IT Security Guru
Tweet Chat: Exploring the hidden world of Shadow Code

PerimeterX and the IT Security Guru's exploration of shadow code shows we have a long way to go in understanding this murky world

by Guru's
September 21, 2020
in Features, Insight, This Week's Gurus, TweetChat

In the latest IT Security Guru Tweet chat, we were joined by PerimeterX, a leading voice in the world of application security, and a host of other voices from across the infosec spectrum: analysts, technical experts, members of the C-suite and professional bodies came together to discuss the emergence of shadow code, a new term for the use of third-party scripts in applications without authorisation or safety validation. Our assembled influencers came ready to discuss this hidden world, and below is a snippet of the insights they provided. To take a look at the full results of the Tweet Chat, simply head to the IT Security Guru Twitter, or look under the hashtag #ShadowCode.

What is shadow code?

Q1: Have any of you heard the term #ShadowCode before? If yes, what do you understand it to mean?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Our influencers seemed broadly aware of the term shadow code and displayed an understanding of it. The next challenge for those hoping to defend against the issues brought about by shadow code will be to encourage the term to go mainstream within technology circles, in the same way that ‘Shadow IT’ has become omnipresent in technology, developer and security circles.

Why should we care?

Q2: From a business and marketing perspective, why should companies be aware of the code that they host on their digital ecosystem? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, our influencers made the case for an understanding of shadow code across the business. Making the point that data breaches or compliance issues can diminish brand reputation, PerimeterX CMO Kim DeCarlis flew the flag for marketing professionals gaining an awareness of shadow code and working with security and IT teams to ensure that code is reviewed and tools are implemented in order to protect the brand.

Jamie O’Meara, who heads up global partner solutions at Snyk, also made the point that a business's website is the access portal by which customers are found, dealt with and, hopefully, retained – as good a reason as any to understand and be aware of the potential issues caused by shadow code.

The security implications

Q3: What are the consequences of not being aware of this from a security perspective? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here we see a much-forgotten element of the shadow code debate: it does have some positives. Kim DeCarlis suggests that the agility that using shadow code can provide can be potentially helpful.

However, from an infosec perspective, we still see the negatives outweigh the positives. Quentyn Taylor, who heads up information security for Canon in Europe, made the connection between shadow code and supply chain security, suggesting that because it is perceived as such, it might escape the more rigorous auditing other areas of the business are subjected to. Ameet Naik of PerimeterX summed the concerns up succinctly too, stating that “You cannot secure what you cannot see.”

Shadow Code and job function

Q4: How is #ShadowCode impacting different job functions such as #CISOs, #infosec teams and #DevOps teams?

— IT Security Guru (@IT_SecGuru) September 16, 2020

The influencers here waxed lyrical on the subject of how different job functions are affected by shadow code. As the resident CISO in the room, Quentyn Taylor suggested that the impact is more stringently felt on the DevOps side, and that shadow code presents both an opportunity and a risk for CISOs.

The RH-ISAC made the case that shadow code is not always the result of malicious activity, stating that sometimes a developer is simply on a deadline and needs to finish the job fast, which in itself speaks to the skills gap in security and IT teams and its far-reaching consequences.

Shadow code in the real world

Q5: Can you provide any examples of when #ShadowCode has had a negative effect on a company in the past?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Bridging the gap between the infosec world and the real world, here we see our influencers discussing how shadow code has impacted real companies. The infamous Magecart cybercrime syndicate was listed as the main example, with attacks aimed at Best Buy and Delta also referenced.

Who needs to be the most concerned?

Q6: What are the implications for specific industries such as #ecommerce, travel and #elearning? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Question 6 asked who is most at risk from shadow code. With more mature security postures found in financial and healthcare organisations, e-learning was identified as one area which has a less mature security posture but a staggering amount of PII in its digital ecosystems.

It’s worth hammering home the point however, as Kim DeCarlis did, that any business using shadow code to speed up their time to market is at risk. 

Moving forward: How to mitigate 

Q7: What is the best way for security teams to mitigate the effects of #ShadowCode?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, the advice was as you might expect: review, understand and monitor. RH-ISAC, PerimeterX’s Ameet Naik, and security analyst and author Richard Stiennon all recommended surveying and monitoring, as well as increased visibility, as ways to mitigate the risks associated with shadow code.

Are CSPs enough?

Q8: Some say content security policies (CSPs) are sufficient to address #ShadowCode. Is this accurate?

— IT Security Guru (@IT_SecGuru) September 16, 2020

In the most technical aspect of the chat, Quentyn, Richard and Ameet discussed content security policies and whether they are enough to protect against shadow code, concluding fairly comprehensively that while a CSP is useful from an authorship and source perspective, it cannot tell what the code actually does: it is not a “set and forget” solution.
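The two points above (survey and monitor what scripts a site actually loads, and the limit of a CSP, which judges scripts by origin rather than by what they do) can be shown with a small audit script. This is an added example, not code from the article, PerimeterX or any participant; the hostnames, page, CSP header and reviewed-script inventory are all constructed, and the CSP matcher is a simplified model (no wildcards, nonces or hashes).

```python
import re
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): two reviewed third-party tags,
# one extra script pulled from an already-allowlisted CDN, and one inline block.
SAMPLE_HTML = """
<script src="https://cdn.tagvendor.example/tag.js"></script>
<script src="https://cdn.tagvendor.example/helper.js"></script>
<script src="https://analytics.example/a.js"></script>
<script>document.title = 'x';</script>
"""
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' https://cdn.tagvendor.example https://analytics.example")
PAGE_ORIGIN = "https://shop.example"
# Scripts the security team has actually reviewed (the inventory).
REVIEWED = {"https://cdn.tagvendor.example/tag.js", "https://analytics.example/a.js"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def script_srcs(html):
    """Return the src of every <script> tag, or None for inline scripts."""
    out = []
    for attrs in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        out.append(m.group(1) if m else None)
    return out

def csp_script_sources(csp):
    """Extract the script-src source list from a CSP header string."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def csp_allows(src, sources, page_origin):
    """Simplified CSP check: inline needs 'unsafe-inline'; external scripts
    need an origin match ('self' or a listed host). Content is never inspected."""
    if src is None:
        return "'unsafe-inline'" in sources
    u = urlparse(src)
    origin = f"{u.scheme}://{u.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources

def audit(html, csp, page_origin, reviewed):
    """Pair the CSP verdict with the inventory verdict for every script found."""
    sources = csp_script_sources(csp)
    return [(src, csp_allows(src, sources, page_origin), src in reviewed)
            for src in script_srcs(html)]
```

Running `audit` on the sample shows helper.js passing the CSP because its CDN origin is allowlisted, while the inventory check flags it as unreviewed; that gap is the shadow code the monitoring advice is aimed at.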

Shadow code and legislation

Q9: #ShadowCode has been responsible for many recent #Magecart attacks that incur GDPR and CCPA penalties. How much progress have we made towards achieving compliance with data privacy regulations?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Discussing whether the recent legislative trend towards protecting consumer data, as encapsulated by the CCPA and GDPR, will have any effect on shadow code, our influencers agreed that the legislation is far too new for its true impact to be seen. They also highlighted how some of the world’s biggest brands – Marriott Hotels, British Airways – thought they were compliant, but were sorely mistaken.

What will the future hold?

Q10: Where do you see the issue of #ShadowCode in 5-10 years?

— IT Security Guru (@IT_SecGuru) September 16, 2020

We saved the big question for last: what now? All of our influencers agreed that shadow code is not going anywhere, with varying degrees of optimism: while Quentyn Taylor suggested that “This will be an issue that will get far worse before it gets better” due to the products that can’t be updated, Richard Stiennon was more positive in his outlook, stating that signing code would be a great start.

Jamie O’Meara argued that the natural proclivity for change and development in application development will mean we are likely to see far more shadow code over the next decade, and Kim DeCarlis agreed that the desire for speed and agility in web development means that shadow code is absolutely not going anywhere soon!

To find out more about shadow code, and how your business can defend against it, please visit the resources on the PerimeterX website.
