For companies, this meant an unmissable opportunity — by relying on peer-reviewed third-party modules, it became less needed to develop every piece of code in-house. In such a fast-paced industry, cutting product development time and cost directly translated to a competitive edge. Code reuse became the status quo of web development in the enterprise.
As specific product needs were met with specific community-built modules, the number of third-party modules of web apps (also known as code dependencies) quickly built up — today, averaging 1,000 dependencies per web app. And here, we must address security risk.
Each of these third-party modules represents a security liability. Companies have no control over this code but blindly trust their providers to keep it secure. However, most of these providers are individual developers who often don’t have stringent security in place and so may pose little challenge to seasoned attackers. After gaining control of one of these modules, attackers can then inject malicious code downstream in the web supply chain, breaching multiple companies in a single go. This malicious code then acts silently, siphoning valuable data such as credit card details or protected health information. [Editor's note: Jscrambler is one of a number of companies that sell services that address this issue.]
Recent findings by researchers from the Technical University of Darmstadt point out that this risk is much higher than commonly thought. Each of these third-party modules that companies amass by the hundreds contains, on average, 80 dependencies of its own. Considering these vast ramifications, Darmstadt researchers reached a startling conclusion: If 20 high-profile developer accounts are compromised by attackers, half of the ecosystem is breached. We’re talking about giant corporations worldwide being attacked from within their own code.
And while this same research urges npm stakeholders to put in place stricter code vetting and vulnerability analysis, the enterprise can’t afford to wait while still leaving it all to blind trust. Management must have a say on this, raising the right questions on third-party code security. Especially when considering that, in 2018, Web-based attacks cost companies $2.3 million on average, with the figure being $1.4 million for attacks achieved with malicious code.
It’s granted that third-party code isn’t going anywhere, as it’s still one of the main drivers of competitive product development. But it’s in learning to integrate externally sourced code securely that the enterprise will gradually mitigate this risk. Development and security teams must critically contemplate each piece of external code as a gateway for attacks. This means reducing dependencies whenever possible, gaining visibility of malicious code, and auditing code frequently and thoroughly.
Companies are still finding out about the devastating potential of these attacks in retrospect — when it’s too late. It’s time that enterprise gave this business liability proper attention — trusting third-party code responsibly, while actively keeping an eye out for web supply chain attacks.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How HR and IT Can Partner to Improve Cybersecurity."