What a time to be alive. Today, any employee has the power at their fingertips to string together multiple SaaS applications and data using no-code / low-code integrations that leverage authorization methods like OAuth grants. Want to sign up for a handful of productivity tools without ever creating a new username or password? It takes 2 minutes. Need to send sales alerts from your CRM to Slack? Easy peasy. Want to run a free code review tool on top of your development environment? Click and go. While these technologies have arguably helped organizations to smash data silos and democratize data-driven decision making, they also create a cascade of data security challenges.
Today, security teams face a complex mesh of SaaS applications, making it extremely difficult to answer the fundamental question of, “who (and what SaaS applications) have access to my corporate assets?” Attackers are taking advantage of this complexity to move laterally across the SaaS supply chain to get to the crown jewels.
To address this challenge, we are introducing new OAuth inventory and OAuth risk scoring capabilities in Nudge Security to help security teams manage the risks of SaaS-to-SaaS integrations. And, for existing customers and free trial users, it’s all built in and waiting for you—no additional costs or upgrades required.
From Day One, Nudge Security has discovered and inventoried OAuth grants as part of our SaaS asset discovery capabilities. Now, Nudge Security customers can more easily review and filter this information, organized under the “OAuth” tab. In addition, we introduced new OAuth risk scores to help IT and security teams immediately identify risky OAuth grants and prioritize response. It’s just one of the ways we’re helping modern organizations to better manage the ever-changing SaaS attack surface.
In the rest of this post, we’ll describe in detail what we released and why. For the TL;DR crowd, here’s the interactive tour:
First, a quick refresher: What is OAuth?
OAuth is a standards-based authorization framework that provides a convenient way to sign in to third-party applications without the use of credentials (e.g., username and password) each time. This is true for users and third-party applications. People commonly use OAuth to sign in to multiple applications using existing identities created in Google, Microsoft 365, Okta, Facebook, etc. This helps to cut down the number of credentials you need to create and keep track of, expedites SaaS signups, and helps to ensure that credentials are not shared with third-party providers.
People also commonly use OAuth to grant access from one SaaS application to another SaaS application in order to share data or enable other actions. You’ve probably seen hundreds of these requests by now, but here’s an example to jog your memory:
These types of OAuth grant requests have become fairly ubiquitous across SaaS applications. And, really, they’ve become somewhat of the fine print that you should read but don’t. As such, it’s easy for SaaS users (your employees) to be overly permissive in how SaaS data and access is granted.
Until now, it’s been a huge challenge for IT and security teams to maintain visibility of all of these OAuth grants and scopes. This is especially true for the portion of their SaaS estate that is unmanaged or unknown. But, why even bother trying to keep tabs on OAuth grants?
How do attackers abuse OAuth?
Unfortunately, given the widespread use of OAuth, attackers are finding ways to abuse it. One example we’ve seen lately is the creation of malicious fake applications and spoofed log-in pages to gain access to a person's account, as was the case in an incident Microsoft disclosed earlier this week. Once an attacker has gained access to the account, they can then use it to gain access to other resources such as financial data.
So, how does Nudge Security help?
Our goal is to help IT and security teams to adapt to the new realities of modern work, and this includes the situation we’ve described above: employees working from multiple locations and devices are able to adopt SaaS applications at will and connect them easily with no coding skills required.
To that end, we’ve introduced and improved our SaaS-to-SaaS risk management capabilities as part of our end-to-end solution for modern SaaS security. Here’s what’s new:
Improved OAuth inventory and classification
Now, you can view and monitor all OAuth grants in the product’s OAuth tab. With expanded classification criteria, you can filter by grant type (sign in or integration) and sort by application, age, number of scopes, the user who granted access, or by the new OAuth risk score.
You can drill down into any one of these individual grants to see a more detailed view of individual scopes and risks and OAuth history.
(Author’s note: One thing I especially love about the view below is that we lay out the OAuth relationships with natural language. I always find it a bit confusing to use terms like parent or authorizer to define which direction the OAuth grant is facing, so here you get a really nice, simple way of reading it.)
New OAuth risk scoring
Not all OAuth scopes are created equal. Some request read-only access to nominal data, while others request far-reaching abilities to share your data with other third parties or even send emails on your behalf. Understanding and determining the risk of each OAuth scope is an exercise in reading the fine print for each one. This could mean reviewing tens of thousands of scopes, and I don’t know any security practitioners who have time for that.
We’ve introduced a new OAuth risk scoring feature that automatically determines the risk level of each individual OAuth scope and calculates an overall OAuth risk score for each OAuth grant. So now, security teams can surface the riskiest scopes in their most business-critical SaaS applications, and prioritize their response accordingly. We use traffic light colors to make it even more obvious which grants and scopes require a closer look.
New custom notifications for OAuth risks
Finally, we introduced new notification rule criteria, so you can be alerted (or send alerts downstream to your SIEM, SOAR, security analytics, or IT workflow tools) whenever new OAuth risk is discovered. You can even customize the risk score threshold for your alerts based on your own policies and needs. We’ll continue to further develop automation capabilities around OAuth risk, and in the meantime, we encourage feedback from customers and free trial users.
Speaking of, if you haven’t already started your free trial of the product, here’s your nudge.
While managing OAuth risk is a critical part of protecting the SaaS attack surface, looking at OAuth grants in isolation, without context on what information can actually be shared, is of limited value. SaaS security management requires a holistic approach, one that spans the SaaS supply chain, SaaS-to-SaaS integrations, and most importantly, every employee in your organization. The SaaS attack surface is dynamic and amorphous. Protecting it at scale takes collective action across the organization.