Shadow code: The hidden threat for enterprise IT
The shadow code running in your web apps could be a ticking time bomb. Learn more about the cybersecurity risks of shadow code and how to protect your enterprise.
Many enterprises have a lurking threat embedded deep in their systems, and the risks to privacy and cybersecurity can be grave: shadow code.
Shadow code is any code -- libraries, scripts, APIs, and web browser plugins and extensions -- that an organization runs in web browsers without first performing standard security checks. It includes all first-party and third-party code whose security has not been confirmed, as well as any unverified code that such code in turn loads or calls. In other words, shadow code is all the code an organization's web applications rely on without the organization being aware of the associated risk, which means it cannot properly manage that risk.
Shadow code is often deployed when developers and other personnel want to save time and meet deadlines. Instead of writing code themselves, they might find existing code to reuse. While the practice can save time, it can be perilous if the security of that code isn't first assessed. Shadow code can also occur when a disgruntled employee or other malicious actor intentionally injects malware or other unauthorized functionality into an organization's software.
CISOs and other security leaders should clearly understand the risks shadow code can pose and how to identify, manage and prevent shadow code use in their enterprises.
The risks of shadow code
Consider the following cybersecurity and privacy risks inherent when using shadow code:
- The code might contain unmitigated coding vulnerabilities, misconfigurations, design flaws or other problems that could negatively impact systems.
- Embedded malicious code could perform client-side attacks via web browsers.
- Shadow code can violate cybersecurity and privacy laws, regulations and organizational policies, for example when an unassessed third-party script sends user data to a party the organization never approved.
- The code could violate software licensing terms or subject an organization to unanticipated terms.
How to identify shadow code
Because shadow code executes within web browsers, identification should focus largely on the client side, not the server side. Many tools can monitor the code executing in web browsers, including application security monitoring products and browser-level tools such as developer tools and content security policy violation reports. CISOs should mandate the use of these tools and closely monitor their logs and alerts to rapidly identify the use of shadow code.
Organizations should create and maintain an up-to-date inventory of all the code they use, including first-party and third-party code and code services. Compare this inventory against the code actually observed in browsers to improve the accuracy of shadow code detection. Continuously monitor approved code, both in operational environments and in code repositories, to identify any calls to shadow code and to detect any changes to code that could indicate new uses of shadow code.
How to manage and prevent shadow code
Managing and preventing shadow code requires a combination of methods, including the following:
- Ensure developers and other personnel, contractors and vendors involved in web application development are aware of shadow code risks and train teams on the procedures to properly assess all code.
- Make it easy and quick for developers and others to request approval to use third-party code, so the sanctioned route is faster than bypassing it.
- Set automatic triggers for a cybersecurity assessment process when new third-party code is detected within the enterprise.
- Have automated tools and processes in place to regularly review the security of all code, with trained personnel reviewing and validating automation outputs.
- Enforce a Content Security Policy (CSP) that restricts which scripts browsers will execute, so that unapproved code is blocked rather than merely detected after the fact.
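To make the last point concrete, the following is an added example (not code from the article) that evaluates a CSP `script-src` directive against a few sample scripts, comparing a permissive policy with a strict, nonce-based one. It follows the CSP Level 3 matching rules for the cases it covers but is deliberately simplified: `default-src` fallback, hash sources and `'unsafe-eval'` are not modeled, and the propagation of trust under `'strict-dynamic'` is represented by a plain `insertedByTrustedScript` flag. The policies, page origin, nonce value and script URLs are constructed sample data.

```javascript
// Added example: minimal evaluator for the CSP script-src directive.
// Simplifications (assumptions): no default-src fallback, no hash sources,
// no 'unsafe-eval'; 'strict-dynamic' trust propagation is modeled by a flag.

// Pull the script-src source list out of a full Content-Security-Policy value.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map(d => d.trim())
    .find(d => /^script-src(\s|$)/.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    // *.example.com matches cdn.example.com but not example.com itself
    return hostname.endsWith(pattern.slice(1)) && hostname !== pattern.slice(2);
  }
  return pattern === hostname;
}

// Does one scheme-source ("https:") or host-source ("cdn.example.com/js/")
// expression match scriptUrl? 'self' is matched against the page origin.
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (expr === "'self'") return u.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(host.toLowerCase(), u.hostname)) return false;
  // URL normalizes a default port to ''; an expression without a port only
  // matches the scheme's default port, an explicit port must match exactly.
  if (!port && u.port !== '') return false;
  if (port && port !== '*' && port !== u.port) return false;
  if (path) {
    // A path ending in '/' is a prefix match; any other path must match exactly.
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// script: { url } for an external script or { inline: true } for an inline one,
// optionally with nonce (the element's nonce attribute) and
// insertedByTrustedScript (inserted at runtime by an already-allowed script).
function scriptAllowed(policy, script, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // assumption: default-src fallback not modeled
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const nonces = sources
    .filter(s => /^'nonce-.+'$/.test(s))
    .map(s => s.slice("'nonce-".length, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // Host and scheme sources are ignored; trust flows only from nonced scripts.
    return Boolean(script.insertedByTrustedScript);
  }
  if (script.inline) {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce source is present.
    return sources.includes("'unsafe-inline'") && nonces.length === 0;
  }
  return sources.some(s => (s === "'self'" || !s.startsWith("'")) && sourceMatches(s, script.url, pageOrigin));
}

const PAGE_ORIGIN = 'https://www.example.com';
// Permissive policy: any https script and any inline script may run.
const WEAK_POLICY = "script-src 'self' 'unsafe-inline' https:; object-src 'none'";
// Strict policy: only scripts carrying the per-response nonce, and scripts those
// load at runtime, may run. The https: and 'unsafe-inline' entries are fallbacks
// for browsers without CSP3 support and are ignored by browsers that understand
// nonces and 'strict-dynamic'. The nonce is a constructed sample; real nonces are
// fresh random bytes generated for every response.
const STRICT_POLICY =
  "script-src 'nonce-d2h5IGhlbGxv' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'";

const SAMPLE_SCRIPTS = {
  appNonced: { url: 'https://www.example.com/app.js', nonce: 'd2h5IGhlbGxv' },
  unvettedCdn: { url: 'https://widgets.unknown-vendor.net/chat.js' },
  inlineNoNonce: { inline: true },
  loadedByApp: { url: 'https://cdn.example-analytics.com/tag.js', insertedByTrustedScript: true },
};

function evaluateAll(policy) {
  const out = {};
  for (const [name, script] of Object.entries(SAMPLE_SCRIPTS)) {
    out[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return out;
}

console.log('weak  :', evaluateAll(WEAK_POLICY));
console.log('strict:', evaluateAll(STRICT_POLICY));
```

Under the weak policy every sample script runs, including the unvetted vendor script and the inline block, which is exactly how shadow code reaches production unnoticed. Under the strict policy only the nonced application script and what it loads itself are allowed. Rolling such a policy out in `Content-Security-Policy-Report-Only` mode first, with a `report-uri` or `report-to` endpoint, turns every would-be violation into a report that feeds the detection process described in the previous section.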
When planning how to manage and prevent shadow code, always keep in mind that once code is in production, it's much harder to change its configuration or remove it from the enterprise entirely. Identifying shadow code early in the software development process and preventing it from being executed in production environments will help safeguard the enterprise's cybersecurity.
Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.