Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Consider the following cybersecurity breaches – all from within the past three months: GitHub, the leading cloud-based source control service, discovered that hackers capitalized on stolen OAuth tokens issued to third-party applications to download data from dozens of customer accounts; Mailchimp, a leading emarketing company, found a data breach where hundreds of customer accounts were compromised using stolen API keys; and Okta, the leading workforce authentication service, left 366 corporate customers vulnerable after hackers exploited a security breach to gain access to internal networks.
These three incidents have one thing in common – they were all service supply chain attacks, meaning breaches in which the attackers took advantage of access granted to third-party services as a backdoor into the companies’ sensitive core systems.
Why this sudden cluster of related attacks?
As digital transformation and the surge in cloud-based, remote or hybrid work continues, companies are increasingly weaving third-party applications into the fabric of their enterprise IT to facilitate productivity and streamline business processes. These integrated apps increase efficiency throughout the enterprise – thus their sudden rise in popularity. The same is true for low-code / no-code tools, which allow non-coding “citizen developers” to create their own advanced app-to-app integrations more easily than ever before.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Security and IT teams want to support the business in the adoption of these new technologies to drive automation and productivity, but are increasingly understaffed and overburdened. The rapid rise of new integrations between third-party cloud apps and core systems puts pressure on traditional third-party review processes and security governance models, which is overwhelming IT and security teams and ultimately creating a new, sprawling, largely unmonitored attack surface.
If these integrations proliferate without sufficient understanding and mitigation of the specific threats they pose, similar supply chain attacks are bound to keep happening. Indeed, in 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness.
Here’s why executives must confront this new generation of supply chain cyberattacks and how.
The third-party app promise – and problem
The proliferation of third-party applications is a double-edged sword – offering productivity, but also contributing to a sprawling new enterprise attack surface.
App marketplaces offering thousands of add-ons enable “non-technical” employees to freely and independently integrate various third-party apps into their individual work environments for the sake of their own productivity, organization and efficiency. Such adoption is driven by the rise of product-led growth, as well as individual employees’ desires to keep up with the quickening pace of work processes around them. For example, a marketing operations manager trialing a new SaaS prospecting tool might integrate it directly with Salesforce to automatically sync leads.
The same goes for engineering, devops and IT teams, who are increasingly authorizing third-party tools and services with access to their organization’s core engineering systems across SaaS, IaaS and PaaS to streamline development efforts and increase agility. Take, for example, an engineering team lead using a new cloud-based dev productivity tool that relies on API access to the GitHub source code repository or to the Snowflake data warehouse.
What complicates matters even more is the increasing popularity of low-code/no-code platforms and other integration platform-as-a-service (iPaaS) tools like Zapier, Workato and Microsoft Power App. The ease with which these tools enable anyone to create advanced integrations between critical systems and third-party apps makes this web of app integrations even more tangled.
These applications are often integrated by employees into their workflows without undergoing the rigorous security review process that usually happens when enterprises procure new digital tools, exposing companies to an entirely new attack surface for cyberbreaches.
And even if security teams could vet the security posture of each individual third-party app before employees integrate them with core systems like Salesforce, GitHub, and Office 365, vulnerabilities could persist that would offer malicious actors a clear path to accessing core systems. A recently disclosed GitHub Apps vulnerability demonstrates this risk; the exploit enabled privilege escalation that potentially granted excessive permissions to malicious third-party applications.
The promise of third-party integrations is great efficiency, productivity and employee satisfaction. However, the rate of third-party app adoption is skyrocketing without employees or IT teams fully understanding and having visibility into the security and compliance threats posed by this soaring number of third-party connections.
Where legacy solutions fall short
Existing security solutions can’t keep up with the rapidly-growing challenges of third-party app interconnectivity. Legacy approaches often address user (rather than application) access, as this was previously the primary threat vector. They also tend to focus on the vulnerabilities of standalone applications – not the connectivity between the apps – and are built to address limited environments, like SaaS business applications alone. These solutions were also intended to match a slower pace of cloud adoption, such that all third-party services could undergo a thorough, lengthy manual review process.
Today, as app-to-app connectivity proliferates rapidly, these solutions simply fall short, leaving improperly secured third-party connections open to potential attacks, data breaches and compliance violations. Such gaps leave the doors wide open for the type of service supply chain attacks we saw with GitHub, Mailchimp and Okta.
What immediate actions can CISOs take to improve their security posture?
CISOs can start by creating a one-stop inventory of every single third-party connection in the organization, across all environments – understanding all programmable access that may expose their critical assets and services. This overview must account not just for SaaS deployments, but all critical cloud environments as well.
It must also leverage contextual analysis to identify the actual exposure of each app’s connections. For example, one app might have many connections but only to a core system with low levels of permission, while another might have a small number of connections with highly privileged permissions. Each of these requires a different security approach and shouldn’t be lumped together. Here, CISOs should consider using “exposure scoring” – a standardized metric for rating the severity or impact of any third-party integration vulnerability – to evaluate the app-to-app connectivity landscape at a glance.
The next step is to detect the risks posed by every app in this inventory. CISOs must identify external connection threats, integration misuse, and other anomalies that might pose a threat. This can be challenging due to variations from one app to another, so security leaders must seek tools that can continuously monitor and detect threats across an array of apps.
In order to reduce the attack surface, security leaders should also assess the permission levels granted to each and every integration. This means removing or decreasing the permissions to any previously authorized OAuth applications, credentials and integrations that are no longer needed or are too risky – similar to the process of offboarding users who have left a company or a team.
CISOs should be considering questions like which over-privileged third-party integrations should be selectively restricted, and which should have less-permissive settings.
Finally, CISOs should manage the integration lifecycle of any third-party apps from the point of adoption onward. Security teams should seek out security tools to gain control over all app-layer access, set enforcement guardrails, and prevent policy drifts.
Securing the future of third-party apps
When third-party apps are integrated with companies’ core systems to boost productivity, they leave the entire system exposed to the risks of service supply chain attacks, data leakage, account takeover and insecure authorization.
Considering the API management market alone is expected to expand 35% by 2025, organizations must address the security risks posed by these applications sooner rather than later. The malicious attacks on Github, Okta and Mailchimp demonstrate just that – and serve as a warning to those yet unhacked and those seeking to avoid yet another breach.
Alon Jackson is CEO and cofounder of Astrix Security.