The Rising Threat of Apps in the World of SaaS Platforms

Connectivity is productivity” has become the mantra of the 21st century, and the huge rise in economic activity and GDP in the internet era proves it. Yet, the more people are connected, the more difficult it is to maintain security.

A case in point is the marketplaces associated with some of the most important business connectivity platforms, like Slack, Salesforce and others, which are significantly growing their marketplaces to enable easy integrations with additional services. Developed by third parties, the apps in these marketplaces result in platforms being even more useful, enabling users to personalize them and making them more productive, saving the organization time and money.

However, those efficiencies can backfire – some of these marketplace apps’ security level is unclear, and the platforms that allow interaction with those apps don’t necessarily vet them. As a result, hackers could utilize app vulnerabilities to steal organization or personal employee data from the platform.

This lurking danger affects some of the biggest and most well-known platforms. For example, researchers in 2020 discovered a bug in Slack that could allow a hacker to take over accounts automatically by “exploiting an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests.” Using that flaw, researchers said, “An attacker could create a Slack add-on that advertises some great features but also reads channel data.” Slack subsequently fixed the issue and paid the individual who discovered the problem a bug bounty. Yet, that vulnerability could have easily been found by a bad actor.

The problem extends to nearly all platforms that allow third-party applications to interact with

APIs. A 2021 report by the SANS Institute said that poorly configured or insecure interfaces or APIs “are a major concern” and that misconfigured cloud resources – including those accessible by APIs – were responsible for nearly half of all attacks.

"The sheer interaction between platforms, devices and third-party apps could itself also be a source of outages or other issues"

The sheer interaction between platforms, devices and third-party apps could itself also be a source of outages or other issues. According to researchers at Columbia University, “security-oblivious designs of hardware and their interfaces can expose systems to new vulnerabilities.” In Salesforce, for example, third-party applications that rely on the platform’s OAuth protocol could open the door to bad actors because the permissions remain valid for all users unless they are actively halted. Unfortunately, that could apply to the many apps in the platform’s marketplace.

The traditional way to address this issue would be to restrict applications and services until they could be vetted for security. If the platforms aren’t prepared to do that, the burden must fall on organization security teams. However, even if they were to dedicate all of their working hours and resources to that, there is no way they would be able to cover all the territory. In addition, many of these services are constantly being updated, so the work is literally never-ending.

While security teams could restrict access to platforms and applications inside the office, the reality is that in many organizations, employees work part, or even all, of the time remotely and often use personal devices, full of personal apps, to connect to the company networks. In this era of remote work, many companies have also deployed on-prem resources on the cloud – consequently, employees are now able to integrate apps and other services with these corporate networks in ways they could not have while using an office’s on-location network. What this means is that system administrators and security teams have even less control over the SaaS that connects with servers than they did before.

In truth, the only way security teams can address these concerns is by “outsourcing” the work to an automated security system that can check the activity of platforms and apps employees are using. That security system could examine the interaction of platforms, applications, and resources accessed on organization servers. For example, if hackers try to hijack a Slack-associated application or if the application tries to steal user data, security teams would be alerted in real-time - enabling them to take action to prevent losses before they occur.

Attacks like these don’t get as much media attention on their own as ransomware attacks. Yet, that doesn’t make the need to defend against this threat any less relevant. In fact, targeting these SaaS applications can be a way into the software “supply chain,” a common vehicle bad actors can use to spread their poison – including ransomware. Security teams need to pay extra attention here because they are on their own – as the first and last line of defense. Utilizing advanced security systems could help fortify that line of defense and ensure that the productivity gains offered by platforms do not turn into a major loss.

What’s Hot on Infosecurity Magazine?