What is Shadow Code?
Shadow code means the unauthorized or unapproved use of software code or scripts during the software or application development process. The code may come from an internal library source or external repository, such as GitHub. The term ‘shadow code’ comes from the phrase ‘shadow IT,’ which means the use of unapproved IT software, services, and devices to help drive business operations.
Shadow code becomes dangerous when it is used without approval and, more importantly, without confirmation that it is secure, not malicious, free from bugs and vulnerabilities, compliant, and able to operate alongside other applications without introducing risk.
The types of problems associated with shadow code include:
- Vulnerabilities—Even the best code developers make mistakes. Code vulnerabilities introduce the risk of security compromise.
- Malicious Intent—Sometimes threat actors intentionally create malicious code and place it in repositories with the hope that it will be downloaded by an organization. Rogue insiders can also introduce malicious code into first-party scripts.
- Incompatibility—In some instances, the code itself may be legitimate, but incompatible with code in other applications or systems. This incompatibility could introduce vulnerabilities and lead to an attack on other systems.
Shadow code threats include:
- Malicious code injection
- Magecart attacks
- Website defacement
- Data exfiltration or compromise of sensitive organizational or customer data
- Watering hole attacks (attacking users that visit your website)
- Script attacks
- SQL injections
- Ad injections
- Malicious code insertions
- Cross-site scripting (XSS)
Where is shadow code found?
Shadow code can be found anywhere scripts are found, including:
- An internal repository.
- A legitimate open-source library or repository.
- Code loaded by vendors without organizational knowledge.
- Code injected by threat actors for malicious intent, such as in digital skimmers.
- Third-party plugins created for a content management system.
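One way to look for shadow code on a web page, given here as an added example that is not part of the original article: the Python code below lists every script a page loads and reports those that an approved inventory does not cover. The inventory format, the URLs, the pin value and the function names are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin

class ScriptInventory(HTMLParser):
    """Collect the attributes and inline body of every <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {**dict(attrs), "body": ""}  # keeps src / integrity if set
            self.scripts.append(self._cur)
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._cur = None

def body_hash(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()

def audit(html, page_url, approved_src, approved_inline):
    """Return (finding, detail) for each script the approved inventory does not cover."""
    parser = ScriptInventory()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if not s.get("src"):  # inline script: body must match an approved hash
            if body_hash(s["body"]) not in approved_inline:
                findings.append(("unapproved-inline", s["body"].strip()[:40]))
            continue
        url = urljoin(page_url, s["src"])  # resolve relative first-party paths
        if url not in approved_src:
            findings.append(("unapproved-source", url))
        elif approved_src[url] and s.get("integrity") != approved_src[url]:
            findings.append(("integrity-missing-or-changed", url))
    return findings

# Constructed sample: every URL, the pin and the inventory are made up.
APPROVED_SRC = {"https://shop.example/static/app.js": None,  # first party, no pin
                "https://cdn.vendor.example/chat.js": "sha384-" + "A" * 64}
APPROVED_INLINE = {body_hash("window.cfgCurrency = 'EUR';")}
SAMPLE = """<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/chat.js"></script>
<script src="https://stats.unknown.example/t.js"></script>
<script>window.cfgCurrency = 'EUR';</script>
<script>document.title = 'changed';</script>"""
```

Running audit over the rendered HTML of production pages on a schedule surfaces scripts added by vendors or plugins after the inventory was last reviewed.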