Third-Party Code: The Hidden Risks In Your Website
February 10, 2020

Kim DeCarlis
PerimeterX

Share this

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX
Share this

The Latest

November 07, 2024

On average, only 48% of digital initiatives enterprise-wide meet or exceed their business outcome targets according to Gartner's annual global survey of CIOs and technology executives ...

November 06, 2024

Artificial intelligence (AI) is rapidly reshaping industries around the world. From optimizing business processes to unlocking new levels of innovation, AI is a critical driver of success for modern enterprises. As a result, business leaders — from DevOps engineers to CTOs — are under pressure to incorporate AI into their workflows to stay competitive. But the question isn't whether AI should be adopted — it's how ...

November 05, 2024

The mobile app industry continues to grow in size, complexity, and competition. Also not slowing down? Consumer expectations are rising exponentially along with the use of mobile apps. To meet these expectations, mobile teams need to take a comprehensive, holistic approach to their app experience ...

November 04, 2024

Users have become digital hoarders, saving everything they handle, including outdated reports, duplicate files and irrelevant documents that make it difficult to find critical information, slowing down systems and productivity. In digital terms, they have simply shoved the mess off their desks and into the virtual storage bins ...

November 01, 2024

Today we could be witnessing the dawn of a new age in software development, transformed by Artificial Intelligence (AI). But is AI a gateway or a precipice? Is AI in software development transformative, just the latest helpful tool, or a bunch of hype? To help with this assessment, DEVOPSdigest invited experts across the industry to comment on how AI can support the SDLC. In this epic multi-part series to be posted over the next several weeks, DEVOPSdigest will explore the advantages and disadvantages; the current state of maturity and adoption; and how AI will impact the processes, the developers, and the future of software development ...