Shadow Code 101: A Quick Look at the Risks

    By Vitaliy Lim

    Developers and the larger software teams they belong to are under tremendous pressure to produce large amounts of code on strict deadlines. To speed things up, front-end developers routinely pull from public code repositories and JavaScript libraries rather than writing every line from scratch.

    Code repositories, especially the large ones, are so convenient that code from them ends up on a large share of business websites. Reusing that code carries a risk, though: it can introduce what the client-side security space calls “shadow code.”

    What is shadow code?

    The term derives from shadow IT: software or services that employees adopt to help get their work done, without first obtaining the consent of the internal IT team or management. In the same way, shadow code is code from either in-house or external sources that is used in software and application development without authorization.

    Shadow code is not necessarily malicious. A developer may reuse pre-written code from another application or an in-house library, or pull it from an external repository such as GitHub. The source of the shadow code is not the problem; the problem is that the code is used without approval and, most importantly, without anyone confirming that it is safe, compliant, and can run without introducing risk.

    Code can never be perfect

    There is no such thing as perfect code. Humans write code, so it cannot be perfect. Mistakes happen, and threat actors are constantly looking for those mistakes and the vulnerabilities they create, because each one is a potential route to a breach. Shadow code adds code that nobody has reviewed, so it adds vulnerabilities nobody knows about.

    One tactic threat actors use is to write malicious code and inject it directly into the JavaScript of a web application. Cyber criminals also deliberately insert malicious code into projects hosted in external open-source repositories, hoping developers will download and deploy it. The attack may also come from within, when an insider introduces compromised code into a first-party script. Whatever the path, once malicious JavaScript is part of a website it runs in every visitor's browser with the same access to the page as the site's own scripts, and that is all an attacker needs.

    The Hidden Dangers of External Code Libraries

    When a new application has to be built or a new website feature introduced, code repositories help developers get the job done quickly. Rather than writing the functionality from scratch, the developer, under a tight deadline, builds it out of pre-existing code from external sources. Code that has not been vetted for safety or for compatibility with the other applications it connects to, however, can itself create vulnerabilities.

    Take, for example, a website chat tool. These tools are readily available in open-source libraries. What is easy to overlook is that something as seemingly benign as a chat tool can wreak havoc on a retail website that handles thousands, if not millions, of payment cards.

    Consider this scenario: the marketing and sales team want to improve the customer experience on the website, so they ask the development team to add a chat tool to the payment page, a place where customers frequently have questions about their purchase. A developer takes the code for a chat tool from an online repository such as GitHub. Unbeknownst to the developer, a threat actor has inserted malicious code into that project. The developer deploys the chat tool on the online payment page as a feature enhancement. The malicious code now runs on the payment page itself, where it can read the card fields as customers fill them in and send the data to a server the attacker controls.

    The result of this e-skimming attack is usually a substantial data breach and a wave of credit card fraud. It also erodes trust in the company and its products among the customers whose personal and financial information was stolen.

    Even when shadow code contains no intentionally malicious script, it still introduces problems, including vulnerabilities that leave websites open to Magecart-style attacks and other forms of e-skimming. Shadow code threatens valuable corporate and customer data. It can damage your reputation and even result in fines.

    Because shadow code is deployed without approval or authorization, it can turn up anywhere scripts are used. That makes it all the more important for IT and security teams to take a cautious, proactive approach to securing third-party tools, so that vulnerabilities are minimized and the chances of an attack are reduced. It is also another opportunity for cybersecurity professionals to show their C-level team that their work is a differentiator for the organization.

    Protect your business and your customers from shadow code

    Developers and software teams need a high level of vigilance to avoid the negative impacts of shadow code. Customers are protected from its vulnerabilities when an organization extends its security perimeter beyond the server side and also monitors and mitigates threats on the client side, in the browser where the scripts actually run. To stay ahead and provide trusted services to your customers, you need to know the tactics threat actors use, shadow code among them, and how best to respond, prevent future attacks, and protect your greatest asset: your customers.

    Vitaliy Lim currently is Chief Technology Officer and Co-Founder at Feroot Security (

