Third-Party Code: The Hidden Risks In Your Website

Kim DeCarlis
PerimeterX

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX

Related Links

Hot Topics

The Latest

Closing the Gap in Modern Tech and the Tools Meant to Monitor Them

Like most digital transformation shifts, organizations often prioritize productivity and leave security and observability to keep pace. This usually translates to both the mass implementation of new technology and fragmented monitoring and observability (M&O) tooling. In the era of AI and varied cloud architecture, a disparate observability function can be dangerous. IT teams will lack a complete picture of their IT environment, making it harder to diagnose issues while slowing down mean time to resolve (MTTR). In fact, according to recent data from the SolarWinds State of Monitoring & Observability Report, 77% of IT personnel said the lack of visibility across their on-prem and cloud architecture was an issue ...

MEAN TIME TO INSIGHT Podcast - Episode 23: NetOps Labor Shortage

In MEAN TIME TO INSIGHT Episode 23, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses the NetOps labor shortage ... 

Why FinOps Rewrote Its Mission and What It Signals for Technology Management

Technology management is evolving, and in turn, so is the scope of FinOps. The FinOps Foundation recently updated their mission statement from "advancing the people who manage the value of cloud" to "advancing the people who manage the value of technology." This seemingly small change solidifies a larger evolution: FinOps practitioners have organically expanded to be focused on more than just cloud cost optimization. Today, FinOps teams are largely — and quickly — expanding their job descriptions, evolving into a critical function for managing the full value of technology ...

Clearing the Path to AI: Why Vendor Consolidation Matters Now

Enterprises are under pressure to scale AI quickly. Yet despite considerable investment, adoption continues to stall. One of the most overlooked reasons is vendor sprawl ... In reality, no organization deliberately sets out to create sprawling vendor ecosystems. More often, complexity accumulates over time through well-intentioned initiatives, such as enterprise-wide digital transformation efforts, point solutions, or decentralized sourcing strategies ...

Cold Data, Hot Problem: Why AI Is Rewriting Enterprise Storage Strategy

Nearly every conversation about AI eventually circles back to compute. GPUs dominate the headlines while cloud platforms compete for workloads and model benchmarks drive investment decisions. But underneath that noise, a quieter infrastructure challenge is taking shape. The real bottleneck in enterprise AI is not processing power, it is the ability to store, manage and retrieve the relentless volumes of data that AI systems generate, consume and multiply ...

Third-Party Code: The Hidden Risks In Your Website

Kim DeCarlis
PerimeterX

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX

Related Links

Hot Topics

The Latest

Closing the Gap in Modern Tech and the Tools Meant to Monitor Them

Like most digital transformation shifts, organizations often prioritize productivity and leave security and observability to keep pace. This usually translates to both the mass implementation of new technology and fragmented monitoring and observability (M&O) tooling. In the era of AI and varied cloud architecture, a disparate observability function can be dangerous. IT teams will lack a complete picture of their IT environment, making it harder to diagnose issues while slowing down mean time to resolve (MTTR). In fact, according to recent data from the SolarWinds State of Monitoring & Observability Report, 77% of IT personnel said the lack of visibility across their on-prem and cloud architecture was an issue ...

MEAN TIME TO INSIGHT Podcast - Episode 23: NetOps Labor Shortage

In MEAN TIME TO INSIGHT Episode 23, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses the NetOps labor shortage ... 

Why FinOps Rewrote Its Mission and What It Signals for Technology Management

Technology management is evolving, and in turn, so is the scope of FinOps. The FinOps Foundation recently updated their mission statement from "advancing the people who manage the value of cloud" to "advancing the people who manage the value of technology." This seemingly small change solidifies a larger evolution: FinOps practitioners have organically expanded to be focused on more than just cloud cost optimization. Today, FinOps teams are largely — and quickly — expanding their job descriptions, evolving into a critical function for managing the full value of technology ...

Clearing the Path to AI: Why Vendor Consolidation Matters Now

Enterprises are under pressure to scale AI quickly. Yet despite considerable investment, adoption continues to stall. One of the most overlooked reasons is vendor sprawl ... In reality, no organization deliberately sets out to create sprawling vendor ecosystems. More often, complexity accumulates over time through well-intentioned initiatives, such as enterprise-wide digital transformation efforts, point solutions, or decentralized sourcing strategies ...

Cold Data, Hot Problem: Why AI Is Rewriting Enterprise Storage Strategy

Nearly every conversation about AI eventually circles back to compute. GPUs dominate the headlines while cloud platforms compete for workloads and model benchmarks drive investment decisions. But underneath that noise, a quieter infrastructure challenge is taking shape. The real bottleneck in enterprise AI is not processing power, it is the ability to store, manage and retrieve the relentless volumes of data that AI systems generate, consume and multiply ...