Third-party code or digital third-party code (Digital 3PC) refers to code and assets running on a website or domain that are owned and operated (O&O) by one or more third parties, and not by the domain itself.
Third-party code helps to enhance user experience across your online properties, but left unmanaged it can also put their safety at risk. On average, 90% of the code across websites and mobile apps is operated by a third party, and up to 3% of that code may serve malicious functions.
Examples of digital third-party code include the assets which drive programmatic advertising, content personalization, analytics, software plugins, payment and shopping cart functionality, content management and hosting providers, CRM and data management platforms, online chat platforms, and video and image libraries.
Because digital third-party code drives advertising and monetization features and facilitates user experience through advanced web functionality, today it is essential to the revenue of any business that depends on the web for a substantial part of its marketing and income generation.
Left unmanaged, third-party code can also serve as a vehicle for malware attacks, malicious redirects, unauthorized data collection that violates U.S. and international privacy legislation, and more. This represents a threat to revenue in the form of fines, lawsuits, and slower performance, which leads to cart abandonment and higher bounce rates.
Today, the hefty fines imposed by privacy legislation such as GDPR and CCPA, and the high cost of responding to a data breach, make third-party code one of the most underestimated risks to business revenue in the digital ecosystem.
Digital third-party risk is defined as the likelihood that third-party code will negatively impact your business by disrupting user experience across your websites and mobile applications, breaching your clients’ security, or putting your business in violation of data privacy laws such as GDPR and CCPA.
Third-party risk management encompasses the protocols an organization uses to oversee the digital third-party code operating on its websites and mobile apps, in order to mitigate risk and communicate user consent to third parties. Third-party risk management includes inventory (discovery and classification of all the code operating across websites and mobile apps), measuring and enforcing compliance across third-party vendors, and blocking or remediating malicious activity.
The best way to mitigate risk from third-party code is to know who and what is operating across your organization’s digital properties. This means following strict third-party risk management guidelines, continually monitoring the activities of third-party code across your websites and mobile apps, and routinely auditing your third parties for safety and compliance. To validate the safety of your business partners, you must ensure that they comply with data privacy legislation including GDPR and CCPA, and remove or block non-compliant code whenever it is discovered.
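The inventory step above (discover every external resource a page loads, classify it as first-party or third-party, and flag anything not on the approved vendor list) can be automated. The script below is an added example written for this page, not code from Digital3PC.com; the sample HTML, the first-party domain `shop.example` and the vendor allowlist are constructed placeholders. It also records two defensive checks a reviewer would want next to each third-party script: whether it carries a Subresource Integrity `integrity` attribute and whether it is loaded over plaintext HTTP.

```python
"""Inventory and classify third-party resources referenced by a web page.

Added example, not from Digital3PC.com. The HTML, domain and allowlist below are
constructed for illustration; point inventory() at real page source in practice.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect the load URL of every tag that pulls in external code or content."""

    # tag name -> attribute that names the loaded resource
    LOADING_TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url, attrs-dict)

    def handle_starttag(self, tag, attrs):
        attr_name = self.LOADING_TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names for us
        url = attrs.get(attr_name)
        if url:
            self.resources.append((tag, url, attrs))


def matches_domain(host, domain):
    """True when host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def inventory(html, site_domain, allowlist):
    """Classify each loaded resource as first-party, approved third-party or unapproved.

    Returns a list of dicts: tag, host, url, class and a list of review notes."""
    parser = ResourceCollector()
    parser.feed(html)
    report = []
    for tag, url, attrs in parser.resources:
        parsed = urlparse(url)
        host = parsed.hostname or site_domain  # relative URL -> served by the site itself
        if matches_domain(host, site_domain):
            cls = "first-party"
        elif any(matches_domain(host, d) for d in allowlist):
            cls = "approved-third-party"
        else:
            cls = "unapproved-third-party"
        notes = []
        # A third-party script without SRI can be swapped out by whoever controls the vendor host.
        if tag == "script" and cls != "first-party" and "integrity" not in attrs:
            notes.append("no SRI integrity attribute")
        # Plaintext transport lets an on-path attacker alter the resource in transit.
        if parsed.scheme == "http":
            notes.append("loaded over plaintext HTTP")
        report.append({"tag": tag, "host": host, "url": url, "class": cls, "notes": notes})
    return report


def unapproved_hosts(report):
    """Hosts that need a block/remediate decision, sorted for stable output."""
    return sorted({r["host"] for r in report if r["class"] == "unapproved-third-party"})


# Constructed sample page: two first-party loads, one approved vendor, three unknown hosts.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://tag.analytics-vendor.example/t.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://widget.chat-vendor.example/w.js"></script>
<link rel="stylesheet" href="https://fonts.some-cdn.example/f.css">
<iframe src="http://ads.unknown-network.example/frame"></iframe>
</head><body></body></html>"""
SITE_DOMAIN = "shop.example"                                   # constructed first-party domain
ALLOWLIST = {"analytics-vendor.example", "payments-vendor.example"}  # constructed vendor list

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, SITE_DOMAIN, ALLOWLIST)
    for r in report:
        flags = "; ".join(r["notes"]) or "-"
        print(f"{r['class']:<24} {r['tag']:<7} {r['host']:<35} {flags}")
    print("unapproved hosts:", unapproved_hosts(report))
```

Run on the sample, the report marks the relative and `cdn.shop.example` loads as first-party, the analytics tag as an approved vendor with SRI in place, and three hosts as unapproved, with the chat widget flagged for lacking SRI and the ad iframe for loading over HTTP. In production the allowlist is the output of the vendor audit described above, and the unapproved list is the work queue for blocking or remediation.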
On average, 90% of the code across your websites and mobile applications will be provided by third parties. Although third-party code delivers a richer user experience and drives revenue for your business, when left unmanaged it represents a risk to your organization and customers through the following activities:
Weaponization of third-party code occurs when third-party code is used to perform unauthorized, malicious or illegal functions on the website or mobile application that hosts it. Weaponized third-party code may steal information from a user for resale on digital black markets, load malicious payloads with the purpose of extracting information from the user’s device, redirect the user to a phishing site, track them across the Internet, and more.
A third-party data breach occurs when user data from an organization’s website or mobile app is either stolen or improperly stored by a third-party entity, and subsequently exposed. Data stolen in a third-party data breach is sometimes sold to malicious actors, or to another third party; other times, it is exposed in a non-encrypted, unprotected format through negligence on the part of the third party. A famous example of a third-party data breach is the Facebook breach of 2019, when “At the Pool” (a third-party Facebook app) exposed the plaintext (unprotected) passwords of 22,000 users, contributing to a much larger breach that impacted 540 million users.
In the context of cybersecurity, a third-party entity is any business, developer or organization that contributes code or assets to another business outside of an affiliate relationship. Third-party entities often serve as vendors for websites and mobile applications, providing digital assets that power monetization features, personalization and user experience.
Third-party software is software created, leased to, or otherwise authorized for an organization’s use by an outside entity not directly affiliated with the organization itself. When mobile phone manufacturers such as Apple or Microsoft operate an app store, most if not all of the apps are created, controlled and provided by third-party entities. Although an organization may impose terms on the third party, it exercises no direct control over the design or functionality of its third-party software.
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.