
“It was a dark and stormy night…” While this introduction works for spooky stories, no developer wants their app to become nightmare fuel. While you might be able to grab a flashlight to comfort yourself around a campfire, you don’t have the same protection when you’re working on an application. Increasingly, developers rely on third-party code, and some of it presents a security threat. Since developers primarily focus on the application’s core functionality, they may not realize these risky code snippets exist. 

To improve your app’s security, you can shed light on shadow code with continuous source code scanning and vulnerability prioritization. 

What is Shadow Code?

Shadow code consists of the unapproved or unauthorized scripts embedded in third-party code and libraries that developers unknowingly integrate into their software. Shadow code creates security and compliance risks. Since developers don’t realize their source code contains these snippets, they may not identify vulnerabilities that attackers can exploit. 

Shadow code leaves applications vulnerable to various threats, including:

  • Malicious code injection
  • Website defacement
  • Data exfiltration
  • Script attacks
  • SQL injections
  • Clickjacking
  • Sideloading
  • Cross-site scripting

For example, the Magecart attacks worked exactly this way: attackers compromised third-party JavaScript that e-commerce sites loaded into their checkout pages, and the injected skimmer ran client-side with the same access to the page as the site’s own code, copying payment card details every time a customer typed them into the form.

Threats Hiding in the Shadows

Shadow code isn’t new. Developers have almost always used previously developed code to help them incorporate useful functionalities into their software and apps. In some cases, they include this code because it speeds up time-to-market. In other cases, the third-party code may work better with previously existing components. 

The explosion of open-source third-party components changes shadow code’s impact on an application’s security. For example, research estimates that any given piece of modern software consists of 70%-90% Free and Open Source Software (FOSS). 

Developers don’t need to stop using third-party code. However, they do need to identify potentially dangerous vulnerabilities and implement appropriate security measures. 

Fourth-party scripts and beyond

When a page includes a third-party script with a `<script src>` tag, the browser fetches that script from the third party’s server and then executes it inside the page, with the same origin and the same access to the DOM and form fields as the application’s own code. Nothing on the application side ever sees that code: server-side scanners, web application firewalls and code review all look at the first-party repository, not at whatever the remote host serves at request time. If the third party (or anyone who compromises it) changes the script, every user’s browser picks up the new version on the next page load. The same applies one level down: any script the third-party script loads in turn is a fourth-party script, and so on, each one outside your control and outside the scope of anything that reviewed your own code.

If threat actors insert malicious code into the third-party script, they can successfully:

  • Exfiltrate data to remote servers they control
  • Redirect users to malicious websites 
  • Harvest credentials
  • Deploy digital skimming attacks

Code libraries

The code supply chain is analogous to the business supply chain. Nearly every developer includes third-party code, and that includes the developers of the script you’re using, so your third-party dependency has third-party dependencies of its own. Each hop adds a maintainer, a build and a distribution channel that you never vetted, and the further a piece of code sits from your own repository, the harder it becomes to work out who wrote it, where it came from, or whether it has changed since you first pulled it in.