The recent onslaught of cyber-attacks on Okta, MailChimp, GitHub and others has shown organisations that third-party interconnectivity is now a liability. New research brings to light that Software-as-a-Service (SaaS) third-party integrations leave core business applications such as Microsoft 365, Google Workspace and Salesforce, and the business-critical data in them, open to supply chain attacks.
The research, conducted by YL Ventures and Valence Security, found that the average organisation has over 900 SaaS-to-SaaS third-party integrations and that nearly half (48%) sit unused, primarily because they are never properly offboarded after a failed proof-of-concept (PoC) exercise. Yoni Shohet, co-founder and CEO of Valence Security, said that both security practitioners and SaaS security vendors have lagged in their past efforts to address this threat vector.
In fact, in recent months attackers have been leveraging this growing attack vector, abusing SaaS-to-SaaS integrations as an easy way into the organisational supply chain. Citing the GitHub attack campaign as an example, Shohet said attackers were able to steal and abuse OAuth tokens issued to well-known vendors such as Travis CI and Heroku.
According to GitHub, the attackers leveraged the trust and high level of access granted to these reputable vendors to steal data from dozens of GitHub customers and their private repositories. With a considerable time gap between discovery, customer notification and remediation, many CISOs were left fretting that attackers may have been able to rapidly expand their reach and carry out broader attacks on their SaaS supply chains.
“The fact that nearly 50% of SaaS-to-SaaS third-party integrations sit abandoned should be a wake-up call for CISOs,” Shohet said. He added that such API and OAuth tokens significantly increase the risk of SaaS supply chain attacks.
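The practical counterpart to the "abandoned integrations" finding above is an inventory pass over the OAuth grants your SaaS tenants have issued, flagging tokens that have not been exercised in months or that carry broad scopes. The script below is an added example written for this page, not code from Valence Security, GitHub or any other party named here. It assumes you have already exported grant records from each provider's admin console or API into the simple `Grant` shape shown; the grant records, the 90-day staleness threshold and the scope risk weights are all constructed assumptions for illustration, though the scope names themselves follow GitHub and Google Workspace conventions.

```python
"""Triage SaaS-to-SaaS OAuth grants: find unused and over-privileged integrations.

Added example. All grant records below are constructed sample data, not real tenants.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Risk weight per scope. Names follow GitHub ("repo", "admin:org", ...) and
# Google Workspace (full URL) conventions; the weights are this example's
# assumption, not a vendor standard. Unknown scopes default to weight 1.
HIGH_RISK_SCOPES = {
    "repo": 3,        # read/write on every private repository the user can reach
    "admin:org": 3,   # manage organisation membership and settings
    "workflow": 2,    # modify CI workflow files
    "https://www.googleapis.com/auth/drive": 3,
    "https://www.googleapis.com/auth/gmail.readonly": 2,
    "read:user": 0,   # profile data only
    "user:email": 0,
}


@dataclass
class Grant:
    provider: str                 # platform that issued the token (GitHub, Google, ...)
    app: str                      # third-party integration holding the token
    scopes: list[str]
    created: datetime
    last_used: Optional[datetime]  # None: the token has never been exercised
    owner: str                    # who authorised it, for offboarding follow-up


@dataclass
class Finding:
    grant: Grant
    reasons: list[str] = field(default_factory=list)
    risk: int = 0


def scope_risk(scopes: list[str]) -> int:
    """Sum of scope weights; unknown scopes count 1 so they are never silently ignored."""
    return sum(HIGH_RISK_SCOPES.get(s, 1) for s in scopes)


def triage(grants: list[Grant], now: datetime,
           stale_after: timedelta = timedelta(days=90)) -> list[Finding]:
    """Return findings for stale and/or broadly scoped grants, worst first."""
    findings = []
    for g in grants:
        reasons = []
        # A never-used token is measured from the day it was granted.
        idle_since = g.last_used or g.created
        if now - idle_since >= stale_after:
            days = (now - idle_since).days
            reasons.append(f"unused for {days} days" if g.last_used
                           else f"never used in {days} days since grant")
        risk = scope_risk(g.scopes)
        if risk >= 3:
            broad = [s for s in g.scopes if HIGH_RISK_SCOPES.get(s, 1) >= 2]
            reasons.append("broad scopes: " + ", ".join(broad))
        if reasons:
            findings.append(Finding(g, reasons, risk))
    # Stale AND broad first: those are the abandoned tokens an attacker would most want.
    findings.sort(key=lambda f: (-len(f.reasons), -f.risk, f.grant.app))
    return findings


def revoke_candidates(findings: list[Finding]) -> list[Grant]:
    """Grants to revoke outright: anything stale, regardless of scope."""
    return [f.grant for f in findings
            if any(r.startswith(("unused", "never")) for r in f.reasons)]


# Constructed sample export (assumption: dates are UTC, as most provider APIs return them).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("GitHub", "ci-vendor-poc", ["repo", "workflow"],
          datetime(2022, 1, 10, tzinfo=timezone.utc), None, "alice"),
    Grant("GitHub", "code-review-bot", ["repo"],
          datetime(2021, 3, 1, tzinfo=timezone.utc),
          datetime(2022, 5, 30, tzinfo=timezone.utc), "platform-team"),
    Grant("Google", "calendar-sync", ["https://www.googleapis.com/auth/calendar.readonly"],
          datetime(2021, 8, 1, tzinfo=timezone.utc),
          datetime(2022, 5, 31, tzinfo=timezone.utc), "bob"),
    Grant("Salesforce", "analytics-trial", ["api", "refresh_token"],
          datetime(2021, 11, 1, tzinfo=timezone.utc),
          datetime(2022, 1, 15, tzinfo=timezone.utc), "carol"),
    Grant("GitHub", "oss-badge", ["read:user"],
          datetime(2022, 2, 1, tzinfo=timezone.utc),
          datetime(2022, 5, 20, tzinfo=timezone.utc), "dave"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_GRANTS, NOW)
    for f in results:
        g = f.grant
        print(f"[risk {f.risk}] {g.provider}/{g.app} (owner {g.owner}): " + "; ".join(f.reasons))
    print("revoke:", [g.app for g in revoke_candidates(results)])
```

Run against the sample data, the never-used PoC grant with `repo` and `workflow` scopes lands at the top, the live code-review bot is kept but listed for a scope review, and the stale Salesforce trial joins the revoke list even though its scopes are modest. The threshold and weights are the knobs to tune per tenant; the point is that "unused" and "over-privileged" are separate questions, and the intersection is where the GitHub-style token theft hurts most.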
The survey also found that 53% of respondents have no process to ensure proper correlation between third-party risk management and their integrations. While nine out of ten CISOs consider SaaS security important, 86% said they are unhappy with their current SaaS mesh visibility and risk-reduction solutions.
In its Cloud Threat Report of September 2021, cyber security firm Palo Alto Networks said that many organisations may have a false sense of security regarding their SaaS infrastructure and protection procedures, when in reality many are vastly unprepared for the threats they face.
Another survey, conducted by market research specialist Vanson Bourne for cloud security firm CrowdStrike, found that 45% of the organisations surveyed had fallen victim to a cloud supply chain attack in the previous 12 months. Yet many organisations still aren't doing enough to protect themselves. Globally, respondents estimated that detecting a cybersecurity incident took 146 hours, close to a week, last year, up from 117 hours in 2020.