Bryan Grillo
CHEN PR for Source Defense

First-of-its-Kind Report Sizes Massive “Shadow Code” Risk for World’s Largest Businesses

Third-party digital supply chains from retail to healthcare expose all to major potential security and privacy compliance breaches; financial services most exposed and exceeding average external code on sensitive pages by nearly 60%.

ROSH HA’AYIN, Israel and NEW HAVEN, Conn., May 25, 2022 Source Defense, a pioneer in web application client-side protection, today announced the results of a study, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties, that for the first time sizes the security, privacy, and compliance risks that are literally designed into the digital supply chains of major business websites. This risk, originating from highly dynamic and unpredictable scripts and code from third parties and beyond, permeates every aspect of a business’s web presence. On the whole, this report sheds light on a woefully underestimated risk that most famously resulted in the theft of financial and personal information for more than 400,000 British Airways passengers in 2018, and resulted in the largest fines ever from the British Information Commissioner’s Office (ICO).

Organizations collecting sensitive information, enabling business transactions or conducting commerce through their web properties, are under a constant risk of attack. The pace of adversarial activity is only increasing as retail and e-commerce companies enjoy exponential growth, as travel and lodging needs increase post-pandemic, and as healthcare and financial services transactions move more critical and sensitive functions online.

The top line report findings discovered an average of 15 externally generated scripts on each site, with an average of 12 scripts specifically on sensitive pages. Financial services was the most exposed vertical, with nearly 60% more scripts on average resident on sensitive pages, and double the number per page overall, with triple the amount of fourth-party scripts. The data comes from an analysis of 4,300 of the world’s largest websites across the most prevalent verticals during the first quarter of 2022 to identify both security and compliance issues lurking within the website digital supply chain. The company mapped the concerning sprawl of third- and fourth-party scripts across each website, on individual pages – including sensitive pages that come in contact with PII, financial data, etc. – and the usage and variance across the most prevalent verticals.

“While retail and credit card breaches grab the most headlines, this is a pervasive and relatively unchecked risk to both security and privacy across all verticals,” said Dan Dinnar, CEOof Source Defense. “It’s also a fast-growing and extremely volatile issue with regard to sensitive data. Organizations and their digital supply chain partners are constantly updating sites and code, and the data of greatest value to malicious actors is collected on the pages where the business has the greatest need for analytics, tag management, and other tracking and management capabilities.”

Extensive libraries of third-party scripts are available free, or at low cost, from a range of communities, organizations, and even individuals, and are extremely popular as they allow development teams to quickly add advanced functionality to applications without the burden of creating and maintaining them. These packages also often contain code from additional parties further removed from – and farther out of the purview of – the deploying organization. Making matters worse, they operate remotely from a server belonging to the third party, to provide everything from social media connections to marketing tracking/analytics. If a script has been compromised, the shadow code comes with it and goes straight to the browser without organizational defenses able to detect it. From there, scripts can exfiltrate data to remote servers, redirect users to malicious websites, or lay the groundwork for formjacking, digital skimming, and credential harvesting attacks.

In analyzing the potential external script threat surface, Source Defense found additional risks including:

  • Nearly half of all sites (49%) had external code present with the ability to retrieve form input and “listen” to user button clicks, and more than one in five sites had external code with the ability to modify forms.
  • On average, one in four of all scripts represented fourth-party code, as did every one in five scripts on individual pages.
  • Per page, analysis found an average of five scripts, with at least one a fourth-party script. The number was much larger on sensitive pages, at an average of 12 external scripts in contact with everything from credentials to account and financial details.
  • The two most exposed verticals were financial services and healthcare, with an average of 16 and 13 third-party scripts, and 6 and 5 fourth-party scripts, respectively. And on sensitive pages, analysis found an average of 19 scripts in financial services and 14 scripts in healthcare.

For more information, please download the Source Defense report.

About Source Defense

Source Defense is a security and compliance platform for any website that collects sensitive data or is transaction-oriented. It addresses a ubiquitous gap in the management of third-party digital supply chain risk with a zero-trust model that extends security beyond the network to the client-side. As the market leader in web application client-side protection, Source Defense provides real-time threat detection, protection, and prevention of vulnerabilities originating in JavaScript. The patented Source Defense Platform offers the most comprehensive and complete solution to address threats and risks originating from the increased use of JavaScript, third-party vendors, and open-source code in websites today.

The Source Defense solution is deployed by leading Fortune 500 enterprises in the financial services, retail, e-commerce, and healthcare markets. Headquartered in Israel with branches across the U.S. and a strong community of global valuable partnerships, Source Defense is the most innovative, reliable, and trusted partner in the fight against client-side attacks. For more information, please visit

All product and company names herein may be trademarks of their respective owners.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.