A few days after the busiest Black Friday ever, a credit card fraud team contacts you after cardholders complain about unauthorized purchases. You ask your website team what’s going on. It turns out that during the summer push to finalize web application changes for the big season, one of your developers added code at the last minute to enhance animation effects. Your developer team picked a seemingly reputable open source JavaScript library with many GitHub stars and recent commits.
What GitHub couldn’t tell them is that the owner of the repository gave code commit access to a new contributor – who happened to be from a criminal card skimming gang. This malicious hacker had inserted obfuscated code that would skim credit card data on any site running the library. By the time your website security team found the attack, hundreds of thousands of customers’ card data had been skimmed.
Criminals had used the card and login details captured by the skimmer to sneak big transactions in during the Black Friday rush, knowing you would loosen fraud controls to accommodate the crush of post-COVID shopping. Sadness ensues. Your company will pay millions to remediate this problem, and spend months gaining back customer trust. It’s a Black Friday nightmare, courtesy of Shadow Code.
What is Shadow Code and Why Does it Matter?
This story is hypothetical but all too real. Shadow Code is a growing risk for ecommerce companies as they strive to move faster and innovate more quickly. There are three types of Shadow Code:
- Any internal code that the information security team didn’t approve before it goes into production
- Any third-party service or open source library not reviewed and approved by information security team
- Any code pulled in by a third party you do use (a fourth-party script loaded by a vendor’s tag, for example) that you may not even know is there, and hence have no ability to vet and approve before deployment
Today, all major ecommerce websites are built with a significant percentage of third-party JavaScript – sometimes up to 70%. JavaScript is used to call in third-party services like Google Analytics for web traffic tracking, Stripe for payments or Twilio for voice and text. Another type of JavaScript is open source libraries that add useful functionality and improve performance for common tasks like formatting dates and times, displaying icons, or adding images.
Both of these types of JavaScript hold security risks. Reviewing the proprietary code behind hosted services like Google Analytics or Twilio is impractical: the script is fetched from the vendor’s servers at page load, is typically minified, and can change at any time without notice to you. Reviewing the open source code that powers JavaScript libraries is possible but painful and time-consuming, and has to be repeated for every new version. According to a recent study by Osterman Research, only 8% of respondents reported having complete insight into the Shadow Code running on their website.
Shadow Code Is Now A Necessary Evil
For ecommerce websites, which have much higher code turnover than most applications, even reviewing all first-party code is challenging and increasingly requires automation. Developers facing deadlines may insert their own code fixes without running them through all the normal security checks. The Shadow Code risk is also systemic; often the best open source library to accomplish a task has little to no security oversight.
The rub? There is no easy way to know when a bad actor gains commit access to a code repository and adds malicious code. Nor can you simply trust big names like Twilio, Google Analytics and Braintree. JavaScript from these companies can be tampered with when the place it is served from is not properly secured, as happened recently when a Twilio JavaScript SDK hosted in a misconfigured, publicly writable cloud storage bucket was modified and the altered copy was served to every site that loaded it. Pinning a script with Subresource Integrity makes the browser refuse an altered file, but that only works for scripts whose content is expected to stay fixed. And to make matters worse, according to the Osterman Research study, only 22% of respondents had the ability to shut down suspicious scripts on their website.
Holiday 2020 Season Will Be an Epic Test
Ecommerce site operators are rushing to boost capacity and add new features for what will likely be a far busier peak season for ecommerce than ever before due to COVID. Grinchy cybercriminals are increasing attack volume and targeting the client side to escape traditional server-side security provided by web application firewalls. A WAF inspects traffic between the browser and your servers; a skimmer running in the browser sends card data directly from the shopper’s device to a domain the attacker controls, so that traffic never passes through it.
Elite cyberfraud gangs have expanded attacks to include home goods, cosmetics and fragrances and are now attacking small and mid-sized retailers. More ominous still, so-called Advanced Persistent Threat groups (often sponsored by rogue nations) are mounting their own attacks. For ecommerce companies that are victimized, the cost can easily rise to the millions of dollars and hundreds of hours of staff time.
Keep Shadow Code Grinch Away: Trust but Verify
You cannot block all or even most Shadow Code. This would paralyze development efforts. A more powerful and adaptive approach is to use client-side application security technology that watches what scripts actually do in the shopper’s browser (which form fields they read, which domains they send data to), flags behavior that deviates from the page’s normal profile, and maps it back to the specific script responsible. This method continuously adapts rather than relying on static security validations.
These Artificial Intelligence-driven application security platforms use machine learning to identify patterns of attacks across different ecommerce sites. The broad scope allows developers to continuously spot and stop Shadow Code exploits in real time. For more crucial parts of infrastructure – such as payment modules and authentication – information security should review the providers of services and libraries, as well as monitor them at runtime.
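As a concrete illustration of what runtime monitoring looks like, here is a small client-side network guard. This is an added example written for this article, not PerimeterX’s product code and not a machine-learning classifier: it uses a static allowlist of expected hosts, hooks the browser APIs a skimmer would use to exfiltrate data (fetch, XMLHttpRequest and navigator.sendBeacon), and records which script made each unexpected call by reading the call stack, which is what "mapping behavior back to specific code" means in practice. The host names, the allowlist, the guard’s own file name (network-guard.js) and the sample requests are all assumptions made up for the example.

```javascript
// Added example for this article (not PerimeterX code): a minimal client-side
// network guard. It flags outbound requests to hosts outside an allowlist and
// attributes each violation to the script URL that issued it via the call stack.
// All host names, the allowlist and the guard's own file name are assumptions.

const ALLOWED_HOSTS = new Set([
  "shop.example",              // assumed first-party host
  "www.google-analytics.com",  // analytics vendor named in the article
  "js.stripe.com",             // payments vendor named in the article
  "api.stripe.com",
]);

// Resolve a (possibly relative) URL against the page origin and decide whether
// its destination is expected. Anything unparseable or non-HTTP is a violation.
function classifyDestination(rawUrl, pageOrigin, allowed = ALLOWED_HOSTS) {
  if (typeof rawUrl !== "string") return { allowed: false, host: null, reason: "non-string URL" };
  let url;
  try {
    url = new URL(rawUrl, pageOrigin);
  } catch {
    return { allowed: false, host: null, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { allowed: false, host: url.hostname, reason: "scheme " + url.protocol };
  }
  if (allowed.has(url.hostname)) return { allowed: true, host: url.hostname, reason: "allowlisted" };
  return { allowed: false, host: url.hostname, reason: "host not in allowlist" };
}

// Find the first stack frame that belongs to a script other than this guard, so the
// report names the file that made the call. Chrome and Firefox stack strings both
// carry the script URL in each frame. "network-guard.js" is the assumed name of this file.
function attributeCaller(stack) {
  for (const frame of String(stack || "").split("\n")) {
    const m = frame.trim().match(/(https?:\/\/[^\s):]+)(?::\d+)?(?::\d+)?\)?$/);
    if (m && !m[1].endsWith("/network-guard.js")) return m[1];
  }
  return "unknown";
}

// Hook fetch, XMLHttpRequest.open and navigator.sendBeacon on a window-like object.
// With block=true a violating request is dropped; with block=false it is only reported,
// which is the right mode while the allowlist is still being tuned against real traffic.
function installNetworkGuard(win, { pageOrigin, allowed = ALLOWED_HOSTS, report, block = true }) {
  const violations = [];
  const guard = (api, rawUrl) => {
    const verdict = classifyDestination(rawUrl, pageOrigin, allowed);
    if (verdict.allowed) return true;
    const record = { api, url: String(rawUrl), host: verdict.host, reason: verdict.reason,
                     caller: attributeCaller(new Error().stack), blocked: block };
    violations.push(record);
    if (report) report(record);
    return !block;
  };

  if (typeof win.fetch === "function") {
    const origFetch = win.fetch;
    win.fetch = function (input, init) {
      const url = typeof input === "string" ? input : input && (input.url || input.href);
      if (!guard("fetch", url)) return Promise.reject(new TypeError("blocked by network guard"));
      return origFetch.call(this, input, init);
    };
  }
  if (win.XMLHttpRequest) {
    const origOpen = win.XMLHttpRequest.prototype.open;
    win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      if (!guard("XMLHttpRequest", url)) throw new Error("blocked by network guard");
      return origOpen.call(this, method, url, ...rest);
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === "function") {
    const origBeacon = win.navigator.sendBeacon;
    win.navigator.sendBeacon = function (url, data) {
      if (!guard("sendBeacon", url)) return false;
      return origBeacon.call(this, url, data);
    };
  }
  return { violations };
}

// In a browser, load this first and run:
//   installNetworkGuard(window, { pageOrigin: location.origin, report: console.warn });
```

Load it as the first script on the page, before any third-party tag. A script that runs earlier, or that obtains an untouched fetch from a freshly created iframe’s contentWindow, bypasses these hooks, so treat this as a detection layer alongside a Content Security Policy with a tight connect-src rather than a substitute for it. Starting with block set to false turns it into a pure monitor, which is the safer mode until the allowlist has been tuned against real traffic.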
Recent attacks on payment services have shown that even the most reputable, PCI-compliant services can be compromised. For open source libraries, ecommerce sites should use a software composition analysis service like Snyk to detect and fix known vulnerabilities, and pin the exact versions they ship (a lockfile and a vendored or hash-pinned copy rather than a "latest" CDN link) so that a newly published release does not reach production unreviewed.
Shadow Code effectively solves real problems and accelerates development, which is critical to giving holiday shoppers a stellar experience. That said, the use of Shadow Code has passed a tipping point into the land of the Grinch that could steal ecommerce holiday cheer.
The solution is not to stop all Shadow Code, but to build guardrails that enable your team to develop innovative web applications while detecting and stopping malicious code at runtime. Third parties can and should be trusted, but their behavior must be verified empirically and acted on at the first sign of anomaly, keeping every customer happy during the all-important holiday crush.
Ameet Naik is a security evangelist at PerimeterX