Shadow code: The hidden threat for enterprise IT

<p>Many enterprises have a lurking threat embedded deep in their systems, and the risks to privacy and cybersecurity can be grave: shadow code.</p>
<p>Shadow code is any code — libraries, scripts, APIs, and web browser plugins and extensions — that an organization runs in web browsers without first performing standard security checks. It includes all first-party and third-party code that hasn’t had its security confirmed, as well as any unverified code that it calls. In other words, shadow code is all the code that an organization relies upon for its web applications without being aware of its associated risk and, therefore, is not able to properly manage that risk.</p>
<p>Shadow code is often deployed when developers and other personnel want to save time and meet deadlines. Instead of writing code themselves, they might find existing code to reuse. While the practice can save time, it can be perilous if the security of that code isn’t first assessed. Shadow code can also occur when a <a href="https://www.techtarget.com/searchsecurity/tip/Insider-threat-hunting-best-practices-and-tools">disgruntled employee</a> or other malicious actor intentionally injects malware or other unauthorized functionality into an organization’s software.</p>
<p>CISOs and other security leaders should clearly understand the risks shadow code can pose and how to identify, manage and prevent shadow code use in their enterprises.</p>
<section class="section main-article-chapter" data-menu-title="The risks of shadow code">
<h2 class="section-title"><i class="icon" data-icon="1"></i>The risks of shadow code</h2>
<p>Consider the following cybersecurity and privacy risks inherent when using shadow code:</p>
<ul class="default-list">
<li>The code might contain unmitigated <a href="https://www.techtarget.com/searchsecurity/tip/Top-web-app-security-vulnerabilities-and-how-to-mitigate-them">coding vulnerabilities</a>, misconfigurations, design flaws or other problems that could negatively impact systems.</li>
<li>Embedded malicious code could perform <a href="https://www.techtarget.com/searchsecurity/tip/Common-browser-attacks-and-how-to-prevent-them">client-side attacks</a> via web browsers.</li>
<li>Shadow code often violates cybersecurity and <a href="https://www.techtarget.com/searchcio/news/366623115/Policymakers-look-to-state-laws-for-federal-data-privacy-law">privacy laws</a>, regulations and other organizational policies.</li>
<li>The code could violate <a href="https://www.techtarget.com/searchcio/definition/software-license">software licensing terms</a> or subject an organization to unanticipated terms.</li>
</ul>
</section>
<section class="section main-article-chapter" data-menu-title="How to identify shadow code">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How to identify shadow code</h2>
<p>Because shadow code executes within web browsers, identification should focus largely on the client side, not the server side. Many tools can monitor the code executing in web browsers, including application security monitoring and browser tools. CISOs should mandate the use of these tools and closely monitor their logs and alerts to rapidly identify the use of shadow code.</p>
<p>Organizations should create and maintain an up-to-date inventory of all the code they use, including first-party and third-party code and code services. Comparing this inventory against the code actually detected in browsers improves the accuracy of shadow code detection. Continuously monitor approved code, both in operational environments and in code repositories, to identify any calls to shadow code and to detect changes to code that could indicate new uses of shadow code.</p>
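<p>The inventory comparison described above, as an added example that is not part of the original article or of any product it mentions: a small Python audit that extracts every script source declared in a page, resolves it to an origin and path, and checks it against an approved-code inventory. Unknown origins and unapproved paths are reported as shadow code candidates, approved third-party scripts served without a Subresource Integrity attribute are reported separately, and inline scripts are counted because they cannot be inventoried by URL. The inventory, the sample page and the names <code>APPROVED_INVENTORY</code>, <code>audit_scripts</code> and <code>split_source</code> are constructed for this example. It only sees scripts present in the page markup; scripts injected at runtime by other scripts are exactly the case that needs the browser-side monitoring the article calls for.</p>

```python
"""Audit the script sources of an HTML page against an approved-code inventory.

Added example; the inventory, sample page and function names are constructed
for illustration and are not from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed approved-code inventory: origin -> set of approved script paths.
APPROVED_INVENTORY = {
    "https://www.example.com": {"/js/app.js"},
    "https://static.example.com": {"/js/vendor/analytics.js"},
    "https://cdn.approved-vendor.example": {"/widget/v2/widget.min.js"},
}

# Constructed sample page: one approved first-party script, one approved
# third-party script with SRI, one unapproved path on an approved origin,
# one approved third-party script without SRI, one unknown origin, one inline.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.com/js/vendor/analytics.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://static.example.com/js/legacy/helper.js"></script>
<script src="https://cdn.approved-vendor.example/widget/v2/widget.min.js"></script>
<script src="//tracker.unknown-thirdparty.example/pixel.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI presence) and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []  # list of (src, has_integrity), in document order
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src:
            self.external.append((src, "integrity" in attrs))
        else:
            self.inline_count += 1


def split_source(src, page_origin):
    """Return (origin, path); relative references resolve to the page's own origin."""
    if src.startswith("//"):           # protocol-relative: loaded over the page scheme
        src = "https:" + src
    parsed = urlparse(src)
    if parsed.scheme and parsed.netloc:
        return f"{parsed.scheme}://{parsed.netloc}", parsed.path
    path = parsed.path if parsed.path.startswith("/") else "/" + parsed.path
    return page_origin, path


def audit_scripts(html, inventory=APPROVED_INVENTORY, page_origin="https://www.example.com"):
    """Classify every script in the page against the inventory.

    Returns {"shadow": [(src, reason), ...], "missing_sri": [src, ...],
             "inline_scripts": n}.
    """
    collector = ScriptCollector()
    collector.feed(html)
    report = {"shadow": [], "missing_sri": [], "inline_scripts": collector.inline_count}
    for src, has_integrity in collector.external:
        origin, path = split_source(src, page_origin)
        if origin not in inventory:
            report["shadow"].append((src, "unknown-origin"))
        elif path not in inventory[origin]:
            report["shadow"].append((src, "unapproved-path"))
        elif origin != page_origin and not has_integrity:
            # Approved third-party script, but nothing pins its content.
            report["missing_sri"].append(src)
    return report


if __name__ == "__main__":
    result = audit_scripts(SAMPLE_PAGE)
    for src, reason in result["shadow"]:
        print(f"SHADOW CODE CANDIDATE  {reason:16} {src}")
    for src in result["missing_sri"]:
        print(f"APPROVED, NO SRI       {src}")
    print(f"inline scripts (not inventoriable by URL): {result['inline_scripts']}")
```

<p>In practice the inventory would be generated from the organization's code repositories and vendor approvals, and the audit would run against pages captured from real browser sessions rather than a static file, so that dynamically added script elements are included in the comparison.</p>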
</section>
<section class="section main-article-chapter" data-menu-title="How to manage and prevent shadow code">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How to manage and prevent shadow code</h2>
<p>Managing and preventing shadow code requires a combination of methods, including the following:</p>
<ul class="default-list">
<li>Ensure developers and other personnel, contractors and vendors involved in web application development are aware of shadow code risks and train teams on the procedures to properly assess all code.</li>
<li>Make it easy and quick for developers and others to request use of safe third-party code.</li>
<li>Set automatic triggers for a cybersecurity assessment process when new third-party code is detected within the enterprise.</li>
<li>Have automated tools and processes in place to regularly review the security of all code, with trained personnel reviewi

[…]
This article has been indexed from Search Security Resources and Information from TechTarget