Our digital world is held together by “code” – the software that creates everything from operating systems (OS) that run our computers, mobile devices and virtually every other piece of hardware to smart watches to Amazon’s Alexa. But on top of that code is more software, which builds the apps that run on top of it.
There is no single universal OS – Microsoft, Google and Apple each has developed its own respective digital ecosystems, which are supported by an endless stream of apps made by third parties. The same holds true online, where websites are rarely built by one programmer nor one vendor. Instead each website is made up of layers of code upon code.
“Nobody builds an application from bare silicon up anymore. The overwhelming volume of code comprising some company’s product will have been written by some other outfit(s) entirely,” explained Jim Purtilo, associate professor of computer science at the University of Maryland.
According to research from the digital risk management firm The Media Trust, 65-95% of code on a typical consumer-facing website is developed by third parties. Beyond GitHub and libraries, enterprises increasingly rely on third-party code to provide the infrastructure and functionality necessary to deliver the features today’s consumers demand. Websites of all sizes then use this code for ads, analytics, retargeting and more – but in some cases the code can also be used for nefarious purposes, such as tracking consumer behavior and preferences.
While that may seem straightforward – if still not slightly creepy – this code could be used to track IP addresses, email addresses and when paired with geo-tracking could even pinpoint one’s location in real time!
Other concerns are that some scripts can cause poor performance on a website. This can result in pages that run slower – something that can impact a consumer’s desire to use the site. But the code can even change the layout and impact the look of a page in unexpected ways.
Even more worrisome is the fact that bad code can create gateways or other vulnerabilities that bad actors can exploit to gain access to an otherwise secure computer or network.
“Every application relies on operating system services in order to operate on files, access the network or interact with users; those services were implemented by thousands of programmers spanning hundreds of companies,” added Purtilo. “That right there leaves exposure, since an aggressor only needs to find a vulnerability in one of those suppliers’ wares in order to attack.”
Trust Since We Can’t Verify
Many consumers may agree to have their digital movements tracked – often whether they know it or not. Any time someone accepts the cookies on a website, it essentially provides consent for the site to collect one’s personal data.
This can be a problem because even if the site agrees not to utilize the data without user consent, many tracking scripts also don’t sanitize data properly. That enables bad actors to inject code into a legitimate website, which could be used to steal personal data including credit card numbers, addresses and other personal information.
Other times third-party scripting can result in cross-site scripting flaws, which could be merely annoying such as activating pop-up boxes, but it can result in something far more insidious, such as redirecting users to a malicious website. In extreme cases third party code can contain ransomware that can lock a user’s device.
Ideally this shouldn’t occur – websites should manage third-party code the way a home builder would vet the contractors and subcontractors that take on various jobs. Yet, realistically this is all but impossible.
“We’d like to inspect all code that is incorporated into our products, but in reality, the complexity of this task is enormous,” said Purtilo. “It is also not possible in some cases since the source needed to fully understand many services is intellectual property which is not published – we can use the services, but we can’t study how they were constructed. Choose libraries carefully – we must trust since we can’t always verify.”
Attack Vector
Ideally both internal and third-party components and applications should be subject to the same level of security verification. Too often third-party code simply isn’t tested and this creates the weakest links, which then become the “attack vendor” used by the bad actors.
“Defects and vulnerabilities seeded in code bases are unfortunately a common attack vector,” said Purtilo. “In a recent study, two of my students examined open source packages written in Python, a popular programming language, and found thousands of widely-used programs routinely incorporated vulnerabilities from these libraries.”
Purtilo said that it impacted web services, mobile apps and more, which was quite a broad exposure.
“We’re in the process of researching a security-aware package manager to assist developers in making better-informed decisions about use of third party software, though the work is still early,” he added.
Brand Responsibility
Many major brands have been hacked in recent years. Among those was the October 2017 breach of Equifax, one of the nation’s largest credit reporting companies, which exposed the records of more than 145 million Americans. We remember the Equifax breach even if we don’t generally remember that there were two distinct incidents. The first was the compromised Mongo database. Then, as part of the Equifax crisis communication strategy, their credit reporting request website was caught with compromised third-party code called Fireclick that provided analytics services. Once Fireclick was compromised, each site downstream became suspect – but today most people remember this as the Equifax breach and few have ever heard of Fireclick!
Too often, third-party code isn’t adequately tested to ensure it protects user data, and when a breach occurs the brand will be held responsible not the third-party code, even if it was at fault.
“You have to assure the code,” said technology industry analyst Rob Enderle of the Enderle Group. “Otherwise, any breach will come back on whoever decided to use it,” added Enderle. “If you can’t vet third party software, you shouldn’t use it.”
Final Code
The world runs on third-party code. It can provide powerful functionality that might otherwise not be available. Third party code can result in upfront monetary savings, as the cost of developing software in-house by a team can be far higher than purchasing out-of-the-box solutions. However, the rewards need to be weighed against the risks, including those of performance, privacy and security.