In the fast-paced world of web development, staying ahead of the curve is paramount, as developers are frequently under pressure to deliver products and functionalities quickly and efficiently. To meet accelerated timelines, they often leverage third-party scripts and open-source libraries, expediting the development process and enhancing the application’s functionality. However, this practice is not without its risks.
One such risk is the introduction of “Shadow Code” into their applications. Shadow Code exposes applications to numerous unknown risks, making it challenging for businesses to ensure data security, privacy, and compliance with regulations like PCI DSS and the GDPR. As organizations continue to modernize their operations, understanding and managing Shadow Code has become a top priority.
What is Shadow Code?
Shadow Code is essentially any piece of code that is incorporated into an application without going through the proper channels of scrutiny and approval by the security team and/or IT department. The term is derived from “Shadow IT”, which refers to the use of unapproved IT software, services, and devices to facilitate business operations. It is also reminiscent of Shadow APIs, unauthorized or unmanaged APIs that operate without official approval or oversight within an organization.
As a result of the focus on speed, productivity, and innovation during the development process, the introduction of scripts and code into applications is often done without a formal review and approval process. For instance, a developer might find a useful piece of JavaScript on GitHub that speeds up a certain process or adds a desirable feature to the website. They incorporate this code into the application, bypassing the normal review and approval process. This is a classic example of Shadow Code.
What are the risks associated with Shadow Code?
The primary risk associated with Shadow Code lies in its unknown nature. Since it hasn’t been properly vetted, there’s no guarantee that it’s secure or that it doesn’t contain hidden malicious functionality. Even if all of your third-party code has been reviewed and approved, how would you know if a familiar service has been compromised after its review and approval?
Among the many threats it introduces, Shadow Code exposes applications to malicious code injection, website defacement, data exfiltration, script-based attacks, SQL injection, ad injection, clickjacking, sideloading, and cross-site scripting.
Shadow Code can have dire consequences for an organization, potentially resulting in substantial data breaches; digital skimming and Magecart attacks are direct examples of malicious behaviour hidden within it. These attacks work by injecting JavaScript into first-party code or into the code of third-party services used on legitimate websites. Because JavaScript executes on the client side, the injected code can collect sensitive personal information directly from the browser every time a customer enters their information into a site.
PCI DSS recently introduced new application security requirements that relate directly to the risks associated with Shadow Code. They address the risks posed by scripts loaded and executed on payment pages: acknowledging that such scripts can lead to malicious script execution and data exfiltration, the requirement goes into detail on how scripts on payment pages should be managed.
It’s not just financial regulations such as PCI DSS that outline requirements for protecting data. Data privacy regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD) are all relevant too. These impose strict data protection and privacy requirements on digital businesses to safeguard individuals’ privacy and control over their data in digital environments. The introduction of Shadow Code can make it difficult for organizations to ensure they are always in compliance with these regulations.
How to reduce the risks associated with Shadow Code
Reviewing and verifying the security, compatibility, compliance, and absence of malicious intent in code is crucial for a strong application security posture. To do so, establish a formal process for script review, integrity assurance, and approval. This is essential in managing the risks associated with Shadow Code.
The first step is to inventory all third-party scripts used in your applications and establish a method of notifying your security team whenever a new script is added and requires review.
Next, you should schedule timely reviews of all code, to reduce the risk that any of it has been compromised after its initial review.
When it comes to enforcement, you can make use of HTTP Content-Security-Policy (CSP) headers. These let a web application restrict the sources from which scripts and other resources may be loaded, by defining the appropriate CSP directives in the HTTP response header. Bear in mind that while CSP headers offer valuable security benefits, their enforcement and maintenance are intricate due to the nuanced balance between security, functionality, and the diverse nature of web applications within an organization.
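The three steps above (inventory, periodic re-review, CSP enforcement) combined in one small tool, as an added example that is not part of the original post or of any Imperva product: it extracts the origins of external scripts from a page's markup, flags any origin missing from the approved inventory as candidate Shadow Code, counts inline scripts that a strict policy would block, and emits a script-src policy built only from the approved origins. The page markup, the approved-origins list and the report endpoint are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample markup standing in for a checkout page (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-approved.com/analytics.js"></script>
<script src="https://static.example-approved.com/ui/bundle.js"></script>
<script src="https://unknown-cdn.example.net/helper.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""

# Hypothetical inventory of origins that passed the review and approval process.
APPROVED_ORIGINS = {
    "https://cdn.example-approved.com",
    "https://static.example-approved.com",
}

_EXTERNAL_SCRIPT = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
_INLINE_SCRIPT = re.compile(r'<script\b(?![^>]*\bsrc=)[^>]*>', re.IGNORECASE)


def script_origins(html):
    """Inventory step: the set of origins (scheme://host) that supply external scripts."""
    origins = set()
    for src in _EXTERNAL_SCRIPT.findall(html):
        parsed = urlparse(src)
        if parsed.scheme and parsed.netloc:
            origins.add(f"{parsed.scheme}://{parsed.netloc}")
    return origins


def unreviewed_origins(html, approved):
    """Origins serving scripts that are not in the approved inventory: candidate Shadow Code.
    Run this on every deploy (and on a schedule) so new or changed scripts trigger a review."""
    return script_origins(html) - set(approved)


def inline_script_count(html):
    """Inline scripts break once 'unsafe-inline' is dropped; count them before enforcing."""
    return len(_INLINE_SCRIPT.findall(html))


def build_csp(approved, report_uri, report_only=False):
    """Enforcement step: (header name, value). Only reviewed origins may supply scripts,
    plugins are disabled, and violations are reported. Start in report-only mode."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    sources = " ".join(sorted(approved))
    value = f"script-src 'self' {sources}; object-src 'none'; report-uri {report_uri}"
    return name, value


if __name__ == "__main__":
    print("unreviewed:", unreviewed_origins(SAMPLE_HTML, APPROVED_ORIGINS))
    print("inline scripts:", inline_script_count(SAMPLE_HTML))
    print(build_csp(APPROVED_ORIGINS, "/csp-report", report_only=True))
```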
To streamline this process, consider investing in an application security solution that offers client-side protection capabilities. Such solutions provide visibility into third-party scripts through continuous discovery and monitoring, and alert you whenever new scripts that require review and approval are discovered. They also let you easily approve or block scripts from executing. More advanced solutions provide visibility into script changes and into scripts brought in through the software supply chain, and include AI capabilities that can review code and explain what it does. This saves precious time that your security team can spend on other projects.
Shedding light on Shadow Code with Imperva
Understanding, identifying, and managing Shadow Code is crucial in today’s digital landscape. By taking proactive measures, businesses can ensure they continue to innovate rapidly without compromising on security.
Imperva Client-Side Protection is designed to help you manage the risks associated with Shadow Code. It provides continuous monitoring for new JavaScript services, giving your security team visibility and control over any third-party code embedded in your web applications.
Client-Side Protection also provides actionable insights to your security team, helping them make informed decisions about the nature of each service and whether it should be allowed to run. It uses AI to provide security teams with information about what each script is doing without having to read the script code. And if any JavaScript code is compromised and attempts to send data elsewhere, your security team is the first to know.
By providing clear visibility, actionable insights, and easy controls, it empowers your security team to effortlessly secure your website supply chain and maintain compliance with data privacy regulations, including those set in the latest version of PCI DSS.