URL: https://thenewstack.io/the-growing-security-risk-of-shadow-saas-integrations/

Shadow SaaS Integrations: A Growing Security Risk - The New Stack


How many integration points do you have in your core SaaS applications? It's more than you think, and it's a big security problem.
Sep 20th, 2022 10:00am by Yoni Shohet
Image via Pixabay.

The state of SaaS integration security has been top of mind for security practitioners of late, as SaaS-to-SaaS integrations are rapidly becoming a business reality. Organizations are leveraging SaaS efficiency and scalability, and interconnecting best-of-breed applications, just as malicious actors are using third-party integrations in increasingly sophisticated ways to execute high-profile attacks.

This growing interconnectivity creates a mesh of SaaS supply chain integrations, which grows with little or no security, visibility or governance. The nonhuman connections between applications are indiscriminate and are based on API connections and complex hyperautomation workflows — leading to unmanaged third-party access to the organization’s assets, over-provisioned privileges with no governance and a high-velocity exchange of data and privileges via an expanding network of indiscriminate and shadow connectivity.

From a security perspective, it’s an unmanaged and constantly growing risk surface, resulting in potential supply chain API-takeover attacks, consent phishing and OAuth abuse such as the SolarWinds attack campaign and others.

Shadow SaaS-to-SaaS Integration Report

In collaboration with YL Ventures and Panorays, Valence Security’s research team recently conducted an extensive survey to ascertain chief information security officers’ (CISOs) understanding of the extent of their SaaS security posture. Their responses were then compared to anonymized real-life data generated from Valence’s tenants and customers, and the gaps between CISO perception and reality were staggering.

The 2022 Shadow SaaS-to-SaaS Integration Report used these gaps and insights to ascertain CISOs’ ability to contend with SaaS risks and suggest what improvements can be made to help reduce them. Conversations I’ve had with prominent CISOs and leading security professionals on the results of our research present a pain point that is continuously on the rise.

Visibility into the Mesh

One of the most striking discoveries detailed in the report was the gap in a fundamental security aspect — the number of organizational SaaS-to-SaaS integrations.

While over half of the CISOs surveyed responded that their organizations have, at most, 200 integrations within their core SaaS applications, our data shows that the actual number is about five times their assessment.

When I discussed this eye-opening figure with Demi Ben-Ari, CTO and co-founder of Panorays, a tool provider for third-party security, he agreed that preliminary visibility and discovery of these integrations is a continuous challenge, with users not knowing that these integrations exist or how to track them. Astonishingly, our data shows that approximately 50% of these integrations are inactive or over-privileged in terms of the permissions that were granted to them.

Seventy-six percent of the CISOs we spoke with believe that their organization introduces up to 20 new integrations per month. In a typical tenant, however, our research revealed 73 new integrations per month. This is almost four times the number CISOs assumed.

Usually, these integrations are user driven. These users span all business units: engineering, sales, marketing, HR and others. The ease and business-forward approach of SaaS use now allow all users and teams to adopt their choice of SaaS applications and integrate them freely.

Compounding this fact is that visibility over SaaS integrations cannot be a point-in-time task, but organizations are overwhelmed by SaaS growth and sprawl and do not prioritize timely reviews. An entire contextual process should be in place for assessing integrations, the type of data flowing between them, the type of interaction and permissions they have, and what needs they serve. Context may change, and organizations have to be on top of this.

Scaling SaaS Security

This gap between CISOs’ perception of their security posture surrounding their SaaS integrations and the actual data will probably increase as SaaS use scales. Sounil Yu, CISO and head of research at security platform provider JupiterOne, said he sees this reality as a predicament to be managed — as prohibiting the use of SaaS applications altogether is not an option. One of the main misconceptions that led to this predicament is the longstanding reliance on the security mechanisms of SaaS applications and vendors, without ample consideration for the user’s own responsibility to configure, ensure and secure.

Methodologies for managing the risks associated with SaaS adoption vary, as the size, sector and maturity of organizations affect the way they choose to address this issue. It all comes down to choosing between disruption and acceleration. Sounil agrees that large enterprises with a smaller SaaS footprint can operate quite well with aggressive SaaS controls that limit and govern their use.

Smaller organizations that must move fast and scale rapidly, however, need the latest tools and capabilities to do so — and security teams must allow such flexibility. These are not decisions made solely by security teams. This predicament, as Sounil calls it, was created due to the value of SaaS as a business driver, alongside its risks as a supply chain attack surface. A balance between these characteristics is strikingly difficult to achieve.

SaaS Risks on the Rise

Malicious actors are exploiting these gaps, and their appetite has grown over the past two years amid high-profile attacks, most of which leveraged third-party vendors and supply chain access. Attackers quickly realized that integrations are the weakest link in organizational security postures and focused on them as a gateway.

In a GitHub attack campaign, for example, attackers were able to breach well-known third-party vendors with access to GitHub through OAuth integrations, steal their tokens and abuse them in order to gain unauthorized access to GitHub repositories — stealing sensitive data and access codes.

Supply chain risks involve more than just a breach in the customer’s environment. In this attack, GitHub wasn’t breached, but one of the third-party vendors with access to GitHub was. Supply chain attacks today are becoming more sophisticated: adversaries breach vendors with a widespread customer base not for the vendor’s own assets, but as a conduit to the vendor’s customers.

Once a high-profile attack is reported in the media, CISOs must rise up to the challenge of protecting both security and business interests.

The preliminary response entails questioning all distributed administrators and business units to ascertain if the attacked vendor is used in the organization, conducting post-breach incident response, undertaking a continuous inventory and performing risk assessments of the vendors involved as well as threat intelligence. The lack of a streamlined, automated process to answer the basic question — “Have we been breached?” — is concerning.

Ryan Gurney, CISO-in-residence at YL Ventures and a former CISO at Looker, shared with me that one of the primary mitigation strategies is validating your vendors. CISOs should make their third-party risk management (TPRM) questions targeted and contextualized, and target the “low hanging fruit” of unused tokens that can easily be revoked.

Vendor security controls aside, CISOs must consider what tools to use in order to minimize their attack surfaces as much as possible, so that when — not if — a breach occurs, the blast radius will also be minimal. Organizations must realize what their risks are and how big their impact is before they prioritize them and decide where they fit within their overall risk surface.
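The process described above (inventorying integrations, assessing what permissions and data flows they hold, revoking the “low hanging fruit” of unused tokens, and answering “is the breached vendor connected to us?”) can be driven from a single integration inventory. The following is an added example written for this page; it is not code from the article, from Valence Security or from any SaaS vendor. The inventory records, vendor names, user addresses and scope strings are all constructed for the example, and the set of “high-risk” scopes and the 90-day inactivity window are assumptions a team would tune to its own platforms.

```python
"""Triage a SaaS-to-SaaS integration inventory (added example, constructed data).

Two questions the article raises are answered from the same data:
  1. Which grants are inactive or over-privileged and should be revoked or reviewed?
  2. When a vendor is reported breached, what can that vendor reach in our tenant?
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed scope names. Real platforms name scopes differently; the point is that
# any grant holding a broad write/admin scope is treated as over-privileged
# until its business purpose has been reviewed.
HIGH_RISK_SCOPES = {"repo:write", "admin:org", "mail.readwrite", "files.all"}

# A grant not exercised in this window is considered inactive (assumed threshold).
INACTIVE_AFTER = timedelta(days=90)


@dataclass
class Integration:
    app: str                    # integration / OAuth app name
    vendor: str                 # third-party publisher of the app
    platform: str               # core SaaS platform the grant lives in
    scopes: set                 # permissions granted to the app
    last_used: Optional[datetime]  # None means the token has never been used
    granted_by: str             # user who consented to the integration


# Constructed inventory export: five grants across four core SaaS platforms.
NOW = datetime(2022, 9, 20, tzinfo=timezone.utc)
INVENTORY = [
    Integration("ci-runner", "ExampleCI", "GitHub", {"repo:write", "read:org"},
                NOW - timedelta(days=2), "alice@example.test"),
    Integration("slide-maker", "DeckCo", "Google Workspace", {"drive.readonly"},
                NOW - timedelta(days=120), "bob@example.test"),
    Integration("mail-sync", "SyncCorp", "Microsoft 365", {"mail.readwrite"},
                None, "carol@example.test"),
    Integration("lint-bot", "ExampleCI", "GitHub", {"repo:write"},
                NOW - timedelta(days=400), "dave@example.test"),
    Integration("crm-bridge", "SalesLink", "Salesforce", {"contacts.read"},
                NOW - timedelta(days=1), "erin@example.test"),
]


def is_inactive(item: Integration, now: datetime = NOW) -> bool:
    """A grant that was never used, or not used within INACTIVE_AFTER, is inactive."""
    return item.last_used is None or now - item.last_used > INACTIVE_AFTER


def is_over_privileged(item: Integration) -> bool:
    """A grant holding any high-risk scope is flagged for review."""
    return bool(item.scopes & HIGH_RISK_SCOPES)


def triage(inventory, now: datetime = NOW) -> dict:
    """Split the inventory into a revoke list, a review list and a flagged ratio.

    revoke: inactive grants (the easy wins the article calls low hanging fruit).
    review: active grants that still hold high-risk scopes; these need a human
            decision because the business may depend on them.
    """
    revoke = [i.app for i in inventory if is_inactive(i, now)]
    review = [i.app for i in inventory
              if not is_inactive(i, now) and is_over_privileged(i)]
    flagged = sum(1 for i in inventory if is_inactive(i, now) or is_over_privileged(i))
    return {"revoke": revoke, "review": review,
            "flagged_ratio": flagged / len(inventory) if inventory else 0.0}


def exposure_to_vendor(inventory, vendor: str) -> dict:
    """Answer the incident-response question for a named vendor.

    Returns which apps the vendor published, which platforms those apps are
    connected to, and the union of scopes the vendor's tokens could exercise.
    """
    hits = [i for i in inventory if i.vendor.lower() == vendor.lower()]
    return {
        "apps": [h.app for h in hits],
        "platforms": sorted({h.platform for h in hits}),
        "scopes": sorted(set().union(*(h.scopes for h in hits))),
        "granted_by": sorted({h.granted_by for h in hits}),
    }


if __name__ == "__main__":
    result = triage(INVENTORY)
    print("revoke:", result["revoke"])
    print("review:", result["review"])
    print(f"flagged: {result['flagged_ratio']:.0%} of grants")
    print("exposure to ExampleCI:", exposure_to_vendor(INVENTORY, "ExampleCI"))
```

The split between `revoke` and `review` matters in practice: inactive tokens can be revoked without asking anyone, while an active grant with broad scopes (here the CI runner with `repo:write`) needs the granting user in the loop, which is the engagement between security teams and end users the article argues for. Feeding a real export into `INVENTORY` requires only that each platform's last-used timestamp and scope list be mapped onto the `Integration` fields.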

Automating Remediation across the Mesh

Valence Security provides organizations with deep visibility into their web of SaaS integrations and the comprehensive risk reduction capabilities needed to mitigate this growing attack surface while supporting business needs. We offer a collaborative SaaS security remediation platform, automating remediation processes across the rapidly expanding mesh of third-party applications, integrations, users and data. Valence aims to drive engagement between security teams and end users, applying automated security workflows to reduce risk and enforce consistent security guardrails, without impeding the speed of SaaS adoption and usage.

Yoni Shohet is a serial cybersecurity entrepreneur and the co-founder and CEO of Valence Security. Prior to Valence, Yoni co-founded SCADAfence, a pioneer in industrial IoT cybersecurity. Yoni received his BSc in Mathematics at the age of 19 before serving...
TNS owner Insight Partners is an investor in: Valence, SolarWinds.