PerimeterX released “Shadow Code: The Hidden Risk to Your Website,” the third annual survey conducted with Osterman Research on the use of Shadow Code in web applications.

Third-party scripts and open source libraries are typically used for ad tracking, payments, customer reviews, chatbots, tag management, social media integration or other helper libraries that simplify common functions. However, the unmanaged use of Shadow Code — scripts and libraries often added without approvals or ongoing security validation — introduces hidden risks into an organization, making it challenging to avoid the risk of a data breach, ensure data privacy and comply with various privacy regulations.

Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, N.J.-based automated threat modeling provider, says, “Vulnerable shadow code can be devastating in consequence, introducing vulnerabilities including remote-code execution in which an attacker may inject specially crafted requests to applications that are executed as code. This has the potential to reveal sensitive information residing in databases. Shadow code in the form of vulnerable open-source libraries and third-party code has the potential to open applications to attacks that could potentially reveal personally identifiable information of users. This goes far beyond names and addresses, of course, when we consider health apps. If this sort of private information is exposed, there is an onus on the organization to inform the relevant regulatory body which may have severe financial implications as well as reputational.”

Key findings include:

  • Nearly all websites contain third-party code. More than 99% of respondents reported that their website uses software supply chain vendors or partners for third-party code, who may themselves obtain code from their partners. Almost 80% said that these scripts account for 50-70% of the capability in a typical website.
  • Visibility into code changes is lacking. Website owners lack the visibility into third-party code to know for certain that their site is safe from cyberattacks. Nearly 50% of respondents could not definitively say their website had not been subject to a cyberattack.
  • There is a disconnect between belief and security practices. While respondents say they understand Shadow Code risks, only 25% perform a security review for every script modification, and only 33% can automatically detect potential problems.

Kevin Dunne, President at Pathlock, a Flemington, N.J.-based provider of unified access orchestration, says,  Shadow Code poses a few major risks to organizations:


  1. Risk that a third party can view data on the organization’s site
  2. Risk that a third party can access the organization’s site or network directly
  3. Risk that the Shadow Code may become unsupported and impact the functionality on the organization’s site

If the Shadow Code allows a third party to view data on an organization’s site unknowingly, it likely put the organization at risk of maintaining GDPR or CCPA compliance because an unknown data processor is viewing data without public disclosure. This can result in millions of dollars of potential fines for an organization required to maintain this type of data privacy compliance.

The report includes statistics on websites that use third-party codes and scripts, frequency of code updates, vulnerability and visibility levels, and the use of technology solutions to manage third-party script and open source vulnerabilities. Not surprisingly, more than half of respondents named brand damage, loss of corporate reputation, loss of future revenue and potential lawsuits as “huge” or “major” problems resulting from an attack.

Taylor Gulley, Senior Application Security Consultant at nVisium, a Falls Church, Va.-based application security provider, explains, “There are countless risks that Shadow Code poses to organizations, one being the potential for a full compromise of the application and the data within that application. In addition to technical risks, the reputational risks could be catastrophic if a vulnerability is introduced to your application due to an unvetted, third-party library. Regarding privacy, would you let just anyone walk into your workplace? By not properly auditing the code added to your application, you’re relying on the maintainers of that code to perform security checks on your behalf. This lack of control greatly increases your attack.”

The survey was conducted during May and June 2021 with a total of 501 organizations in the United States across various industries, including retail and e-commerce, financial services, travel and hospitality, media and entertainment, gaming and delivery services. All of the survey respondents were security professionals or developers who are familiar with the way that their organizations use of third-party scripts.

For more information, read the full report here.