Tweet Chat: Exploring the hidden world of Shadow Code

In the latest IT Security Guru Tweet chat, we were joined by PerimeterX, a leading voice in the world of application security, and a host of other voices from across the Infosec spectrum: Analysts, technical experts, members of the C-suite and professional bodies came together to discuss the emergence of shadow code, a new term to describe the use of third-party scripts in applications, without authorisation or safety validation. Our assembled influencers came ready to discuss this hidden world, and below is a snippet of the insights they provided. To take a look at the full results of the Tweet Chat, simply head to the IT Security Guru Twitter, or look under the hashtag #ShadowCode

What is shadow code?

Our influencers seemed broadly aware of the term of shadow code and displayed an understanding of the term. The next challenge for those hoping to defend against the issues brought about by shadow code will be to encourage the term to go mainstream within technology circles, in the same way that ‘Shadow IT’ has become a term omnipresent in technology, developer and security circles. 

Why should we care?

Here, our influencers make the case for an understanding of shadow code across the business. Making the point that data breaches or compliance issues can lead to diminishing brand reputation, PerimeterX CMO Kim DeCarlis flew the flag for marketing professionals gaining an awareness of shadow code, and working with security and IT teams to ensure that code is reviewed and tools are implemented in order to protect the brand. 

Jamie O’Meara, who heads up global partner solutions at Snyk also made the point that a businesses website is the access portal by which customers are found, dealt with and hopefully, retained – as good a reason as any to understand and be aware of the potential issues caused by shadow code. 

The security implications

Here we see a discussion of a much-forgotten element of the shadow code discussion: It does have some positives. Kim DeCarlis suggests that the agility that using Shadow Code can provide can be potentially helpful. 

However, from an infosec perspective, we still see the negatives outweigh the positives. Quentyn Taylor, who heads up information security for Canon in Europe, makes the connection between shadow code and supply chain security, suggesting it is perceived as this it might escape the more rigorous auditing other areas of the business might be subjected to. Ameet Naik of PerimeterX summed the concerns up succinctly too, stating that “You cannot secure what you cannot see.”

Shadow Code and job function

The influencers here wax lyrical on the subject of how different job functions are affected by shadow code. As the resident CISO in the room, Quentyn Taylor suggested that the impact is more stringently felt on the DevOps side, and that Shadow code presents both an opportunity and a risk or CISOs. 

The RH-ISAC made the case for shadow code not always being as a result of malicious activity, stating something that a developer is simply on a deadline, and needs to finish the job fast, which in itself speaks to the skills gap in security and IT teams, and the far-reaching consequences. 

Shadow code in the real world

Bridging the gap between the infosec world and the real world, here we see our influencers discussing how this has impacted people in the real world! The infamous Magecart cybercrime syndicate was listed as a main example, with attacks aimed at Best Buy and Delta also referenced. 

Who needs to be the most concerned?

Question 6 asked who has the most at risk from shadow code. With more mature security postures found in financial and healthcare organisations, e-learning is identified as one area which has a less mature security posture, but a staggering amount of PII in their digital ecosystems. 

It’s worth hammering home the point however, as Kim DeCarlis did, that any business using shadow code to speed up their time to market is at risk. 

Moving forward: How to mitigate 

Here, the advice was as you might expect: Review, understand and monitor. RH-ISAC, PerimeterX’s Ameet Naik, and security analyst and author Richard Steinnon all recommended surveying and monitoring, as well as having increased visibility as ways to mitigate the risks associated with shadow code. 

Are CSPs enough?

In the most technical aspect of the chat, Quentyn, Richard and Ameet discussed content security policies, and whether they are enough to protect from shadow code, concluding fairly comprehensively that while a CSP is useful from an authorship and source perspective, it cannot tell what the code actually does: It is not a “set and forget” solution.

Shadow code and legislation

Discussing whether the recent legislative trend towards protecting consumer data, as encapsulated by the CCPA and GDPR legislations passed will have any effect on shadow code, our influencers agreed that the legislation is far too new for us to have a true impact. They also highlighted how some of the world’s biggest brands – Marriott Hotels, British Airways – thought they were compliant, but were sorely mistaken. 

What will the future hold?

We saved the big question for last: What now? All of our influencers agreed that shadow code is not going anywhere, with carrying degrees of optimism: While Quentyn Taylor suggested that “This will be a issue that will get far worse before it gets better” due to the products that can’t be update, Richard Stiennon was more positive in his outlook, stating that signing code would be a great start. 

Jamie O’Meara argued the natural proclivity for change and development in Application development will mean we are likely to see far more shadow code over the next decade, and Kim DeCarlis agreed that the desire for speed and agility in web development means that shadow code is absolutely not going anywhere soon! 

To find out more about shadow code, and how your business can defend against it, please visit the resources on the PerimeterX website.



The post Tweet Chat: Exploring the hidden world of Shadow Code appeared first on IT Security Guru.