Skip to main content

Third-Party Code: The Hidden Risks In Your Website

Kim DeCarlis
PerimeterX

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX

The Latest

According to Auvik's 2025 IT Trends Report, 60% of IT professionals feel at least moderately burned out on the job, with 43% stating that their workload is contributing to work stress. At the same time, many IT professionals are naming AI and machine learning as key areas they'd most like to upskill ...

Businesses that face downtime or outages risk financial and reputational damage, as well as reducing partner, shareholder, and customer trust. One of the major challenges that enterprises face is implementing a robust business continuity plan. What's the solution? The answer may lie in disaster recovery tactics such as truly immutable storage and regular disaster recovery testing ...

IT spending is expected to jump nearly 10% in 2025, and organizations are now facing pressure to manage costs without slowing down critical functions like observability. To meet the challenge, leaders are turning to smarter, more cost effective business strategies. Enter stage right: OpenTelemetry, the missing piece of the puzzle that is no longer just an option but rather a strategic advantage ...

Amidst the threat of cyberhacks and data breaches, companies install several security measures to keep their business safely afloat. These measures aim to protect businesses, employees, and crucial data. Yet, employees perceive them as burdensome. Frustrated with complex logins, slow access, and constant security checks, workers decide to completely bypass all security set-ups ...

Image
Cloudbrink's Personal SASE services provide last-mile acceleration and reduction in latency

In MEAN TIME TO INSIGHT Episode 13, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses hybrid multi-cloud networking strategy ... 

Third-Party Code: The Hidden Risks In Your Website

Kim DeCarlis
PerimeterX

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX

The Latest

According to Auvik's 2025 IT Trends Report, 60% of IT professionals feel at least moderately burned out on the job, with 43% stating that their workload is contributing to work stress. At the same time, many IT professionals are naming AI and machine learning as key areas they'd most like to upskill ...

Businesses that face downtime or outages risk financial and reputational damage, as well as reducing partner, shareholder, and customer trust. One of the major challenges that enterprises face is implementing a robust business continuity plan. What's the solution? The answer may lie in disaster recovery tactics such as truly immutable storage and regular disaster recovery testing ...

IT spending is expected to jump nearly 10% in 2025, and organizations are now facing pressure to manage costs without slowing down critical functions like observability. To meet the challenge, leaders are turning to smarter, more cost effective business strategies. Enter stage right: OpenTelemetry, the missing piece of the puzzle that is no longer just an option but rather a strategic advantage ...

Amidst the threat of cyberhacks and data breaches, companies install several security measures to keep their business safely afloat. These measures aim to protect businesses, employees, and crucial data. Yet, employees perceive them as burdensome. Frustrated with complex logins, slow access, and constant security checks, workers decide to completely bypass all security set-ups ...

Image
Cloudbrink's Personal SASE services provide last-mile acceleration and reduction in latency

In MEAN TIME TO INSIGHT Episode 13, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses hybrid multi-cloud networking strategy ...