Nearly half of US website owners have so little insight into third-party code that they can’t say definitively if their site has suffered a cyber breach, according to new research from PerimeterX.
The web app security vendor polled 501 organizations across multiple verticals to compile its latest report, Shadow Code: The Hidden Risk to Your Website.
According to the vendor, the challenge for these firms is the extensive use of third-party sources for code, many of which obtain their code in turn from other third parties.
It claimed that 99% of firms use this extensive software supply chain for web functionality, including ad tracking, payments, customer reviews, chatbots, tag management, social media integration, and helper libraries that simplify common functions.
What’s more, almost 80% of respondents said that these third-party scripts and open source libraries account for 50-70% of their website’s functionality.
The organizations polled recognized the potential risks involved in severe attacks on their web infrastructure, citing damage to brand and corporate reputation, loss of future revenue and potential lawsuits as potentially “huge” or “major” problems.
However, 48% could not say whether their site had been attacked, up from 40% in 2020.
PerimeterX argued that shadow code — scripts and libraries added without IT oversight or security vetting — is a challenge that could introduce hidden risks to the organization.
Although respondents claimed to understand shadow code, only a quarter (25%) said they perform a security review for every script modification, and only a third (33%) automatically detect potential problems.
“While awareness is growing about the consequences of successful cyber-attacks and most organizations claim to have addressed the risks of shadow code, digging deeper into our survey responses shows there is a false sense of security,” argued Brian Uffelman, VP and security evangelist at PerimeterX.
“Organizational security review processes are insufficient, capabilities to automatically detect changes have low adoption, and other means of assessing threats from code vulnerabilities are not up to the task.”
A report from Sonatype last week claimed that software supply chain attacks have surged 650% in just a year as threat actors inject vulnerabilities into upstream open source projects.