Managing Shadow Code & the Blind Side in 3rd Party Risk – Stephen Ward – PSW #733

With all of your focus and investment on 3rd party risk management, there is likely still a blind-side that remains unaddressed. It is an area that should be moved to the top of your priority list – both for its potential to cause material losses in the form of response costs and fines and judgements, and for the ease in which it can be mitigated. It is a risk introduced by the 3rd party vendors you rely upon (and the nth parties they work with) to power and enhance your website. The threat of JavaScript based attacks – click-jacking, digital skimming, formjacking, defacement, “Magecart” – exists for any organization collecting sensitive data or conducting transactions through their web properties. Attacks of this type have done damage to some of the biggest brands in the world – costing household names like British Airways tens of millions – and they happen by the hundreds per month. Already in 2022, we’ve seen headlines of major client-side attacks like the one that hit Segway – potentially impacting nearly a million consumers.

This is an area of exposure introduced through your own code, and by your partners, that can only be addressed at the client-side. It remains widely unaddressed, as focus in website security to this point has been on securing the server side.

Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons of each.

Segment Resources:

Our core whitepaper

Blog on the blind side topic

Free risk report on attendee’s web properties

This segment is sponsored by Source Defense. Visit to learn more about them Visit for all the latest episodes!

Full Episode Show Notes

Managing Shadow Code & the Blind Side in 3rd Party Risk


Stephen Ward

Stephen Ward – CMO at Source Defense

Stephen Ward is CMO at Source Defense – the pioneer in client-side security. He has been with the firm since late 2021 and is responsible for all aspects of go to market. Stephen is a serial cyber security entrepreneur with a 25-year long career in Marketing. In his career, he has been fortunate enough to work for some of the most innovative, category creating companies in our space. He helped bring forensics to the forefront in his time at NetWitness, helped drive change in endpoint security while at Invincea, brought threat intelligence to the mainstream while at iSight Partners, drove real change in OT/ICS security while at Claroty, helped create the cyber risk quantification market while at RiskLens and through his work with the FAIR Institute. Don’t hold his title against him – he’s more than a Marketing person – he’s been dedicated to driving better outcomes for the good guys in cyber security for the majority of his career.


Josh Marpet

Josh Marpet – Executive Director at RM-ISAO


Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Paul Asadoorian

Paul Asadoorian – Founder at Security Weekly


Paul Asadoorian is the founder of Security Weekly, which was acquired by CyberRisk Alliance. Paul spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.


  • Don’t miss any of your favorite Security Weekly content! Visit to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!