Is Shadow Code a hidden threat to your software ?

January 2024

Web development is marked by constant evolution, driven by the soaring demand for websites and web applications due to digital transformation and increased reliance on online services. Traditionally, crafting custom code for every website component was time-consuming and demanded deep programming knowledge. With the internet’s growing popularity, developers faced pressure to speed up development without sacrificing quality. This need for speed led to the adoption of third-party scripts and open-source libraries, offering cost-effective shortcuts for enhancing website functionality, from interactive maps to e-commerce payment gateways. 

Amid this pursuit of speed and efficiency, a phenomenon known as Shadow Code quietly crept into the world of web development. Shadow Code represents any piece of code that finds its way into an application without undergoing the proper channels of scrutiny and approval by the security team and IT department. 

The term Shadow Code draws parallels with the concept of Shadow IT, which refers to the unauthorized use of IT software, services, and devices within an organization. Just as Shadow IT can introduce unapproved tools and technologies into the workplace, Shadow Code introduces unapproved code into applications. 

In the context of web development, Shadow Code often arises from the desire to expedite development. Developers come across useful code snippets, libraries, or scripts online, sometimes on platforms like GitHub, that can accelerate a specific process or enhance a website’s functionality. In their quest to meet tight deadlines, developers may choose to incorporate these code fragments directly into their applications, bypassing the traditional review and approval process. 

This practice may lead to efficiency gains in the short term, but it is not without its risks. Shadow Code introduces a layer of complexity and uncertainty into the development process. It exposes applications to potential vulnerabilities and security threats, making it challenging for businesses to ensure data security, privacy, and compliance with regulations like PCI DSS (Payment Card Industry Data Security Standard) and the GDPR (General Data Protection Regulation). 

As organizations continue to modernize their operations and strive for rapid innovation, understanding and managing Shadow Code should become one of the top priorities in the context of web development.  

  • What are the causes and implications of Shadow Code in web applications? 

The presence of shadow code in web applications can be attributed to their reliance on open-source libraries and third-party code as a means to expedite innovation and adapt to evolving business demands. It’s worth noting that approximately 70% of scripts found on a typical website originate from third-party sources, creating an avenue for the infiltration of shadow code. 

A prevailing trend in modern web and mobile applications involves shifting a significant portion of application logic to the client side, thereby enhancing performance and improving user experiences. This shift results in a substantial portion of the application’s code executing on users’ browsers and mobile devices through client-side JavaScript code. 

Consequently, a substantial portion of a website’s code is externally sourced and does not execute on the server. Without the implementation of adequate security measures, this exposes vulnerabilities that malicious actors can exploit through script-based attacks, ultimately jeopardizing sensitive user data. 

Examples of Shadow Code in the cyber threat context include techniques such as obfuscated JavaScript, hidden iframes, steganography in images, dynamic loading of external scripts and camouflaged code within third-party plugins. These methods are used by cybercriminals to conceal malicious intent and execute attacks covertly. 

Shadow code can manifest in various script locations, including within an internal repository, in legitimate open-source libraries, in code loaded by vendors without organizational awareness, in code injected by malicious threat actors (as seen in digital skimming incidents), and within third-party plugins developed for content management systems. 

Challenges associated with shadow code encompass vulnerabilities, where even skilled code developers may inadvertently introduce security flaws. There’s the risk of malicious intent, as threat actors may intentionally insert harmful code into repositories, hoping that organizations will unknowingly adopt it. Compatibility issues can arise when legitimate code is incompatible with other applications or systems, introducing vulnerabilities and the potential for attacks on interconnected systems. 

📊 What are the primary risks associated with Shadow Code? 

Unapproved code infiltrating an application introduces vulnerabilities exploited by attackers, leading to various attacks like SQL injection, cross-site scripting (XSS), and code execution attacks. 

Shadow Code may contain hidden functionality, facilitating unauthorized extraction and transmission of sensitive data, including user credentials, financial information, or proprietary business data, resulting in data breaches and reputational damage. 

Scripts within Shadow Code serve as vehicles for attacks on web applications, encompassing automated login attempts, scraping sensitive data, or manipulation of user sessions, posing significant security risks. 

The integration of third-party scripts into web pages plays a pivotal role in the presence of Shadow Code. When a web page calls upon a third-party script, it directly loads into the user’s browser from a remote server, bypassing general security controls such as firewalls and network monitoring tools. If one of these third-party scripts has been compromised by a malicious actor, it can contain embedded Shadow Code. These third-party scripts may include open-source software that has not undergone rigorous testing or may originate from another layer of the organization where malicious code resides. 

These risks associated with third-party scripts and Shadow Code in the digital supply chain can have severe consequences, including data breaches, fraudulent activities, compliance violations, reputational damage, and significant financial penalties.  

  • How is Shadow Code implemented in cyberattacks? 

Shadow code silently exfiltrates sensitive data, including customer information, financial data, and intellectual property, which can be sold on the dark web or used for further attacks. 

Shadow code steals login credentials, such as usernames and passwords, for unauthorized access and misuse, including identity theft and fraud. 

Shadow code acts as a gateway for delivering malware, infecting unsuspecting visitors with ransomware, keyloggers, or other malicious software, leading to data breaches and system compromise. 

Cybercriminals use shadow code to conduct man-in-the-middle attacks, intercepting sensitive communications, such as financial transactions or login sessions, potentially resulting in unauthorized access or data theft. 

Shadow code exploits zero-day vulnerabilities, previously unknown vulnerabilities in software or web applications, to infiltrate systems, disrupt operations, or steal data without the organization’s awareness. 

📊 Let’s examine some consequences of Shadow Code, illustrating the risks discussed earlier with practical examples. 

Magecart attacks have emerged as a direct outcome of Shadow Code hidden within web applications. These attacks involve the injection of malicious JavaScript code into legitimate websites, often via unapproved third-party scripts. Once executed on the client-side, this code collects sensitive personal information from users, such as credit card details, as they enter data into a site. The stealthy nature of JavaScript execution makes it difficult to detect, putting users’ data at risk and tarnishing a business’s reputation. 

Digital skimming attacks, also known as formjacking, rely on Shadow Code to steal payment card information during online transactions. Cybercriminals insert code into an e-commerce website, intercepting payment data entered by customers. This information is then exfiltrated to attackers, leading to fraudulent transactions, financial losses, and legal consequences for the affected businesses. 

Shadow Code can enable unauthorized data access, leading to breaches of sensitive information. In a notable incident, unapproved code within a web application allowed attackers to gain access to a company’s customer database. Personal information, including names, addresses, and contact details, was compromised, resulting in regulatory fines and reputational damage. 

  • Ten Signs of Shadow Code Risk 

In our extensive research, we have meticulously identified common patterns that serve as warning signals for potential Shadow Code risks lurking in your web applications. Here are ten specific indicators that your web applications may be susceptible to Shadow Code-related threats: 

  1. Incomplete Third-Party Inventory 

If you lack a comprehensive inventory of the third-party code running within your applications, you might be oblivious to potential security vulnerabilities introduced by unvetted elements. 

  1. High-Velocity Deployments 

Frequent code deployments demand more frequent security reviews. If your development pace is rapid, annual or semi-annual security assessments may not suffice. 

  1. Misconfigured Website Security Controls 

Inadequately configured Content Security Policies (CSPs) leave your application vulnerable to unauthorized actions, including data exfiltration. Properly configuring CSPs is an essential step in safeguarding against Shadow Code risks. 

  1. Insecure Third-Party JavaScript Libraries 

 Your application’s security is intertwined with the security of your third-party code sources. Ensure your suppliers meet basic security criteria, including responsiveness to security inquiries and a published security policy. 

  1. Lack of Formal Review for Open Source Libraries 

Open-source JavaScript libraries, though widely used, should undergo a formal review and approval process. Blindly integrating them can introduce unforeseen vulnerabilities. 

  1. Absence of Stringent Version Control 

Neglecting version control can result in outdated libraries and known vulnerabilities. Establish rigorous version control practices, incorporating security reviews and QA testing. 

  1. Insufficient Runtime Behavior Analysis 

Relying solely on staging environments for testing may not catch client-side vulnerabilities. Employ modern machine learning-based technologies to monitor and identify anomalous behaviors at runtime. 

  1. Unresponsive Third-Party Suppliers 

Third-party suppliers should have responsive security contacts, as well as a history of issuing regular security updates. 

  1. Inadequate Monitoring of Open Source Projects 

Open-source projects with numerous contributors may introduce inadvertent or malicious Shadow Code. Vigilant monitoring is essential. 

  1. Lack of Secure DevOps Practices 

 Implementing a modern, proactive approach to DevOps and security is paramount in mastering Shadow Code. This ensures enhanced application security without impeding development progress. 

  • Techniques for detecting Shadow Code 

Detecting Shadow Code is essential to mitigate its risks effectively. Several techniques can be employed for identification. 

A proactive and effective technique to detect Shadow Code is to adopt a “Secure by Design” approach. This methodology ingrains security measures throughout the entire software development lifecycle, from the initial design phase to deployment. 

Regular code review and analysis can uncover unauthorized code snippets or libraries within an application. Developers and security teams should scrutinize code changes for unapproved additions. 

Implementing behavioral anomaly detection tools can help identify unexpected behaviors or activities in an application that may indicate the presence of Shadow Code. 

Continuous monitoring of web applications can reveal any unapproved changes or unexpected activities, enabling prompt action. 

Establish a formal process for reviewing, approving, and integrating third-party scripts and code. This process should involve the security team and ensure compliance with security standards. 

Maintain an inventory of all third-party scripts and code used in your applications. This inventory should include details on the source, purpose, and approval status of each script. 

Implement a mechanism to notify the security team whenever a new script is added to the application. This notification ensures that the security team can assess the code’s security implications promptly. 

  • Mitigating Shadow Code risks 

HTTP Content-Security-Policy (CSP) headers play a crucial role in mitigating Shadow Code risks. These headers define which data sources are allowed by a web application, effectively restricting the execution of unapproved scripts. Implementing CSP headers involves specifying appropriate directives in the HTTP response header to define the security policy. 

Code validation and sanitization processes are essential for identifying and neutralizing malicious code within an application. These processes involve inspecting and validating incoming code to ensure it adheres to security standards and removing any potentially harmful elements. 

Strengthening input validation mechanisms is critical in preventing code injection attacks. Input validation should be stringent, checking user inputs for any potentially dangerous characters or scripts and rejecting them if found. 

Regular security testing and vulnerability scanning are vital components of Shadow Code mitigation. Conducting comprehensive security tests, including penetration testing and code reviews, can uncover vulnerabilities introduced by Shadow Code. 

Client-side protection solutions are dedicated tools and services designed to provide visibility into third-party scripts and actively protect against Shadow Code. These solutions offer features such as continuous discovery and monitoring, script approval and blocking, and even AI-powered code review. 

Continuous discovery and monitoring tools help identify new scripts added to applications. They provide alerts when unapproved scripts are detected, enabling timely action to assess and address potential risks. 

Client-side protection solutions enable organizations to approve and block scripts from executing within web applications. This granular control ensures that only trusted scripts are allowed to run, reducing the risk of Shadow Code. 

Advanced client-side protection solutions incorporate AI capabilities that can automatically review code and provide insights into its functionality. This includes the ability to explain what the code does, saving valuable time for security teams. 

  • Compliance and Shadow Code 

Payment Card Industry Data Security Standard (PCI DSS) places significant emphasis on application security. As it relates to Shadow Code, PCI DSS addresses the risks associated with scripts loaded and executed on payment pages. It highlights the potential for malicious script execution and data exfiltration and provides specific requirements on how scripts on payment pages should be managed. 

Compliance with PCI DSS necessitates implementing measures to mitigate risks associated with Shadow Code on payment pages. This includes rigorous script validation, content security policies, and continuous monitoring to ensure the integrity of payment processes. 

Data privacy regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD), impose strict data protection and privacy requirements on digital businesses. Shadow Code introduces challenges in ensuring compliance with these regulations. 

GDPR, CCPA, and LGPD outline specific requirements for safeguarding individuals’ privacy and control over their data in digital environments. Shadow Code can complicate compliance efforts, as unapproved code may lead to data breaches and privacy violations. 

  • The future of Shadow Code 

It is an ongoing battle: Cybersecurity vs. Shadow Code. The battle between cybersecurity and Shadow Code is expected to persist as long as the need for rapid development exists. Organizations must continuously adapt their security measures to counter the risks associated with Shadow Code. 

As Shadow Code evolves, so do the threats it poses. New attack vectors and techniques may emerge, requiring innovative countermeasures. Security teams must stay vigilant and proactive in identifying and mitigating these evolving threats. 

AI and machine learning are poised to play a significant role in addressing Shadow Code risks. These technologies can aid in the automated detection of suspicious code, behavioral analysis, and even code review. Leveraging AI and machine learning can enhance an organization’s ability to identify and respond to Shadow Code effectively. 

  • Guidelines and recommendations for a Shadow Code-resilient environment 

Developers’ best practices 

Conduct thorough code reviews to ensure that all code, including third-party scripts, adheres to secure coding standards. Implement code validation to identify and mitigate potential Shadow Code vulnerabilities. 

Validate all user inputs to prevent injection attacks like SQL injection and cross-site scripting (XSS). Sanitize and validate data before processing it to eliminate potential threats. 

Incorporate secure coding standards and practices into your development process, emphasizing a “Secure by Design” approach. Prioritize input validation to validate and sanitize user inputs effectively. Ensure that all data entering your application is verified for legitimacy and safety. 

Implement robust output encoding techniques to prevent cross-site scripting (XSS) vulnerabilities. Encode all output data to safeguard against malicious script injection. 

Apply the principle of least privilege rigorously. Limit access and permissions to the minimum required for each component or user role within your application. This reduces the attack surface and potential damage in case of infiltration. 

Stay updated on security best practices and avoid using deprecated or insecure functions and libraries. Regularly review your codebase to replace any risky elements with secure alternatives. 

Regularly update and patch third-party libraries and scripts to mitigate known vulnerabilities. Be cautious when integrating third-party code, and prefer well-established and reputable sources. 

Integrate security testing into your development lifecycle. Utilize tools like static analysis, dynamic analysis, and penetration testing to identify and remediate vulnerabilities in your code. 

Security team best practices 

Implement continuous monitoring solutions that can detect anomalies and suspicious activities within your application’s code. Utilize intrusion detection systems and log analysis tools to spot potential Shadow Code intrusions. 

Develop a comprehensive incident response plan specifically tailored to address Shadow Code-related threats. Ensure that your team is well-prepared to respond promptly and effectively to any security incidents. 

Stay informed about emerging threats and vulnerabilities related to Shadow Code. Subscribe to threat intelligence feeds and collaborate with cybersecurity communities to share information and best practices. 

Conduct regular audits of third-party scripts and libraries integrated into your applications. Verify their integrity and security to prevent Shadow Code infiltration. 

Perform penetration testing on your applications to simulate real-world attacks and identify vulnerabilities, including those related to Shadow Code. 

  • Call to action 

It’s time to act and make Shadow Code awareness a fundamental aspect of your development approach. Developers must take responsibility for code security by proactively identifying and mitigating Shadow Code risks. Ensure that security is ingrained in every phase of development, and promote a culture of ongoing learning to stay ahead of emerging threats. Protect your digital assets by taking immediate action against the hidden dangers of Shadow Code. 

To address the looming threat of Shadow Code effectively, consider embracing the “Secure by Design” approach. By integrating security into every aspect of your development process, you can prevent the infiltration of malicious code. For more information and guidance on implementing Secure by Design practices, don’t hesitate to reach out to Les Oies du Cyber, your trusted partner in cybersecurity. 



Tech Target, 6 dangers of shadow IT and how to avoid them

Microsoft, Shining a light on how Microsoft manages Shadow IT

TechStrong, The rise of Shadow AI

ThirdPartyTrust, Building a Shadow IT Policy: What CEOs, CTOs, and CISOs Need to Know

McKinsey Digital, Low-code/no-code: A way to transform shadow IT into a next-gen technology asset

MIT Technology Review, Low-code and no-code: A marked movement for digital platform development

Request a phone appointment