Digital Third-Party Code FAQs

What is digital third-party code?

Third-party code or digital third-party code (Digital 3PC) refers to code and assets running on a website or domain which are owned and operated (O&O) by one or more third-parties, and not by the domain itself.

Third-party code helps to enhance user experience across your online properties, but left unmanaged it can also constitute a risk to their safety. On average, 90% of the code across websites and mobile apps is operated by a third-party, and up to 3% of that code may serve malicious functions.

What are examples of digital third-party code?

Examples of digital third-party code include the assets which drive programmatic advertising, content personalization, analytics, software plugins, payment and shopping cart functionality, content management and hosting providers, CRM and data management platforms, online chat platforms, and video and image libraries.

How is revenue impacted by digital third-party code?

Because digital third-party code drives advertising and monetization features and facilitates user experience through advanced web functionality, today it is essential to the revenue of any business that depends on the web for a substantial part of its marketing and income generation.

Left unmanaged, third-party code can also serve as a vehicle for malware attacks, malicious redirects, unauthorized data collection that violates U.S. and international privacy legislation, and more. This represents a threat to revenue in the form of fines, lawsuits and slower performance, which leads to cart abandonment and higher bounce rates.

Today, the hefty fines imposed by privacy legislation, such as GDPR and CCPA, and the high cost of responding to a data breach make third-party code one of the most underestimated risks to business revenue in the digital ecosystem.

What is third-party risk?

Digital third-party risk is defined as the likelihood that third-party code will negatively impact your business by disrupting user experience across your websites and mobile applications, breaching your clients’ security, or putting your business in violation of data privacy laws such as GDPR and CCPA.

What is third-party risk management?

Third-party risk management encompasses the protocols an organization uses to oversee the digital third-party code operating on its websites and mobile apps, to mitigate risk, and to communicate user consent to third parties. Third-party risk management includes inventory (discovery and classification of all the code operating across websites and mobile apps), measuring and enforcing compliance across third-party vendors, and blocking or remediating malicious activity.

How do I mitigate the risk of third-party code?

The best way to mitigate risk from third-party code is to be aware of who and what is operating across your organization’s digital properties. This includes following strict third-party risk management guidelines, continually monitoring the activities of third-party code across your websites and mobile apps, and routinely auditing your third-parties for safety and compliance. To validate the safety of your business partners, you must ensure that they are compliant with data privacy legislation including GDPR and CCPA, and remove/block non-compliant code whenever it is discovered.
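
The inventory step described above (discover which hosts serve code and assets on a page, then classify each against the vendors you have approved) can be illustrated with a short script. This is an added example, not part of the original FAQ or any vendor's tooling; the host names, the approved-vendor list and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute through which each one references a remote resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

# Constructed sample page; every host name below is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<link rel="stylesheet" href="https://assets.shop.example/site.css">
</head><body>
<iframe src="https://ads.adnetwork.example/slot?id=1"></iframe>
<img src="//pixel.tracker.example/p.gif">
<script src="https://chat.vendor.example/widget.js"></script>
</body></html>
"""

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.found.append((tag, url))

def is_under(host, domain):
    # Exact match or a true subdomain; "evilshop.example" is not under "shop.example".
    return host == domain or host.endswith("." + domain)

def inventory(html, first_party, approved):
    """Classify every referenced resource host as first-party, approved or unapproved."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {"first_party": [], "approved": [], "unapproved": []}
    for tag, url in collector.found:
        # Relative URLs carry no host and are served by the site itself.
        host = (urlparse(url).hostname or first_party).lower()
        if is_under(host, first_party):
            bucket = "first_party"
        elif any(is_under(host, d) for d in approved):
            bucket = "approved"
        else:
            bucket = "unapproved"
        report[bucket].append((tag, host))
    return report

REPORT = inventory(SAMPLE_HTML, "shop.example", {"analytics.example", "vendor.example"})
```

A static pass like this only sees resources declared in the markup; code that an approved script loads at runtime does not appear in it, which is why the continual monitoring mentioned above is still needed.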

What are the risks of third-party code to your website?

On average, 90% of the code across your websites and mobile applications will be provided by third-parties. Although third-party code facilitates maximum user experience and drives revenue for your business, when left unmanaged it represents a risk to your organization and customers through the following activities:

  • Increase aggregate load times during user sessions which can result in lost sales, readership and decreased brand loyalty
  • Expose credit card details and other sensitive financial data to hackers
  • Download unwanted and potentially malicious “bloatware” onto a client’s device, including toolbars and browser extensions
  • Reveal saved user preferences to competitors through third-party tracking cookies and device fingerprinting
  • Deliver malware to customers during their site visits or through mobile apps
  • Hijack customers and redirect them to competitors or malicious landing pages and phishing sites
  • Cause data privacy and compliance violations that can lead to fines, lost revenue and even lawsuits

How is third-party code weaponized?

Weaponization of third-party code occurs when third-party code is used to perform unauthorized, malicious or illegal functions on the website or mobile application which hosts it. Weaponized third-party code may steal information from a user for resale on digital black markets, load malicious payloads with the purpose of extracting information from the user’s device, redirect the user to a phishing site, track them across the Internet and more.

What is a third-party data breach?

A third-party data breach occurs when user data from an organization’s website or mobile app is either stolen or improperly stored by a third-party entity, and subsequently exposed. Data stolen in a third-party data breach is sometimes sold to malicious actors, or to another third party; other times, it is exposed in a non-encrypted, unprotected format through negligence on the part of the third party. A famous example of a third-party data breach is the Facebook breach of 2019, when “At the Pool” (a third-party Facebook app) exposed 22,000 plaintext (unprotected) user passwords, contributing to a much larger breach that impacted 540 million users.

What is a third-party entity?

In the context of cybersecurity, a third-party entity is any business, developer or organization that contributes code or assets to another business outside of an affiliate relationship. Third-party entities often serve as vendors for websites and mobile applications, providing digital assets that power monetization features, personalization and user experience.

What is third-party software?

Third-party software is software created, leased to or otherwise authorized for an organization’s use by an outside entity not directly affiliated with the organization itself. When mobile phone manufacturers such as Apple or Microsoft operate an app store, most if not all of the apps are created, controlled and provided by third-party entities. Although an organization may impose terms on the third party, it exercises no direct control over the design or functionality of its third-party software.

More FAQs from the Digital Ecosystem Authority

Dangers Third-party Code is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.