YL Ventures and Valence Security on Wednesday reported that the average organization has 917 SaaS-to-SaaS third-party integrations, and that some 48% of them, nearly half, sit unused, primarily because they were never properly offboarded after a failed proof-of-concept exercise.
The researchers explained that these SaaS-to-SaaS third-party integrations leave core business applications such as Microsoft 365, Google Workspace and Salesforce, and the business-critical data they hold, open to supply chain attacks.
Yoni Shohet, co-founder and CEO of Valence Security, said both security practitioners and software-as-a-service (SaaS) security vendors have lagged in their past efforts to address this threat vector.
“The fact that nearly 50% of SaaS-to-SaaS third-party integrations sit abandoned should be a wake-up call for CISOs,” Shohet said. “While human access to core SaaS applications may be secure, access to the keys to the kingdom can still often be obtained through unmanaged non-human identities — these API and OAuth tokens significantly increase the risk of SaaS supply chain attacks.”
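The practical control behind Shohet's point is an inventory of third-party grants with a last-used check, so that a POC token that was connected and forgotten is found and revoked. The script below is an added example, not code from the report or from Valence; it assumes a hypothetical JSON export of OAuth app grants with the fields shown (app, client_id, scopes, granted_at, last_used_at, granted_by, status), uses constructed sample records, and treats the BROAD_SCOPE_MARKERS substrings as a stand-in for whatever write- or admin-level scope names your provider uses. A grant that has never been used is only flagged once it is older than the idle threshold, so freshly created integrations get a grace period.

```python
"""Flag idle or never-used third-party OAuth grants in an exported inventory.

Added example. The export format, the app names and client IDs, and the
scope strings are all assumptions constructed for this demonstration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export (hypothetical apps, IDs, people and timestamps).
SAMPLE_EXPORT = """[
  {"app": "SalesSync POC", "client_id": "app-001",
   "scopes": ["drive.readonly", "mail.readwrite"],
   "granted_at": "2022-01-10T09:00:00Z", "last_used_at": null,
   "granted_by": "alice@example.com", "status": "active"},
  {"app": "ChatOps", "client_id": "app-002",
   "scopes": ["calendar.readonly"],
   "granted_at": "2021-06-01T00:00:00Z", "last_used_at": "2023-02-27T18:30:00Z",
   "granted_by": "bob@example.com", "status": "active"},
  {"app": "Legacy BI connector", "client_id": "app-003",
   "scopes": ["drive.readonly"],
   "granted_at": "2021-03-15T00:00:00Z", "last_used_at": "2022-08-01T00:00:00Z",
   "granted_by": "carol@example.com", "status": "active"},
  {"app": "Trial exporter", "client_id": "app-004",
   "scopes": ["directory.readwrite"],
   "granted_at": "2023-02-26T12:00:00Z", "last_used_at": null,
   "granted_by": "dave@example.com", "status": "active"},
  {"app": "Retired CRM sync", "client_id": "app-005",
   "scopes": ["contacts.readwrite"],
   "granted_at": "2020-01-01T00:00:00Z", "last_used_at": "2020-06-01T00:00:00Z",
   "granted_by": "erin@example.com", "status": "revoked"}
]"""

# Substrings that mark a scope as write- or admin-level. Assumption for this
# example; replace with your provider's actual scope names.
BROAD_SCOPE_MARKERS = ("write", "admin", "full")

# Fixed "now" so the sample run is reproducible (assumed audit date).
AUDIT_TIME = datetime(2023, 3, 1, tzinfo=timezone.utc)


@dataclass
class Finding:
    app: str
    client_id: str
    granted_by: str
    reason: str
    idle_days: int
    broad_scopes: list
    severity: str  # "high" if the idle grant carries a broad scope, else "medium"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_grant(grant, now, max_idle_days):
    """Return a Finding for an active grant idle for >= max_idle_days, else None."""
    if grant.get("status") != "active":
        return None  # already offboarded, nothing to revoke
    last_used = grant.get("last_used_at")
    if last_used is None:
        # Never exercised: the classic POC that was connected and forgotten.
        idle_days = (now - parse_ts(grant["granted_at"])).days
        reason = "never used since grant"
    else:
        idle_days = (now - parse_ts(last_used)).days
        reason = "no activity"
    if idle_days < max_idle_days:
        return None  # recently active, or still inside the grace period for new grants
    broad = [s for s in grant["scopes"]
             if any(marker in s.lower() for marker in BROAD_SCOPE_MARKERS)]
    return Finding(app=grant["app"], client_id=grant["client_id"],
                   granted_by=grant["granted_by"], reason=reason,
                   idle_days=idle_days, broad_scopes=broad,
                   severity="high" if broad else "medium")


def audit_export(raw_json, now, max_idle_days=90):
    """Parse the export and return findings, high severity first, then longest idle."""
    grants = json.loads(raw_json)
    findings = [f for f in (classify_grant(g, now, max_idle_days) for g in grants) if f]
    findings.sort(key=lambda f: (f.severity != "high", -f.idle_days))
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT, AUDIT_TIME):
        print(f"[{f.severity.upper()}] {f.app} ({f.client_id}) granted by {f.granted_by}: "
              f"{f.reason} for {f.idle_days} days; broad scopes: {f.broad_scopes or 'none'}")
```

Each finding names the user who granted the integration, which is the person to ask before revoking; the severity ordering puts idle tokens with write or admin scopes at the top, since those are the ones an attacker who obtains the token can use to move into the core SaaS data.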
Other survey findings include the following:
- 53% of survey respondents don’t have a process to ensure proper correlation between third-party risk management and their integrations.
- 91% say they consider SaaS security of medium or high importance.
- 86% say they are unhappy with their current SaaS mesh visibility and risk reduction solutions.
Jon Gaines, senior cybersecurity consultant at nVisium, said SaaS has been a popular technology for more than a decade now, with no signs of slowing down. Gaines said the ability of SaaS to hand maintenance, and ultimately responsibility, to another organization has become its competitive advantage.
“Nonetheless, supply chain attacks can still cause harm to your organization,” Gaines said. “The usability of one-click SaaS, for example OAuth, makes it trivial to grant access to your organization. As we continuously progress, the need to remove that access may not be so trivial, especially as the technical debt increases. So yes, it can be a gaping hole and a way for attackers to move laterally through your information systems.”