New research exposes major SaaS vulnerabilities

Major SaaS Vulnerabilities

Because many of the high-profile cyberattacks of 2023 involved one or more SaaS applications, SaaS has become a genuine concern in many boardroom discussions, more so than ever now that GenAI applications are essentially SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in the fourth quarter of 2023. Their research shows how companies use SaaS today, and the wide variety of threats that arise from that use. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides best practices to mitigate them and ensure SaaS can be used at scale without compromising security.

The TL;DR version of SaaS security

2023 brought some now infamous examples of malicious actors using or directly targeting SaaS, including the North Korean group UNC4899, the 0ktapus ransomware group, and Russia’s Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The initial insight from this research reinforces the concept that SaaS is the new supply chain, and provides an almost intuitive framework for the importance of securing SaaS use. These applications are clearly an integral part of the modern organization’s set of tools and vendors. That said, long gone are the days when any third party with access to corporate data had to go through security or IT approval. Even in the most rigorous companies, if a diligent employee needs a quick and efficient solution, they will seek it out and use it to get their work done faster and better. Think again about the widespread use of GenAI, and the picture is clear.

Therefore, any organization concerned about the security of its supply chain should implement SaaS security measures. According to the MITRE ATT&CK ‘Trusted Relationship’ technique (T1199), a supply chain attack occurs when an attacker targets a supplier to exploit as a means to infiltrate a broader network of companies. By entrusting sensitive data to third-party SaaS vendors, organizations expose themselves to supply chain risks that extend beyond immediate security concerns.

Four common SaaS risks

There are several reasons and ways SaaS is being targeted. The good news is that most risks can be significantly reduced if they are monitored and controlled. Basic SaaS security capabilities are even available for free, which suits organizations that are just starting to develop their SaaS security posture or want to benchmark it against their current solution.

1) Shadow SaaS

The first problem with SaaS usage is the fact that it often goes completely unnoticed: the number of applications used by organizations is typically 250% greater than what a simple and frequently used query of the workspace reveals.

Among the companies analyzed:

  • 41% of applications were used by only one person, resulting in a very long list of unapproved applications.
  • One in five users were using applications that were not being used by anyone else within their organization, putting a strain on security and resources.
  • 63% of single-user applications were not even accessed within a three-month period, which raises the question: why keep them connected to corporate data?
  • 96.7% of organizations used at least one application that experienced a security incident in the past year, confirming the ongoing risk and the need for proper mitigation.

2) MFA bypassing

Wing’s research highlights a trend where users are choosing to use a username/password to access the services they need, bypassing existing security measures (see Figure 1).

[Figure 1: From Wing Security’s research, bypassing MFA.]

3) Forgotten tokens

Users grant tokens to the applications they need; this is necessary for the SaaS applications to do their job. The problem is that these tokens are often forgotten after one or a few uses. Wing’s research found a large number of tokens that went unused over a three-month period, creating an unnecessarily large attack surface for many customers (Figure 2).

4) The new risk of Shadow AI

In early 2023, security teams focused on a select number of well-established services that provide access to AI-based models. However, as the year progressed, thousands of conventional SaaS applications adopted AI models. The research shows that 99.7% of companies used applications with integrated AI capabilities.

Organizations had to agree to updated terms and conditions that allowed these applications to use and refine their models using the organization’s most confidential data. Often these revised terms have flown under the radar, along with the use of AI itself.

There are several ways AI applications can use your data to train their models. This can take the form of learning from your data, storing your data, and even having a human manually review your data to improve the AI model. According to Wing, this possibility is often configurable and completely avoidable, provided it is not overlooked.

Solving SaaS security challenges in 2024

The report ends on a positive note, listing eight ways companies can mitigate the growing SaaS supply chain threat. These include:

  1. Continuous shadow IT discovery and management.
  2. Prioritize remediation of SaaS misconfigurations.
  3. Optimize anomaly detection with predefined frameworks and automate where possible.
  4. Discover and monitor all AI-using SaaS applications, and continuously check your SaaS for updates to their terms and conditions regarding AI use.
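The first three risks above (single-user shadow SaaS, password sign-ins that sidestep MFA, and OAuth tokens left idle for months) and the first mitigation (continuous discovery) all reduce to questions you can ask of a SaaS grant inventory. The following is an added example, not code from Wing Security or the report; the `Grant` schema, the 90-day idle window, and the inventory rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One connection between an employee and a SaaS app (constructed schema, not Wing's)."""
    app: str
    user: str
    method: str                    # "oauth" = token granted to the app, "password" = local login
    last_used: Optional[datetime]  # None = the grant was issued but never used afterwards

# Constructed sample inventory for demonstration; not real customer data.
NOW = datetime(2024, 1, 15)
GRANTS = [
    Grant("crm-suite", "alice", "oauth", NOW - timedelta(days=2)),
    Grant("crm-suite", "bob", "oauth", NOW - timedelta(days=10)),
    Grant("pdf-tool", "carol", "oauth", NOW - timedelta(days=120)),  # one user, token idle for months
    Grant("ai-notes", "dave", "password", NOW - timedelta(days=1)),  # one user, sidesteps SSO/MFA
    Grant("whiteboard", "erin", "oauth", None),                      # one user, token never used
]

def single_user_apps(grants):
    """Risk 1 (shadow SaaS): apps connected by exactly one person in the organization."""
    users = defaultdict(set)
    for g in grants:
        users[g.app].add(g.user)
    return sorted(app for app, u in users.items() if len(u) == 1)

def password_only_logins(grants):
    """Risk 2 (MFA bypass): app/user pairs signed in with a local password instead of SSO."""
    return sorted((g.app, g.user) for g in grants if g.method == "password")

def stale_tokens(grants, now=NOW, max_idle_days=90):
    """Risk 3 (forgotten tokens): OAuth grants unused for longer than the idle window, or never used."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted((g.app, g.user) for g in grants
                  if g.method == "oauth" and (g.last_used is None or g.last_used < cutoff))

def idle_single_user_share(grants, now=NOW, max_idle_days=90):
    """Fraction of single-user apps with no use inside the idle window (the report's 63%-style metric)."""
    cutoff = now - timedelta(days=max_idle_days)
    solo = set(single_user_apps(grants))
    if not solo:
        return 0.0
    idle = {g.app for g in grants if g.app in solo and (g.last_used is None or g.last_used < cutoff)}
    return len(idle) / len(solo)

if __name__ == "__main__":
    print("single-user apps:", single_user_apps(GRANTS))
    print("password-only logins:", password_only_logins(GRANTS))
    print("stale tokens:", stale_tokens(GRANTS))
    print("idle share of single-user apps:", idle_single_user_share(GRANTS))
```

Each finding maps to an action the report recommends: review or offboard the single-user apps, move the password logins behind SSO, and revoke the idle tokens.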

For the full list of findings, tips for ensuring secure SaaS use, and a 2024 SaaS security forecast, download the full report here.
