In the latest IT Security Guru Tweet chat, we were joined by PerimeterX, a leading voice in the world of application security, and a host of other voices from across the Infosec spectrum: Analysts, technical experts, members of the C-suite and professional bodies came together to discuss the emergence of shadow code, a new term to describe the use of third-party scripts in applications, without authorisation or safety validation. Our assembled influencers came ready to discuss this hidden world, and below is a snippet of the insights they provided. To take a look at the full results of the Tweet Chat, simply head to the IT Security Guru Twitter, or look under the hashtag #ShadowCode.
What is shadow code?
Q1: Have any of you heard the term #ShadowCode before? If yes, what do you understand it to mean?
— IT Security Guru (@IT_SecGuru) September 16, 2020
Our influencers seemed broadly aware of the term of shadow code and displayed an understanding of the term. The next challenge for those hoping to defend against the issues brought about by shadow code will be to encourage the term to go mainstream within technology circles, in the same way that ‘Shadow IT’ has become a term omnipresent in technology, developer and security circles.
Why should we care?
Q2: From a business and marketing perspective, why should companies be aware of the code that they host on their digital ecosystem? #ShadowCode
— IT Security Guru (@IT_SecGuru) September 16, 2020
Here, our influencers make the case for an understanding of shadow code across the business. Making the point that data breaches or compliance issues can lead to diminishing brand reputation, PerimeterX CMO Kim DeCarlis flew the flag for marketing professionals gaining an awareness of shadow code, and working with security and IT teams to ensure that code is reviewed and tools are implemented in order to protect the brand.
Jamie O’Meara, who heads up global partner solutions at Snyk also made the point that a businesses website is the access portal by which customers are found, dealt with and hopefully, retained – as good a reason as any to understand and be aware of the potential issues caused by shadow code.
The security implications
Q3: What are the consequences of not being aware of this from a security perspective? #ShadowCode
— IT Security Guru (@IT_SecGuru) September 16, 2020
Here we see a discussion of a much-forgotten element of the shadow code discussion: It does have some positives. Kim DeCarlis suggests that the agility that using Shadow Code can provide can be potentially helpful.
However, from an infosec perspective, we still see the negatives outweigh the positives. Quentyn Taylor, who heads up information security for Canon in Europe, makes the connection between shadow code and supply chain security, suggesting it is perceived as this it might escape the more rigorous auditing other areas of the business might be subjected to. Ameet Naik of PerimeterX summed the concerns up succinctly too, stating that “You cannot secure what you cannot see.”
Shadow Code and job function
Q4: How is #ShadowCode impacting different job functions such as #CISOs, #infosec teams and #DevOps teams?
— IT Security Guru (@IT_SecGuru) September 16, 2020
The influencers here wax lyrical on the subject of how different job functions are affected by shadow code. As the resident CISO in the room, Quentyn Taylor suggested that the impact is more stringently felt on the DevOps side, and that Shadow code presents both an opportunity and a risk or CISOs.
The RH-ISAC made the case for shadow code not always being as a result of malicious activity, stating something that a developer is simply on a deadline, and needs to finish the job fast, which in itself speaks to the skills gap in security and IT teams, and the far-reaching consequences.
Shadow code in the real world
Q5: Can you provide any examples of when #ShadowCode has had a negative effect on a company in the past?
— IT Security Guru (@IT_SecGuru) September 16, 2020
Bridging the gap between the infosec world and the real world, here we see our influencers discussing how this has impacted people in the real world! The infamous Magecart cybercrime syndicate was listed as a main example, with attacks aimed at Best Buy and Delta also referenced.
Who needs to be the most concerned?
Q6: What are the implications for specific industries such as #ecommerce, travel and #elearning? #ShadowCode
— IT Security Guru (@IT_SecGuru) September 16, 2020
Question 6 asked who has the most at risk from shadow code. With more mature security postures found in financial and healthcare organisations, e-learning is identified as one area which has a less mature security posture, but a staggering amount of PII in their digital ecosystems.
It’s worth hammering home the point however, as Kim DeCarlis did, that any business using shadow code to speed up their time to market is at risk.
Moving forward: How to mitigate
Q7: What is the best way for security teams to mitigate the effects of #ShadowCode?
— IT Security Guru (@IT_SecGuru) September 16, 2020
Here, the advice was as you might expect: Review, understand and monitor. RH-ISAC, PerimeterX’s Ameet Naik, and security analyst and author Richard Steinnon all recommended surveying and monitoring, as well as having increased visibility as ways to mitigate the risks associated with shadow code.
Are CSPs enough?
Q8: Some say content security policies (CSPs) are sufficient to address #ShadowCode. Is this accurate?
— IT Security Guru (@IT_SecGuru) September 16, 2020
In the most technical aspect of the chat, Quentyn, Richard and Ameet discussed content security policies, and whether they are enough to protect from shadow code, concluding fairly comprehensively that while a CSP is useful from an authorship and source perspective, it cannot tell what the code actually does: It is not a “set and forget” solution.
Shadow code and legislation
Q9: #ShadowCode has been responsible for many recent #Magecart attacks that incur GDPR and CCPA penalties. How much progress have we made towards achieving compliance with data privacy regulations?
— IT Security Guru (@IT_SecGuru) September 16, 2020
Discussing whether the recent legislative trend towards protecting consumer data, as encapsulated by the CCPA and GDPR legislations passed will have any effect on shadow code, our influencers agreed that the legislation is far too new for us to have a true impact. They also highlighted how some of the world’s biggest brands – Marriott Hotels, British Airways – thought they were compliant, but were sorely mistaken.
What will the future hold?
Q10: Where do you see the issue of #ShadowCode in 5-10 years?
— IT Security Guru (@IT_SecGuru) September 16, 2020
We saved the big question for last: What now? All of our influencers agreed that shadow code is not going anywhere, with carrying degrees of optimism: While Quentyn Taylor suggested that “This will be a issue that will get far worse before it gets better” due to the products that can’t be update, Richard Stiennon was more positive in his outlook, stating that signing code would be a great start.
Jamie O’Meara argued the natural proclivity for change and development in Application development will mean we are likely to see far more shadow code over the next decade, and Kim DeCarlis agreed that the desire for speed and agility in web development means that shadow code is absolutely not going anywhere soon!
To find out more about shadow code, and how your business can defend against it, please visit the resources on the PerimeterX website.
