SaaS Tools: Major Threat Vector for Enterprise Security
Enterprise Security Leaders Discuss How to Prevent and Mitigate SaaS Attacks

The growing reliance on third-party software and applications has enabled businesses worldwide to enhance operational efficiency, meet customer demand and lower infrastructure costs. But with cybercriminals targeting software supply chains to maximize their returns, security leaders must find ways to mitigate the risks of third-party applications embedded in their networks.
For example, NASCO, a healthcare technology company based in Atlanta, Ga., suffered a data security incident involving a SaaS application that enabled attackers to access the data of 1.6 million people.
Founded in 1987, NASCO develops digital health solutions for Blue Cross and Blue Shield companies that serve over 115 million members across all 50 U.S. states. The company reported in a filing with the Maine Attorney General that the incident compromised health and personal information, including diagnosis data, health insurance details, claims data and medical ID numbers, plus names, gender, dates of birth, addresses, phone numbers and Social Security numbers.
The breach was tied to NASCO's use of MOVEit Transfer, a file transfer application developed by Burlington, Massachusetts-based Progress Software. In late May, the Clop ransomware group exploited a zero-day SQL injection vulnerability in the application and quickly deployed a web shell on compromised servers to steal data from the underlying MOVEit Transfer databases.
NASCO wasn't alone. By December, an estimated 2,600 organizations, including 2,290 in the U.S., had suffered data breaches tied to the MOVEit vulnerability. German cybersecurity firm KonBriefing, which has tracked MOVEit compromises since May, said the breaches affected up to 90 million people.
SaaS Adoption Soars, So Do Risks
The potential for cyber actors to target SaaS vulnerabilities across supply chains is growing as organizations replace on-premises applications with SaaS to gain greater flexibility and scale.
SaaS applications are delivered over the internet, which means users do not have to install and maintain software themselves and can simply pay a subscription fee to use a web-based application. With SaaS providers taking responsibility for their application's performance, maintenance and security, purchasing software off the shelf and hiring developers to maintain it is less appealing to many organizations.
Though SaaS applications first hit the market in the late 1990s, the total number of SaaS applications in use worldwide grew tenfold between 2015 and 2023. Global spending on SaaS tools is expected to reach $317.5 billion in 2024. According to Fortune Business Insights, the global SaaS market may reach $1.2 trillion by 2032, a CAGR of 18.4%.
SaaS providers constantly update their applications' interface and functionality to meet end users' needs, but frequent updates and code changes can introduce misconfigurations and code vulnerabilities such as broken authentication, cross-site scripting, weak cryptographic hashes, SQL injection and LDAP injection.
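Two of the vulnerability classes named above, SQL injection (the class behind the MOVEit Transfer zero-day described earlier) and LDAP injection, share the same root cause: untrusted input is spliced into a query language as syntax rather than passed as data. The following is an added example, written for this article and not code from NASCO, Progress Software or any vendor mentioned here. It shows the weak form of each lookup next to the hardened form, using a constructed in-memory SQLite user table and an LDAP filter built as a string (no directory server is contacted). The table contents, usernames and the `demo()` helper are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table standing in for a
# SaaS application's user store. Usernames and hash values are placeholders.
SAMPLE_USERS = [
    ("alice", "hash-a", "admin"),
    ("bob", "hash-b", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: the caller's input is spliced into the statement text,
    so a value such as  ' OR '1'='1  rewrites the WHERE clause and the
    query returns every row instead of one."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the statement,
    so the database only ever compares it as data and never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# RFC 4515 escaping for values placed inside an LDAP search filter. Each
# character is mapped once, so the order of the table does not matter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape the characters that carry syntax inside an LDAP filter value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, escape: bool = True) -> str:
    """Build a filter meant to match exactly one person entry.

    With escape=False this is the vulnerable form: the input  *)(uid=*
    closes the uid clause early and adds a wildcard clause, so the filter
    matches every person in the directory.
    """
    if escape:
        username = ldap_escape_filter_value(username)
    return f"(&(objectClass=person)(uid={username}))"


def demo() -> dict:
    """Run a classic payload for each class through the weak and hardened paths."""
    conn = make_db()
    sql_payload = "' OR '1'='1"
    ldap_payload = "*)(uid=*"
    return {
        "sql_vulnerable_rows": lookup_vulnerable(conn, sql_payload),
        "sql_hardened_rows": lookup_hardened(conn, sql_payload),
        "ldap_vulnerable_filter": build_user_filter(ldap_payload, escape=False),
        "ldap_hardened_filter": build_user_filter(ldap_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints both rows for the vulnerable SQL lookup and an empty result for the parameterised one, and prints `(&(objectClass=person)(uid=*)(uid=*))` for the unescaped LDAP filter against `(&(objectClass=person)(uid=\2a\29\28uid=\2a))` for the escaped one. The point for a SaaS customer is that these defects live in the vendor's code: a tenant cannot patch them, which is why the controls discussed later (least privilege for the application's access, monitoring for vendor vulnerabilities, independent testing) matter.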
According to Cloud Security Alliance, up to 63% of security incidents at organizations are caused by SaaS misconfigurations, impacting 43% of organizations that use SaaS applications. With organizations storing personal and business-sensitive data on SaaS applications, any breach could lead to a major data leak.
The World Economic Forum highlighted in February the disproportionate impact of attacks exploiting SaaS vulnerabilities, stating that attacks on 87 SaaS companies in 2023 ended up affecting over one thousand organizations in the U.S. alone.
Considering that tens of thousands of organizations have suffered breaches caused by insecure coding practices on the part of software providers, do end users have any options for keeping their data secure even if third-party software integrated with their systems is hacked?
Mitigating SaaS Application Attacks
Lucius Lobo, chief information security officer at Tech Mahindra, one of India’s top IT consulting companies, told Information Security Media Group that organizations no longer have the option to stay away from SaaS. "Be it major organizations or startups, everyone needs SaaS for various tasks, be it payment processing, workforce management, resource planning or to scale operations. Big Tech has killed on-premises offerings. Organizations have little choice because everything is SaaS," he said.
When considering SaaS security risks, organizations have to take into account whether the SaaS provider is an established player or a startup, Lobo said. Established players have the resources to invest heavily in the security of their applications, and are less vulnerable to code injection attacks.
Organizations do not have the auditing powers to measure an established vendor's security credentials and have no recourse but to trust the vendor. But when it comes to dealing with smaller companies, organizations can scrutinize encryption and cloud security practices, evaluate supply chains, check for vulnerabilities in the application code and conduct frequent security assessments.
Lobo said many organizations today rely on services such as SecurityScorecard, UpGuard and similar vendors that track vulnerabilities in enterprise software and alert users, giving them the opportunity to patch third-party software before it is exploited.
Shankar Ramaswamy, solutions director at Bangalore-based IT consultancy giant Wipro, said organizations using third-party SaaS applications must focus on three major aspects: strengthen endpoint security, minimize the application's access to internal resources and replace passwords with multifactor authentication.
"If you’re dealing with an established vendor, you must ensure you have robust endpoint security in place to block malware attacks and implement the principle of least privilege to prevent malicious actors from conducting code injection attacks," he said.
Ramaswamy said organizations must also learn not to trust vendors' security claims and should regularly perform penetration tests and audits of third-party applications. At the same time, users must insist on knowing which cloud platform is used to host business-sensitive data. If the end user is a large organization, the best approach may be to host application data in its own cloud repository, he added.