Third-Party Code: The Hidden Risks In Your Website
February 10, 2020

Kim DeCarlis
PerimeterX

Share this

Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.

However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.

The Threats

So what are the greatest security threats stemming from third-party code?

Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website is comprised of third-party code, it is difficult to know its origin. As a result, the security procedures taken in the code's development are next to impossible to trace.

The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.

Decision-Makers' Concerns

As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.

The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.

GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.

Making Business Sense

Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to remediate against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.

Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.

In the event of a major data breach 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.

Understanding Your Scripts

It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.

The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spells significant risk for a broad variety of companies. This risk is augmented by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and the availability of sophisticated tools available to identify related vulnerabilities and stop attacks.

Kim DeCarlis is CMO of PerimeterX
Share this

The Latest

May 21, 2020

As cloud computing continues to grow, tech pros say they are increasingly prioritizing areas like hybrid infrastructure management, application performance management (APM), and security management to optimize delivery for the organizations they serve, according to ...

May 20, 2020

Businesses see digital experience as a growing priority and a key to their success, with execution requiring a more integrated approach across development, IT and business users, according to Digital Experiences: Where the Industry Stands ...

May 19, 2020

Fully 90% of those who use observability tooling say those tools are important to their team's software development success, including 39% who say observability tools are very important ...

May 18, 2020

As our production application systems continuously increase in complexity, the challenges of understanding, debugging, and improving them keep growing by orders of magnitude. The practice of Observability addresses both the social and the technological challenges of wrangling complexity and working toward achieving production excellence. New research shows how observable systems and practices are changing the APM landscape ...

May 14, 2020
Digital technologies have enveloped our lives like never before. Be it on the personal or professional front, we have become dependent on the accurate functioning of digital devices and the software running them. The performance of the software is critical in running the components and levers of the new digital ecosystem. And to ensure our digital ecosystem delivers the required outcomes, a robust performance testing strategy should be instituted ...