The Rise of Shadow Code

Shadow Code is the software development equivalent of Shadow IT. In Shadow IT, employees use cloud services and software that is not approved, monitored or supported by IT. Shadow IT can range from unauthorized SaaS subscriptions to AWS cloud servers spun up on a credit card without oversight or compliance.

Shadow Code is third-party software code that developers include in applications, sometimes without approval or any security validation. They do this because it is usually quicker than writing the functionality from scratch. The particular piece of Shadow Code may solve a problem more precisely, or it may appear to be a better fit with other application components. Typical examples are shopping cart software, payment systems and responsive design components. Sometimes developers also mistakenly include a fake package whose name closely resembles that of a legitimate one (this is referred to as typosquatting).

In truth, Shadow Code has been around since the dawn of software. Most code is useful in more than one application, so the reuse and copying of code has naturally been a long-accepted practice. What has recently changed is the volume of third-party code in use and the increasingly critical role that these third-party libraries play in applications. Front-end applications, like websites, mostly consist of third-party code – in some cases more than 70%. The primary form of third-party code used today is JavaScript libraries, although third-party code is used in all other modern languages, including Ruby, Python and Golang. For websites, developers use third-party JavaScript libraries for almost all sensitive jobs, including processing payment information, customer logins and more. Numerous SaaS providers (including PerimeterX) use JavaScript to extend application functionality out to customer websites. A big portion of JavaScript library usage, however, is for more mundane tasks like form validation, providing the correct date and time, and font delivery.

These third-party libraries and tools can also make up a considerable percentage of the middleware code that connects the front-end to the back-end databases and core application servers. Package managers allow websites to download many libraries or packages at once and keep them all maintained through a centralized service.
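A first step toward getting front-end Shadow Code under control is simply knowing which third-party scripts a page loads. The following is an added example, not code from the original post or from PerimeterX: it inventories every external `<script src>` in a page against a site's approved-host list and flags both unknown hosts and lookalike hosts whose names differ from an approved one by a couple of characters (the typosquatting pattern described above). All hostnames and the sample page are constructed placeholders.

```javascript
// Levenshtein edit distance (single-row DP), used to spot lookalike hostnames.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}
// Classify each <script src=...> as first-party, approved, lookalike-of:<host> or unapproved.
function inventoryScripts(html, approvedHosts, pageHost) {
  const approved = new Set(approvedHosts);
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const report = [];
  let match;
  while ((match = scriptTag.exec(html)) !== null) {
    const src = match[1];
    let host; // resolve relative src against the page's own origin; skip malformed ones
    try { host = new URL(src, `https://${pageHost}/`).hostname; } catch (e) { continue; }
    let status = "unapproved";
    if (host === pageHost) status = "first-party";
    else if (approved.has(host)) status = "approved";
    else {
      const near = [...approved].find((h) => levenshtein(h, host) <= 2);
      if (near) status = `lookalike-of:${near}`;
    }
    report.push({ src, host, status });
  }
  return report;
}
// Constructed sample page and allowlist; the hostnames are placeholders.
const PAGE_HOST = "shop.example";
const APPROVED_HOSTS = ["cdn.approved-vendor.example"];
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.approved-vendor.example/lib.js" defer></script>
<script src="https://cdn.aproved-vendor.example/lib.js"></script>
<script src="https://widgets.unknown-saas.example/chat.js"></script>
</head><body></body></html>`;
console.log(inventoryScripts(SAMPLE_HTML, APPROVED_HOSTS, PAGE_HOST));
```

In a real deployment the approved list would come from the site's vetted vendor inventory, and the script could run against rendered pages in CI to catch new or changed third-party includes before they reach production.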