The rise and risk of third-party code


The applications that make up the vast majority of today's hypercomplex technology stacks are heavily dependent on third-party code. Unfortunately, the significant benefits these prefabricated components provide are often compromised by the serious security implications of third-party architecture.

It is essential for modern businesses not only to recognize these risks, but also to actively help stem the flow of attacks. Cutting-edge tools, including a next-generation WAF solution, may be the only way to keep relying on third-party code safely.

1. Third-party code: Because why reinvent the wheel?

Third-party code refers to any program code that can be reused across different applications. This makes developing an app easier, as reusing code can significantly reduce time to market. Even once the foundation of an app is laid, its developers can lean on third-party code for ad tracking, customer reviews, payments, chatbots, tag management, social media integration, or other helper libraries that simplify common functions.

The sheer usefulness and availability of third-party code has seen it infiltrate every corner of the internet: today, third-party code accounts for up to 70% of a website. In one survey, 99% of respondents said that the sites used and produced by their organization contain at least one piece of third-party code.

Open source is one kind of third-party code, but the term also covers code developed externally and used under a purchased license. Whatever the commercial price of this code, companies have for too long ignored its social and security costs.

2. The hidden danger of ghost code

Third-party code lends itself to developing highly accessible sites and applications. While these no-code or low-code environments lower the barrier to entry for entrepreneurs and enthusiastic hobbyists, it is essential to understand the risks. Cybercriminals are more than willing to take advantage of naive or careless developers. Sometimes it is not a lack of skill that lets them in, but the strong pressure for rapid deployment.

Attackers grouped under the Magecart umbrella have been exploiting third-party code since 2015. These groups specialize in digital credit card theft, skimming card data by secretly injecting JavaScript into e-commerce payment pages. Magecart has left a trail of destruction with high-profile victims: Ticketmaster, British Airways and countless other online brands have all fallen prey to its attacks.

Two high-profile attacks took place in 2020, targeting children's clothing manufacturer Hanna Andersson and British retailer Sweaty Betty. Both attacks are believed to have revolved around seemingly harmless site add-ons, into whose code the Magecart attackers had slipped a few key lines of JavaScript.

This injected third-party code often mimics a legitimate payment form on the e-commerce site, with crucial but tiny changes: for example, the payment information is secretly copied to a server controlled by the attacker. The transaction itself is still authorized, so end users are left in the dark.
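The defender's counterpart to the injection described above is an inventory of what a checkout page actually loads. The following is an added example, not code from the article or from any of the companies it names: it parses a page's `<script>` tags and flags the traits a skimmer injection typically has, namely a script from an origin the site owner never approved, an external script without a Subresource Integrity (SRI) hash, and inline script that would escape both checks. The approved origins and the sample HTML are constructed for this example.

```python
# Added example, not code from the article: audit the <script> tags of a
# checkout page for the traits a Magecart-style injection typically has.
# The approved origins and the sample HTML below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only origins this shop intends to load scripts from.
APPROVED_ORIGINS = {"https://shop.example", "https://cdn.example"}

# Constructed sample page: one pinned script, one approved-but-unpinned script,
# one script from an unknown origin, and one inline script hooking the form.
SAMPLE_HTML = """
<html><body>
<form id="checkout" action="/pay"><input name="card"></form>
<script src="https://cdn.example/checkout.js"
        integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static.unknown-widgets.example/widget.js"></script>
<script>document.querySelector('#checkout').addEventListener('submit', hook);</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"attrs": dict(attrs), "body": ""})

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_scripts(html, approved_origins):
    """Return a list of (finding, detail) pairs, in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["attrs"].get("src")
        if src is None:
            # Inline code is invisible to SRI and origin checks; it needs manual review.
            findings.append(("inline-script", script["body"].strip()[:60]))
            continue
        parsed = urlparse(src)
        origin = f"{parsed.scheme}://{parsed.netloc}"
        if origin not in approved_origins:
            findings.append(("unapproved-origin", src))
        if "integrity" not in script["attrs"]:
            # Without an SRI hash the CDN, or anyone who compromises it, can change the file.
            findings.append(("missing-sri", src))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_scripts(SAMPLE_HTML, APPROVED_ORIGINS):
        print(f"{finding:18} {detail}")
```

Run against a saved copy of the checkout page, the findings give a starting point for a `script-src` Content Security Policy and for pinning every external script with an `integrity` attribute; the inline-script findings are the ones that warrant a manual read, since that is where a skimmer's form hook would live.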

The attack on Hanna Andersson went unnoticed for several weeks, and that counts as a relatively quick discovery; other victims have remained in the dark for almost a year. Most victims are only alerted when stolen credit card information appears on dark web marketplaces.

The cost is significant: Hanna Andersson was ordered to pay $400,000 in damages to more than 200,000 customers. The exact cost to individual victims is harder to determine, but the theft of their name, shipping address, billing address and payment card information allows attackers to cause incredible damage. Magecart attacks grew in popularity throughout the Covid-19 pandemic, seeing a 20% increase, while the average detection time reached 22 days.

Magecart is an example of deliberately malicious third-party code, but even well-tested open-source code can accidentally cause one of the biggest security issues of this decade. Log4j is an open-source logging library that has become one of the most important pieces of web architecture, responsible for relaying vital logging information to development and maintenance teams.

In 2021, however, the Log4j library was found to be severely vulnerable to remote code execution. Hundreds of millions of devices were put at serious risk, as the flaw is also relatively simple to exploit.

It is not realistic to completely forgo third-party code. More than 60% of the world's websites run on Apache and Nginx servers, and 90% of IT managers regularly use enterprise open source code. All modern software is built from pre-existing components, and rebuilding these functions from scratch would require massive investments of time and money to produce even relatively simple applications.

3. You can't get by with just a patch

Once integrated into an application, third-party code can be difficult to test, and even harder to secure. Fixes are entirely up to the component's developers, and even for active, well-intentioned maintainers, like those behind Log4j, fixes take a critical amount of time.

Fear not: a comprehensive security solution can offer several tools for virtual patching that stop attackers in their tracks. One such tool is the Web Application Firewall (WAF), which sits between the application and the end user, monitoring and filtering the traffic passing through. Next-generation WAFs offer automatic policy creation and rapid rule propagation, widening the safety net that third-party code needs.
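To make the idea of a virtual patch concrete, here is an added example that is not the article's code nor any WAF vendor's: a minimal rule evaluator that inspects each request in front of an application whose vulnerable third-party component cannot be upgraded yet. Because the rules look at the request rather than the application, they can be deployed the day a flaw is announced and retired once the real fix ships. The rule set and the sample traffic are constructed; the first rule matches the JNDI lookup token through which the 2021 Log4j flaw was triggered, the second is a generic path traversal rule.

```python
# Added example, not the article's or any vendor's code: a minimal virtual
# patch evaluator of the kind a WAF runs in front of an application with an
# unpatched third-party dependency. Rules and sample requests are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    scopes: tuple  # which parts of the request the rule inspects


# Illustrative rule set. VP-LOG4J matches the JNDI lookup token of the 2021
# Log4j remote code execution flaw wherever user-controlled text might reach a
# log statement. VP-TRAVERSAL is a generic path rule included for contrast.
VIRTUAL_PATCHES = [
    Rule("VP-LOG4J", "JNDI lookup token in user-controlled input",
         re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE),
         ("headers", "path", "body")),
    Rule("VP-TRAVERSAL", "Directory traversal in request path",
         re.compile(r"(^|/)\.\.(/|$)"),
         ("path",)),
]


def _values(req, scope):
    """The strings a given scope contributes to inspection."""
    if scope == "headers":
        return list(req.headers.values())
    if scope == "path":
        return [req.path]
    return [req.body]


def evaluate(req, rules=VIRTUAL_PATCHES):
    """Return ('block', rule_id, scope) for the first matching rule, else ('allow', None, None)."""
    for rule in rules:
        for scope in rule.scopes:
            for value in _values(req, scope):
                if rule.pattern.search(value):
                    return ("block", rule.rule_id, scope)
    return ("allow", None, None)


# Constructed sample traffic: ordinary requests plus two the rules should stop.
SAMPLE_REQUESTS = [
    Request("GET", "/api/orders", {"User-Agent": "Mozilla/5.0"}),
    Request("POST", "/api/login", {"User-Agent": "curl/8.0"}, body="user=alice"),
    Request("GET", "/api/orders", {"User-Agent": "Mozilla/5.0 ${JNDI:...}"}),
    Request("GET", "/static/../../app.conf", {"User-Agent": "Mozilla/5.0"}),
]


def decisions(reqs=SAMPLE_REQUESTS, rules=VIRTUAL_PATCHES):
    """One log-style line per request, in the order received."""
    lines = []
    for req in reqs:
        verdict, rule_id, scope = evaluate(req, rules)
        suffix = f" [{rule_id}:{scope}]" if rule_id else ""
        lines.append(f"{req.method} {req.path} -> {verdict}{suffix}")
    return lines


if __name__ == "__main__":
    print("\n".join(decisions()))
```

The scope list on each rule is the important design choice: the Log4j rule has to cover headers and bodies, not just the path, because the vulnerable code was a logging call that any user-supplied string could reach. Rules this narrow are a stopgap that buys time for the upgrade, not a replacement for it.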

While a traditional WAF focuses primarily on monitoring external connections, Web Application and API Protection (WAAP) describes a more comprehensive protection suite. It incorporates the WAF's firewall-based approach while putting more focus on APIs, the interfaces that provide programmatic access to applications and have historically been a major weak point in organizations' defenses.

Finally, runtime application self-protection (RASP) offers a compelling next step toward automated protection. Instead of sitting outside the application, RASP acts like a plugin attached to the application's internals. Through this internal view, RASP can monitor the application's behavior and map the typical logins and privilege use that occur under the hood. Once a baseline is established, RASP can automatically detect, and importantly stop, suspicious behavior.
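The baseline-then-enforce idea behind RASP is easier to see in code. The following is an added toy illustration, not the article's code nor any RASP product's: a decorator wraps a sensitive operation, records which application function calls it during a learning phase, and in enforcement mode refuses the operation from any caller outside that baseline. The application functions, the third-party widget and the traffic are constructed; a real RASP hooks the runtime itself rather than reading caller names from call frames.

```python
# Added example, not the article's or any RASP product's code: a toy
# illustration of watching an application from the inside. Application
# functions, the third-party widget and the traffic are constructed.
import inspect


class Rasp:
    """Records (operation, caller) pairs during learning and enforces them afterwards."""

    def __init__(self):
        self.mode = "learn"
        self.baseline = set()   # (operation, caller) pairs seen during learning
        self.blocked = []       # (operation, caller) pairs refused in enforce mode

    def guard(self, operation):
        def decorate(fn):
            def wrapper(*args, **kwargs):
                # The frame above the wrapper is the application code making the call.
                caller = inspect.currentframe().f_back.f_code.co_name
                key = (operation, caller)
                if self.mode == "learn":
                    self.baseline.add(key)
                elif key not in self.baseline:
                    self.blocked.append(key)
                    raise PermissionError(f"{operation} called from unexpected function {caller}")
                return fn(*args, **kwargs)
            wrapper.__name__ = fn.__name__
            return wrapper
        return decorate


rasp = Rasp()


@rasp.guard("db.query")
def run_query(sql, params=()):
    """Stand-in for the real database call."""
    return f"rows for {sql} {params}"


# First-party code path that legitimately queries the database.
def list_orders(user):
    return run_query("SELECT id, total FROM orders WHERE user = ?", (user,))


# A third-party review widget that, unexpectedly, starts reading the user table.
def review_widget_dump():
    return run_query("SELECT email, card_last4 FROM users")


def simulate():
    """Learn from normal traffic, then enforce against the misbehaving widget."""
    rasp.mode, rasp.blocked = "learn", []
    rasp.baseline.clear()
    list_orders("alice")           # establishes the baseline
    rasp.mode = "enforce"
    allowed = list_orders("bob")   # same caller as the baseline: permitted
    try:
        review_widget_dump()       # new caller for db.query: refused
        refused = False
    except PermissionError:
        refused = True
    return allowed, refused, list(rasp.blocked)


if __name__ == "__main__":
    print(simulate())
```

The point the toy makes is where the decision is taken: the WAF never sees the widget's database call because it happens inside the process, whereas a guard on the operation itself can tell first-party code and a misbehaving add-on apart by who is calling.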

With a proactive suite of virtual patching measures in place, your security can keep pace with DevOps while helping to negate the threat of cybercriminals and the lawsuits that follow.