Third-party app attacks: lessons for the next frontier in cybersecurity


Consider the following cybersecurity breaches, all from the past three months: GitHub, the leading cloud-based source control service, discovered that attackers used stolen OAuth tokens issued to third-party applications to download data from dozens of customer organizations; Mailchimp, a leading email marketing company, found that hundreds of customer accounts had been compromised using stolen API keys; and Okta, the leading employee authentication service, left 366 business customers exposed after attackers used a breach at a third-party support contractor to gain access to Okta's internal systems.

These three incidents have one thing in common: they were all service supply chain attacks, meaning breaches in which the attackers used the access granted to third-party services as a back door into the sensitive core systems of the victim companies.

Why this sudden cluster of related attacks?

As digital transformation and the proliferation of cloud-based, remote or hybrid work continue, companies increasingly weave third-party applications into the fabric of their corporate IT to boost productivity and streamline business processes. These integrated apps raise efficiency across the enterprise, hence their sudden rise in popularity. The same goes for low-code/no-code tools, which let non-coding "citizen developers" build their own advanced app-to-app integrations more easily than ever before.

Security and IT teams want to support the company in adopting these new technologies to drive automation and productivity, but are increasingly understaffed and overworked. The meteoric rise of new integrations between third-party cloud apps and core systems is putting pressure on traditional third-party assessment processes and security management models, overwhelming IT and security teams, ultimately creating a new, vast, largely uncontrolled attack surface.

If these integrations proliferate without adequate understanding and mitigation of the specific threats they pose, similar supply chain attacks will keep occurring. Indeed, in 2021, 93% of companies experienced some form of cybersecurity breach due to third-party suppliers or weaknesses in the supply chain.

Here is why executives must confront this new generation of supply chain cyber-attacks, and how.

The Third-Party App Promise – And Problem

The proliferation of third-party applications is a double-edged sword: it provides productivity, but also contributes to a vast new attack surface for businesses.

App marketplaces offering thousands of add-ons let "non-technical" employees freely and independently integrate third-party apps into their individual work environments for the sake of their own productivity, organization and efficiency. Such adoption is driven by the rise of product-led growth, as well as by individual employees' desire to keep up with the ever-faster pace of the work processes around them. For example, a marketing operations manager trying out a new SaaS prospecting tool can integrate it directly with Salesforce to sync leads automatically.

The same is true for engineering, devops and IT teams, who increasingly grant third-party tools and services access to their organization's core technical systems across SaaS, IaaS and PaaS to streamline development and increase agility. Take, for example, a technical team lead adopting a new cloud-based developer productivity tool that relies on API access to the GitHub source code repository or to the Snowflake data warehouse.

Complicating matters further is the growing popularity of low-code/no-code platforms and other integration platform-as-a-service (iPaaS) tools such as Zapier, Workato and Microsoft Power Apps. The ease with which anyone can build sophisticated integrations between critical systems and third-party apps with these tools makes the web of app integrations even more tangled.

Employees often integrate these applications into their workflows without the rigorous security assessment that usually accompanies a company's acquisition of a new digital tool, exposing the business to an entirely new attack surface.

Even if security teams could examine the security posture of every individual third-party app before employees integrate it with core systems such as Salesforce, GitHub and Office 365, vulnerabilities may remain that give malicious actors a clear path into those core systems. A recently disclosed GitHub Apps vulnerability demonstrates this risk: the flaw allowed privilege escalation that could grant excessive permissions to malicious third-party applications.

The promise of third-party integrations is greater efficiency, productivity and employee satisfaction. However, adoption of third-party apps is skyrocketing without employees or IT teams fully understanding the security and compliance threats posed by this rising number of third-party connections.

Where legacy solutions fall short

Existing security solutions cannot handle the rapidly growing challenges of third-party app interconnectivity. Legacy approaches often focus on user access (rather than on applications), as this was previously the primary threat vector. They also tend to focus on the vulnerabilities of standalone applications – not the connectivity between the apps – and are built to handle limited environments, such as just SaaS business applications. These solutions were also designed to accommodate a slower pace of cloud adoption so that all third-party services could undergo a thorough, lengthy manual review process.

With app-to-app connectivity growing rapidly these days, these solutions simply fall short, exposing improperly secured third-party connections to potential attacks, data breaches, and compliance violations. Such gaps leave the doors wide open for the type of service supply chain attacks we saw with GitHub, Mailchimp, and Okta.

What immediate actions can CISOs take to improve their security posture?

CISOs can start by building a single inventory of every third-party connection in the organization, across all environments, gaining visibility into all the programmatic access that could expose their critical assets and services. This overview should cover not only SaaS deployments but also every critical cloud environment.

It should also use contextual analysis to determine the actual exposure of each app’s connections. For example, one app may have many connections, but only with a core system with low permission levels, while another may have a small number of connections with very privileged permissions. Each of these requires a different security approach and should not be lumped together. Here, CISOs should consider using “exposure scoring” – a standardized measure for assessing the severity or impact of a third-party integration vulnerability – to evaluate the app-to-app connectivity landscape at a glance.

The next step is to detect the risks of each app in this inventory. CISOs must identify remote connection threats, integration abuse and other anomalies that could pose a threat. This can be challenging because apps vary so much from one to the next, so security leaders should look for tools that can continuously monitor and detect threats across a whole range of apps.

To reduce the attack surface, security leaders also need to assess the permission levels granted to each integration. This means removing or reducing permissions for previously authorized OAuth applications, credentials, and integrations that are no longer needed or are too risky — similar to the process of offboarding users who have left a company or team.

CISOs should consider questions such as which overprivileged third-party integrations should be restricted outright and which merely need less permissive settings.

Finally, CISOs must manage the lifecycle of each third-party integration from the point of adoption. Security teams should look for tools that control all access at the application layer, set enforcement guardrails, and prevent deviations from policy.
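As an added example (not code from this article or from Astrix), the following Python script carries out the review described in the steps above on a constructed inventory of third-party app grants: it scores each app's exposure from the permissions it holds and the criticality of the system it reaches, flags grants that have gone unused, finds grants holding scopes outside an allow-list, and provides the same allow-list check as an admission gate for new integrations. The app names, system names, scope names, weights and policy are all assumptions chosen for illustration.

```python
"""Exposure scoring and least-privilege review for third-party app grants.

Illustrative code added to this article; it is not Astrix's product or any
vendor's API. The inventory, scope names, weights and policy below are
constructed assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed weight per permission level; "repo:write" has level "write".
LEVEL_WEIGHT = {"read": 1, "write": 3, "admin": 5}

# Assumed criticality of each core system a third-party app can reach.
SYSTEM_CRITICALITY = {"github": 5, "snowflake": 5, "salesforce": 4, "slack": 2}

# Assumed policy: the only scopes an integration may hold on each system.
POLICY = {
    "github": {"repo:read"},
    "salesforce": {"leads:read", "leads:write"},
    "snowflake": {"warehouse:read"},
    "slack": {"chat:write"},
}


@dataclass(frozen=True)
class Grant:
    """One programmatic connection: an app's OAuth grant or API key on a core system."""
    app: str
    system: str
    scopes: tuple[str, ...]
    granted_by: str
    last_used: date


# Constructed sample inventory (not real data).
INVENTORY = [
    Grant("LeadSync", "salesforce", ("leads:read",), "mops-manager", date(2022, 8, 20)),
    Grant("LeadSync", "salesforce", ("leads:read",), "sdr-1", date(2022, 8, 22)),
    Grant("LeadSync", "salesforce", ("leads:read",), "sdr-2", date(2022, 8, 23)),
    Grant("LeadSync", "slack", ("chat:write",), "sdr-1", date(2022, 8, 23)),
    Grant("DevBoost", "github", ("repo:read", "org:admin"), "team-lead", date(2022, 8, 25)),
    Grant("OldReporter", "snowflake", ("warehouse:read",), "analyst", date(2022, 1, 10)),
]
TODAY = date(2022, 9, 1)


def scope_level(scope: str) -> str:
    """'repo:write' -> 'write'. An unrecognised level is treated as admin so a
    scope the reviewer has not classified never scores low by accident."""
    level = scope.rsplit(":", 1)[-1]
    return level if level in LEVEL_WEIGHT else "admin"


def grant_exposure(grant: Grant) -> int:
    """Strongest permission in the grant times the criticality of the system it
    reaches; an unknown system defaults to medium criticality (3)."""
    strongest = max((LEVEL_WEIGHT[scope_level(s)] for s in grant.scopes), default=0)
    return strongest * SYSTEM_CRITICALITY.get(grant.system, 3)


def app_exposure(grants: list[Grant]) -> dict[str, int]:
    """Total exposure per app, highest first. Many read-only connections can
    still score below a single admin grant on a critical system."""
    totals: dict[str, int] = {}
    for g in grants:
        totals[g.app] = totals.get(g.app, 0) + grant_exposure(g)
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def stale_grants(grants: list[Grant], today: date, max_idle_days: int = 90) -> list[Grant]:
    """Grants unused for longer than max_idle_days: revoke them, as you would
    offboard a user who has left."""
    return [g for g in grants if (today - g.last_used).days > max_idle_days]


def policy_allows(grant: Grant, policy: dict[str, set[str]]) -> bool:
    """Admission gate for new integrations: allow a grant only if every scope is
    on the allow-list for that system (a system with no policy admits nothing)."""
    return all(s in policy.get(grant.system, set()) for s in grant.scopes)


def overprivileged_grants(grants: list[Grant], policy: dict[str, set[str]]) -> list[tuple[Grant, tuple[str, ...]]]:
    """Existing grants holding scopes outside policy, paired with the excess
    scopes that should be removed or narrowed."""
    result = []
    for g in grants:
        if not policy_allows(g, policy):
            extra = tuple(s for s in g.scopes if s not in policy.get(g.system, set()))
            result.append((g, extra))
    return result


if __name__ == "__main__":
    print("exposure by app:", app_exposure(INVENTORY))
    for g in stale_grants(INVENTORY, TODAY):
        print(f"revoke stale: {g.app} on {g.system} (last used {g.last_used})")
    for g, extra in overprivileged_grants(INVENTORY, POLICY):
        print(f"restrict: {g.app} on {g.system} holds {extra} beyond policy")
```

The score units are arbitrary; the ordering is what matters. DevBoost's single org:admin grant on GitHub outranks LeadSync's four low-privilege connections, which is exactly the contextual distinction the text asks for, and OldReporter is flagged for revocation on age alone. The policy_allows gate is the same check run at adoption time, before a new grant is approved.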

Securing the future of third-party apps

When third-party apps integrate with a company's core systems to boost productivity, they also expose those systems to service supply chain attacks, data breaches, account takeover and insecure authorization.

Given that the API management market alone is expected to grow 35% by 2025, organizations need to address the security risks of these applications sooner rather than later. The attacks on GitHub, Okta and Mailchimp demonstrate just that, serving as a warning both to those who have not been hacked yet and to those who want to avoid another breach.

Alon Jackson is CEO and Co-Founder of Astrix Security.

Published in VentureBeat's DataDecisionMakers, where experts, including the technical people who do data work, share data-related insights and innovation.
