‘Ghost Code’ Creates Risk for 99% of Websites


Ghost code, the third-party scripts and libraries that are often added to web applications without security validation, poses a risk to websites and jeopardizes compliance with privacy regulations, according to a new study released Tuesday.

Third-party code makes organizations vulnerable to digital skimming and Magecart attacks.

The study, conducted by Osterman Research for PerimeterX, found that over 50% of the security professionals and developers surveyed believe that using third-party code in their applications is risky.

The researchers also noted growing concern among respondents about cyber attacks on websites. Last year, 45% of those polled were seriously concerned that their websites could be targeted by hackers. This year, that number has jumped to 61%.

Concern about supply chain attacks has also increased, from 28% in 2020 to 50% in 2021. Anxiety about Magecart attacks has also increased significantly, by 47% compared to last year. Magecart, or electronic skimming, is a form of fraud in which transaction data is intercepted while a customer pays at an online store.

Balance between risk and effectiveness

Developers use third-party code for a variety of reasons.

“It’s good to go,” said Brian Uffelman, vice president of product marketing at PerimeterX, a web security service provider in San Mateo, California.

“If it’s there and it’s open source, there’s a false assumption it’s safe,” he told TechNewsWorld.

“They think the open source code they use, or the libraries they use, is safe,” he continued. “What we found is not.”

“Often they try to balance efficacy and risk,” he added.

Jonathan Tanner, senior security researcher at Barracuda Networks, a security and storage solutions provider based in Campbell, Calif., explained that libraries play an important role in application development because they provide functionality that would be time-consuming, and often bug-prone, to develop internally.

“When it comes to development, there is a general saying that we are not reinventing the wheel, which not only saves development time, but also increases the complexity of the application,” he told TechNewsWorld.

Peeling problem

Tanner added that even though vulnerabilities have been discovered in the most popular libraries, in some cases third-party libraries can still be more secure than code written by an internal development team.

“If even the most reputable library, which can be managed by hundreds of experts on the details of a library’s functionality, may be vulnerable, chances are you are not a functionality expert. Trying to create and maintain the same functionality internally in a small team of people would be potentially catastrophic,” he observed.

“As a result, it is certainly very useful to use existing libraries, not only from a time-saving point of view, but also from a security point of view,” he said.

Development teams want to get their products out the door as soon as possible, noted Forrester Research’s Calieri.

“There are many third-party and open source components that allow us to add core functionality and focus on more sophisticated differentiating aspects of our products,” she told TechNewsWorld.

“The challenge is, if you don’t know what the third-party component is called, you can end up in a pile of issues,” she said.

“If modern businesses want to deliver functionality quickly and inexpensively, it will inevitably come at the expense of not being able to do some things, or a lot of things, the right way,” added Caitlin Johanson, director of the Application Security Center of Excellence at Coalfire, a cybersecurity consulting service provider in Westminster, Colorado.

“It’s easy to think that the speed at which new apps and features are delivered in a technology-dependent world can be achieved without omissions,” she told TechNewsWorld.

Dangerous business

Shadow code can present a myriad of risks to an organization, according to nVisium, an application security provider based in Falls Church, Virginia.

“One is that the app and the data it contains can be completely compromised,” he told TechNewsWorld.

“In addition to technical risks, reputational risks can be catastrophic if an application introduces a vulnerability as a result of an unexamined third-party library,” he continued.

If you don’t have visibility into the open source code used by your organization, you also run licensing risks.

“Open source components may have limited licenses,” Forrester’s Calieri explained.

“Suddenly I’ve added a component to my code that requires opening the source code for the whole application,” she continued. “All proprietary code must be open source, which puts the organization at risk.”

Widely used

Osterman researchers also found that the use of third-party code is widespread on the Internet. Almost all of the survey respondents (99%) said their website uses at least one third-party script.

Even more striking is the finding that 80% of respondents say third-party scripts make up 50-70% of their websites.

“There isn’t a lot of formal research on the propagation of ghost code, but because JavaScript is widely used on most websites and there are so many JavaScript libraries available, it’s very possible that ghost code is widespread,” said Kevin Dunne of Pathlock, an integrated access orchestration provider in Flemington, N.J.

“There are over a million known open source JavaScript projects on GitHub, which presents an insurmountable challenge for security teams to manually review and evaluate,” he told TechNewsWorld.

He added that if shadow code allows a third party to view data on an organization’s site without the organization’s knowledge, the organization probably risks losing its GDPR or CCPA compliance, because an unknown data processor is handling private data.

“It could impose millions of dollars on the organizations needed to maintain this kind of data privacy compliance,” he explained.

Ghost code is arguably a growing problem, and one that many are unaware of, added Christian Simco, director of product marketing at GrammaTech, an application security testing solutions provider headquartered in Bethesda, Maryland.

“Custom code is decreasing and the use of third-party code is increasing,” he told TechNewsWorld. “If you don’t manage your code base properly, you can inadvertently inject vulnerabilities into your software.”
