Third-party app attacks: lessons for the next frontier in cybersecurity


Were you unable to attend Transform 2022? Check out all Summit sessions in our on-demand library now! Look here.

Consider the following cybersecurity breaches — all within the last three months: GitHub, the leading cloud-based source control service, discovered hackers were using stolen OAuth tokens issued to third-party applications to download data from dozens of customer accounts; Mailchimp, a leading e-marketing company, found a data leak where hundreds of customer accounts were compromised with stolen API keys; and Okta, the leading employee authentication service, left 366 corporate customers vulnerable after hackers exploited a vulnerability to gain access to internal networks.

These three incidents have one thing in common – they all were Attacks on the service chainie violations where the attacker used access to third-party services as a back door into the company’s sensitive core systems.

Why this sudden cluster of related attacks?

With ongoing digital transformation and increasing cloud-based, remote, or hybrid working, organizations are increasingly integrating third-party applications into their corporate IT fabric to increase productivity and streamline business processes. These integrated apps drive efficiencies across the enterprise—hence their skyrocketing popularity. The same goes for low-code/no-code tools that allow non-coding “citizen developers” to create their own advanced app-to-app integrations easier than ever.


MetaBeat 2022

MetaBeat will bring together thought leaders on October 4th in San Francisco, California to provide guidance on how Metaverse technology will transform the way all industries communicate and do business.

Register here

Security and IT teams want However, helping companies adopt these new technologies to drive automation and productivity are increasingly understaffed and overburdened. The rapid growth of new integrations between third-party cloud apps and core systems is putting pressure on traditional third-party review processes and security governance models, overwhelming IT and security teams and ultimately creating a new, sprawling, largely unobserved attack surface.

If these integrations proliferate without adequate understanding and mitigation of the specific threats they pose, similar supply chain attacks will inevitably take place. Indeed, in 2021, 93% of companies Has suffered a cybersecurity breach due to third party suppliers or supply chain vulnerabilities.

Here is why Executives must confront this new generation of supply chain cyberattacks how.

The third-party app promise—and problem

The proliferation of third-party applications is a double-edged sword – they provide productivity, but also contribute to a vast new attack surface for businesses.

App marketplaces with thousands of add-ons allow “non-technical” employees to freely and independently integrate various third-party apps into their custom work environment to boost their own productivity, organization, and efficiency. Such acceptance is fueled by the rise of product-driven growth, as well as the desire of individual employees to keep up with the accelerating pace of the work processes around them. For example, a marketing operations manager testing a new SaaS prospecting tool could integrate it directly with Salesforce to sync leads automatically.

The same is true for engineering, development, and IT teams, who are increasingly authorizing third-party tools and services with access to their organization’s core engineering systems via SaaS, IaaS, and PaaS to streamline development efforts and increase agility. For example, consider an engineering team lead using a new cloud-based development productivity tool that relies on API access to either the GitHub source code repository or Snowflake’s data warehouse.

Complicating matters further is the increasing popularity of low-code/no-code platforms and other platform-as-a-service (iPaaS) integration tools like Zapier, Workato, and Microsoft Power App. The ease with which these tools allow anyone to create advanced integrations between critical systems and third-party apps makes this web of app integrations even more tangled.

These applications are often integrated by employees into their workflows without going through the rigorous security vetting process that typically takes place when organizations acquire new digital tools, exposing organizations to a whole new target for cyber breaches.

And even if security teams could Reviewing the security posture of each and every third-party app before employees integrate them with core systems like Salesforce, GitHub, and Office 365 could leave vulnerabilities that would provide malicious actors with a clear path to access core systems. A recently announced Vulnerability in GitHub apps shows this risk; the exploit-enabled escalation of privilege that potentially granted excessive privileges to malicious third-party applications.

The promise of third-party integrations is great efficiency, productivity, and employee satisfaction. However, the rate of third-party app adoption is skyrocketing without employees or IT teams fully understanding and having visibility into the security and compliance threats posed by this increasing number of third-party connections.

Where legacy solutions fail

Existing security solutions cannot keep up with the fast-growing interconnectivity challenges of third-party applications. Legacy approaches often focus on user access (rather than application access) since that was previously the primary threat vector. They also tend to focus on the vulnerabilities of standalone applications – not connectivity between the apps – and are designed to address limited environments like SaaS business applications alone. These solutions were also intended to accommodate a slower pace of cloud adoption, allowing all third-party services to undergo a thorough, lengthy manual vetting process.

With app-to-app connectivity proliferating rapidly today, these solutions simply fall short, leaving inadequately secured third-party connections open to potential attacks, privacy breaches, and compliance violations. Such gaps leave the doors wide open for the kind of service chain attacks we’ve seen with GitHub, Mailchimp, and Okta.

What immediate actions can CISOs take to improve their security posture?

CISOs can start by creating a centralized inventory of every single third-party connection in the organization across all environments, and understand any programmable accesses that can expose their critical resources and services. This overview must not only consider SaaS deployments, but also all critical cloud environments.

It must also use context analysis to identify the real thing exposure of the connections of each app. For example, one app might have many connections but only to a core system with low privilege levels, while another might have a small number of connections with highly privileged privileges. Each of these requires a different security approach and should not be lumped together. This is where CISOs should consider using “exposure scoring” — a standardized metric to assess the severity or impact of vulnerabilities in third-party integrations — to assess the app-to-app connectivity landscape at a glance.

The next step is to identify the risks posed by each app in this inventory. CISOs need to identify external connection threats, integration abuse, and other anomalies that could pose a threat. This can be challenging due to variations from one app to another, so security leaders need to look for tools that can continuously monitor and detect threats above a bunch of apps.

To reduce the attack surface, security leaders should also evaluate the permission levels granted to each integration. This means removing or reducing permissions for any previously authorized OAuth applications, credentials, and integrations that are no longer needed or are too risky – similar to offboarding users who have left a company or team.

CISOs should consider which overprivileged third-party integrations should be selectively restricted and which settings should be less permissive.

Finally, CISOs should manage the integration lifecycle of all third-party apps from the moment of inception. Security teams should look to security tools to gain control over all app layer access, set policies for enforcement, and prevent policy deviations.

Secure the future of third-party apps

When third-party apps integrate with core business systems to increase productivity, they expose the entire system to the risks of service chain attacks, data leaks, account takeovers, and insecure authorizations.

Looking at the API management market alone, it is expected to grow 35% by 2025, organizations need to address the security risks posed by these applications sooner rather than later. The malicious attacks on Github, Okta, and Mailchimp show just that — serving as a warning to those who haven’t been hacked yet and those wanting to avoid another attack.

Alon Jackson is CEO and co-founder of Astrix Security.

data decision maker

Welcome to the VentureBeat community!

DataDecisionMakers is the place where experts, including technical staff, working with data can share data-related insights and innovations.

If you want to read about innovative ideas and up-to-date information, best practices and the future of data and data technology, visit us at DataDecisionMakers.

You might even consider contributing an article of your own!

Read more from DataDecisionMakers


Comments are closed.