 2021 5 min to read

Keeping the wrench out of the gears: 5 tips for achieving...

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In