Understanding Risks on the SaaS Attack Surface

Written by

As cloud-based services surge, threat actors are becoming notably more aggressive in attack vectors that are especially effective across software-as-a-service (SaaS) applications.

With SaaS app owners mostly sitting outside of IT, the SaaS attack surface is open for cybercriminals to take advantage of security gaps, including those caused by human error or lack of security expertise.

Undoubtedly, SaaS apps are a big job for CISOs and security teams to manage. In 2023, the average number of SaaS apps per business reached 371, according to a study. In the meantime, the volume of data breaches is breaking new records, with the US reporting 2023 as its worst year on record.  

This article will survey key vectors on the SaaS attack surface to shed light on prevalent vulnerabilities in SaaS environments today.

Weak Password Security

Weak and insecure passwords are especially vulnerable in SaaS applications, where for most apps, especially those outside the core managed stack, all that stands between an attacker and the app is a password.

Poor password hygiene, including reusing the same credentials across apps, is especially risky where enterprises don’t deploy multi-factor authentication (MFA) login or have not integrated the app into the organization’s single sign-on (SSO).

Enterprise teams also commonly share passwords to save on SaaS licensing costs, which leads to skipping MFA when an option and opens up risk if access remains for ex-employees.

Non-human identities used for service accounts are also sensitive to password sprays, as usually there is no individual employee identity behind them.

Notably, the recent attack by Russia-based threat actor Midnight Blizzard on Microsoft in its Office 365 environment was carried out by brute force, exploiting the weak password security of an old testing account.

Enabled – By Default

SaaS apps each come with their own jungle of dozens or even hundreds of configurations and settings that if not properly secured, become a prime attack surface. Indeed, SaaS misconfigurations are one of the leading causes of SaaS data breaches, stolen SaaS data, and SaaS ransomware.

Using “Default” settings makes it easy to get up and going with SaaS apps, but the pitfalls are wide and deep. SaaS subscribers are ultimately responsible for managing software settings, not the providers. Even if set up properly, SaaS apps are highly sensitive to configuration drift, which leads to security gaps that leave the door open for threat actors.

In a recent DarkGate malware phishing attack on Microsoft Teams reported by AT&T Cybersecurity, the researchers noted that the attack vector was the default setting in Microsoft Teams that enabled external users to message those in other tenants.

Privileges Come with Responsibilities    

Admin privileges are highly sensitive for SaaS applications whose owners sit outside of the security team. The number of people with high privilege controls effectively widens the attack surface within any application, in the event of a misconfiguration or an identity credential-based breach.

To reduce the risk of this part of the SaaS attack surface, always enforce the principle of least privilege (PoLP) across the organization. This ensures that users have access to the resources they need to perform their jobs and avoids unnecessarily expanding the attack surface that can create unnecessary exposure to sensitive data.

The right number of privileged admins depends on the size of the organization, but it should always be at least two to ensure there is no abuse of app rights.

Yes, You Have My Permission

Employees don’t know the risks when installing third-party SaaS apps. Outside the view of the security team, apps can request an intrusive set of permissions or be malicious. As a result, SaaS-to-SaaS access is becoming an attack vector with serious consequences.

Authorizing access may grant the right to edit or delete company files, send emails on behalf of the user, create new files, or otherwise handle data in a way that poses a profound threat to the organization’s security.

Once a third-party SaaS application is compromised, important information can be stolen to gain entry into core apps and carry out a range of common attacks including ransomware, social engineering, and phishing.

Furthermore, when an employee connects a personal SaaS app (like Dropbox) to their enterprise account (like Office 365), their workplace is not governing their personal Dropbox account, resulting in further widening the SaaS attack surface.

A Holistic Approach to Managing SaaS

Understanding the SaaS attack surface is crucial for organizations to identify, assess, and mitigate risks effectively.

With SaaS attacks continuously exposing organizations to data leaks, breaches, and other potential disruptions to business operations, SaaS Security Posture Management (SSPM) is emerging to enable organizations to continuously assess security risk and manage SaaS applications’ security posture.

SSPM enables measurement of security posture for every app to gain deep visibility into the risks that could undermine SaaS Security, and thereby make it possible to prevent, detect, and respond to threats.

Brought to you by

What’s hot on Infosecurity Magazine?