free counter
Tech

Third-party app attacks: Lessons for another cybersecurity frontier

Specialist technician professional engineer with laptop and tablet maintenance checking installing solar roof panel on the factory rooftop under sunlight. Engineers holding tablet check solar roof.

Image Credit: Thinkhubstudio/Getty

Were you struggling to attend Transform 2022? Have a look at all the summit sessions inside our on-demand library now! Watch here.


Think about the following cybersecurity breaches all from within days gone by 90 days: GitHub, the best cloud-based source control service, discovered that hackers capitalized on stolen OAuth tokens issued to third-party applications to download data from a large number of customer accounts; Mailchimp, a respected emarketing company,found a data breach where a huge selection of customer accounts were compromised using stolen API keys; and Okta, the best workforce authentication service, left 366 corporate customers vulnerable after hackers exploited a security breach to get usage of internal networks.

These three incidents have a very important factor in common these were all service supplychain attacks, meaning breaches where the attackers took benefit of access granted to third-party services as a backdoor in to the companies sensitive core systems.

Why this sudden cluster of related attacks?

As digital transformation and the surge in cloud-based, remote or hybrid work continues, companies are increasingly weaving third-party applications in to the fabric of these enterprise IT to facilitate productivity and streamline business processes. These integrated apps increase efficiency through the entire enterprise thus their sudden rise in popularity. Exactly the same holds true for low-code / no-code tools, which allow non-coding citizen developers to generate their very own advanced app-to-app integrations easier than previously.

Event

MetaBeat 2022

MetaBeat provides together thought leaders to provide help with how metaverse technology will transform just how all industries communicate and conduct business on October 4 in SAN FRANCISCO BAY AREA, CA.

Register Here

Security also it teams want to aid the business enterprise in the adoption of the new technologies to operate a vehicle automation and productivity, but are increasingly understaffed and overburdened. The rapid rise of new integrations between third-party cloud apps and core systems puts pressure on traditional third-party review processes and security governance models, that is overwhelming IT and security teams and ultimately developing a new, sprawling, largely unmonitored attack surface.

If these integrations proliferate without sufficient understanding and mitigation of the precise threats they pose, similar supply chain attacks are bound to help keep happening. Indeed, in 2021, 93% of companies experienced a cybersecurity breach of some sort because of third-party vendors or supply chain weakness.

Heres why executives must confront this new generation of supply chain cyberattacks and how.

The third-party app promise and problem

The proliferation of third-party applications is really a double-edged sword offering productivity, but additionally adding to a sprawling new enterprise attack surface.

App marketplaces offering a large number of add-ons enable non-technical employees to freely and independently integrate various third-party apps to their individual work environments with regard to their very own productivity, organization and efficiency. Such adoption is driven by the rise of product-led growth, in addition to individual employees really wants to match the quickening pace of work processes around them. For instance, a marketing operations manager trialing a fresh SaaS prospecting tool might integrate it directly with Salesforce to automatically sync leads.

Exactly the same applies to engineering, devops also it teams, that are increasingly authorizing third-party tools and services with usage of their organizations core engineering systems across SaaS, IaaS and PaaS to streamline development efforts and increase agility. Take, for instance, an engineering team lead utilizing a new cloud-based dev productivity tool that depends on API usage of the GitHub source code repository or even to the Snowflake data warehouse.

What complicates matters a lot more may be the increasing popularity of low-code/no-code platforms along with other integration platform-as-a-service (iPaaS) tools like Zapier, Workato and Microsoft Power App. The ease with which these tools enable one to create advanced integrations between critical systems and third-party apps makes this web of app integrations a lot more tangled.

These applications tend to be integrated by employees to their workflows without undergoing the rigorous security review process that always happens when enterprises procure new digital tools, exposing companies to a completely new attack surface for cyberbreaches.

And also if security teams could vet the security posture of every individual third-party app before employees integrate them with core systems like Salesforce, GitHub, and Office 365, vulnerabilities could persist that could offer malicious actors an obvious way to accessing core systems. A recently disclosed GitHub Apps vulnerability demonstrates this risk; the exploit enabled privilege escalation that potentially granted excessive permissions to malicious third-party applications.

The promise of third-party integrations is excellent efficiency, productivity and employee satisfaction. However, the rate of third-party app adoption is skyrocketing without employees or IT teams fully understanding and having visibility in to the security and compliance threats posed by this soaring amount of third-party connections.

Where legacy solutions flunk

Existing security solutions cant match the rapidly-growing challenges of third-party app interconnectivity. Legacy approaches often address user (instead of application) access, as this is previously the principal threat vector. In addition they tend to concentrate on the vulnerabilities of standalone applications not the connectivity between your apps and so are created to address limited environments, like SaaS business applications alone. These solutions were also designed to match a slower pace of cloud adoption, in a way that all third-party services could undergo an intensive, lengthy manual review process.

Today, as app-to-app connectivity proliferates rapidly, these solutions simply flunk, leaving improperly secured third-party connections available to potential attacks, data breaches and compliance violations. Such gaps leave the doors spacious for the sort of service supply chain attacks we saw with GitHub, Mailchimp and Okta.

What immediate actions can CISOs try enhance their security posture?

CISOs can begin by developing a one-stop inventory of each single third-party connection in the business, across all environments understanding all programmable access that could expose their critical assets and services. This overview must account not only for SaaS deployments, but all critical cloud environments aswell.

It must leverage contextual analysis to recognize the specific exposure of every apps connections. For instance, one app may have many connections but and then a core system with low degrees of permission, while another may have a small amount of connections with highly privileged permissions. Each one of these takes a different security approach and shouldnt be lumped together. Here, CISOs should think about using exposure scoring a standardized metric for rating the severe nature or impact of any third-party integration vulnerability to judge the app-to-app connectivity landscape instantly.

The next thing is to detect the risks posed by every app in this inventory. CISOs must identify external connection threats, integration misuse, along with other anomalies that may pose a threat. This is often challenging because of variations in one app to some other, so security leaders must seek tools that may continuously monitor and detect threats across a range of apps.

To be able to decrease the attack surface, security leaders also needs to measure the permission levels granted to every single integration. This implies removing or decreasing the permissions to any previously authorized OAuth applications, credentials and integrations which are no more needed or are too risky like the procedure for offboarding users who’ve left an organization or perhaps a team.

CISOs ought to be considering questions like which over-privileged third-party integrations ought to be selectively restricted, and that ought to have less-permissive settings.

Finally, CISOs should manage the integration lifecycle of any third-party apps from the idea of adoption onward. Security teams should look for security tools to get control over-all app-layer access, set enforcement guardrails, and stop policy drifts.

Securing the continuing future of third-party apps

When third-party apps areintegrated with companies core systems to improve productivity, they leave the complete system subjected to the risks of service supplychain attacks, data leakage, account takeover and insecure authorization.

Taking into consideration the API management market alone is likely to expand 35% by 2025, organizations must address the security risks posed by these applications eventually. The malicious attacks on Github, Okta and Mailchimp demonstrate that and serve as a warning to those yet unhacked and the ones wanting to avoid another breach.

Alon Jackson is CEO and cofounder of Astrix Security.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, like the technical people doing data work, can share data-related insights and innovation.

In order to find out about cutting-edge ideas and up-to-date information, guidelines, and the continuing future of data and data tech, join us at DataDecisionMakers.

You may even considercontributing articlesof your!

Read More From DataDecisionMakers

Read More

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker