First-of-its-Kind Report Sizes Massive "Shadow Code" Risk for World's Largest Businesses
Source Defense announced the results of a study, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties, that for the first time sizes the security, privacy, and compliance risks that are literally designed into the digital supply chains of major business websites. This risk, originating from highly dynamic and unpredictable scripts and code from third parties and beyond, permeates every aspect of a business's web presence. On the whole, this report sheds light on a woefully underestimated risk that most famously resulted in the theft of financial and personal information for more than 400,000 British Airways passengers in 2018, and resulted in the largest fines ever from the British Information Commissioner's Office (ICO).

Organizations collecting sensitive information, enabling business transactions or conducting commerce through their web properties, are under a constant risk of attack. The pace of adversarial activity is only increasing as retail and e-commerce companies enjoy exponential growth, as travel and lodging needs increase post-pandemic, and as healthcare and financial services transactions move more critical and sensitive functions online.

The report's top-line findings show an average of 15 externally generated scripts per site, with an average of 12 scripts on sensitive pages specifically. Financial services was the most exposed vertical, with nearly 60% more scripts on average on sensitive pages, double the number per page overall, and triple the number of fourth-party scripts. The data comes from an analysis of 4,300 of the world's largest websites across the most prevalent verticals during the first quarter of 2022, undertaken to identify both security and compliance issues lurking within the website digital supply chain. The company mapped the sprawl of third- and fourth-party scripts across each website and on individual pages - including sensitive pages that handle PII, financial data, etc. - and the usage and variance across the most prevalent verticals.

"While retail and credit card breaches grab the most headlines, this is a pervasive and relatively unchecked risk to both security and privacy across all verticals," said Dan Dinnar, CEO of Source Defense. "It's also a fast-growing and extremely volatile issue with regard to sensitive data. Organizations and their digital supply chain partners are constantly updating sites and code, and the data of greatest value to malicious actors is collected on the pages where the business has the greatest need for analytics, tag management, and other tracking and management capabilities."

Extensive libraries of third-party scripts are available free, or at low cost, from a range of communities, organizations, and even individuals, and are extremely popular because they let development teams quickly add advanced functionality to applications without the burden of creating and maintaining it themselves. These packages also often contain code from additional parties further removed from - and farther outside the purview of - the deploying organization. Making matters worse, they are served remotely from a server belonging to the third party and provide everything from social media connections to marketing tracking and analytics. If such a script has been compromised, the shadow code comes with it and goes straight to the user's browser without the organization's defenses being able to detect it. From there, scripts can exfiltrate data to remote servers, redirect users to malicious websites, or lay the groundwork for formjacking, digital skimming, and credential harvesting attacks.

In analyzing the potential external script threat surface, Source Defense found additional risks including:

  • Nearly half of all sites (49%) had external code present with the ability to retrieve form input and "listen" to user button clicks, and more than one in five sites had external code with the ability to modify forms.
  • On average, one in four of all scripts was fourth-party code, as was one in five scripts on individual pages.
  • Per page, analysis found an average of five scripts, with at least one a fourth-party script. The number was much larger on sensitive pages, at an average of 12 external scripts in contact with everything from credentials to account and financial details.
  • The two most exposed verticals were financial services and healthcare, with an average of 16 and 13 third-party scripts, and 6 and 5 fourth-party scripts, respectively. And on sensitive pages, analysis found an average of 19 scripts in financial services and 14 scripts in healthcare.
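The classification the report performs (first-, third- and fourth-party scripts per page, with a tally of external code that shows signs of reading or listening to forms) can be reproduced in a small inventory script. The following is an added JavaScript example, not part of the press release or of Source Defense's own tooling. The script records (URL, the URL of the script that requested it, optional source text), the constructed sample pages and the two-label domain approximation are my assumptions; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the Source Defense report or its tooling):
// classify the scripts a page loads into first-, third- and fourth-party
// code, flag external scripts whose source shows form-access capabilities,
// and tally everything per page and per site, mirroring the categories the
// report counts.
//
// Assumptions (mine, not the report's): a script record carries its URL,
// the URL of the script that requested it (null when the page document did)
// and optionally its source text; "same party" is approximated as the same
// last two DNS labels, which is wrong for suffixes such as co.uk and should
// be replaced by a public-suffix lookup in real use.

function registrableDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function classifyScript(pageUrl, script) {
  const site = registrableDomain(pageUrl);
  if (registrableDomain(script.src) === site) return 'first-party';
  // External code that the page or the site's own code pulled in directly is
  // third-party; external code pulled in by another external script is
  // fourth-party, which the site operator never chose and rarely reviews.
  if (script.initiator === null || registrableDomain(script.initiator) === site) {
    return 'third-party';
  }
  return 'fourth-party';
}

// Crude static indicators of the capabilities the report warns about.
// Minification and obfuscation defeat this; treat a hit as a review prompt.
const CAPABILITY_PATTERNS = [
  ['listens-for-clicks', /addEventListener\s*\(\s*['"]click['"]/],
  ['reads-form-input', /new FormData\s*\(|\.elements\b|\.value\b/],
  ['modifies-form', /\.action\s*=|\.submit\s*\(/],
];

function capabilities(sourceText) {
  if (!sourceText) return [];
  return CAPABILITY_PATTERNS.filter(([, re]) => re.test(sourceText)).map(([name]) => name);
}

function summarizePage(page) {
  const counts = { 'first-party': 0, 'third-party': 0, 'fourth-party': 0 };
  const risky = [];
  for (const script of page.scripts) {
    const kind = classifyScript(page.url, script);
    counts[kind] += 1;
    if (kind !== 'first-party') {
      const caps = capabilities(script.source);
      if (caps.length) risky.push({ src: script.src, kind, caps });
    }
  }
  return {
    url: page.url,
    sensitive: page.sensitive,
    external: counts['third-party'] + counts['fourth-party'],
    ...counts,
    risky,
  };
}

function summarizeSite(pages) {
  const summaries = pages.map(summarizePage);
  const avg = (rows) => (rows.length ? rows.reduce((s, r) => s + r.external, 0) / rows.length : 0);
  return {
    pages: summaries,
    avgExternalPerPage: avg(summaries),
    avgExternalOnSensitivePages: avg(summaries.filter((s) => s.sensitive)),
    pagesWithFormAccess: summaries.filter((s) => s.risky.length > 0).length,
  };
}

// Constructed sample: a home page and a checkout page on a fictitious shop.
const SAMPLE_PAGES = [
  {
    url: 'https://shop.example/',
    sensitive: false,
    scripts: [
      { src: 'https://shop.example/app.js', initiator: null, source: '' },
      { src: 'https://tags.example.net/tm.js', initiator: null, source: '' },
      { src: 'https://ads.example.org/px.js', initiator: 'https://tags.example.net/tm.js', source: '' },
    ],
  },
  {
    url: 'https://shop.example/checkout',
    sensitive: true,
    scripts: [
      { src: 'https://shop.example/app.js', initiator: null, source: '' },
      { src: 'https://tags.example.net/tm.js', initiator: null, source: '' },
      { src: 'https://analytics.example.com/a.js', initiator: 'https://shop.example/app.js',
        source: "document.addEventListener('click', e => send(e.target.value))" },
      { src: 'https://ads.example.org/px.js', initiator: 'https://tags.example.net/tm.js', source: '' },
    ],
  },
];

console.log(JSON.stringify(summarizeSite(SAMPLE_PAGES), null, 2));
```

On the sample, the checkout page carries three external scripts (two third-party, one fourth-party), and the analytics script is flagged for both listening to clicks and reading input values, which is exactly the combination the report's "retrieve form input and listen to user button clicks" finding describes. Feeding the function real data requires the initiator of each script request, which browser DevTools and the Resource Timing / PerformanceResourceTiming API expose; the regex heuristic is deliberately simple and is only a prompt for manual review.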

For more information, please download the Source Defense report.

Published Wednesday, May 25, 2022 10:18 AM by David Marshall