Recent high-profile SaaS supply chain breaches at Circle CI, Okta, and Slack reflect a growing trend in attackers targeting enterprise SaaS tools to infiltrate their customers’ environments. For security teams, this trend is harrowing.
And yet, the SaaS supply chain is just one part of the overall SaaS attack surface. Arguably, the SaaS attack surface extends to every SaaS application, account, user credential, OAuth grant, API, and SaaS supplier used in your organization—managed or unmanaged. Monitoring this attack surface can feel like a Sisyphean task, given that any user with a credit card, or even just a corporate email address, has the power to expand the organization’s attack surface in just a few clicks.
At Nudge Security, we are helping organizations continuously discover and govern hundreds of thousands of SaaS applications and accounts, giving us a unique perspective on the SaaS attack surface. Leaning into our threat research expertise at Nudge Security, we recently created a SaaS attack dashboard of SaaS exposures, high-value targets, and SaaS mesh and supply chain risks that represent areas of high priority for cybersecurity teams.
Nudge Security’s SaaS attack surface dataset
In addition to releasing new SaaS attack surface dashboard and OAuth risk scoring capabilities, we wanted to quantify and create benchmarks for the state of the SaaS attack surface. We recently analyzed data from our install base to illustrate the magnitude of this growing attack surface. Most of these data are presented as averages, but in some cases, we either removed extreme outliers or we took the median for a more meaningful view of the data, as noted.
While this is a non-exhaustive analysis, it does provide helpful insight, and a benchmark for the growing SaaS attack surface. Ultimately, your own SaaS footprint data is going to be the most interesting and relevant for you—luckily, you can discover and continuously monitor that footprint in just a few minutes with our free 14-day trial.
The first data we looked at were the assets that are public facing, or assets that could be discovered on the internet by an adversary and associated with a target organization, creating a risk exposure. On average, organizations had the following exposures:
→ 13 public-facing SaaS applications
→ 23 registered domains (outliers removed)
→ 122 social media accounts (outliers removed)
Next, we considered SaaS assets that are not necessarily public facing, but do handle corporate intellectual property and sensitive data. These include cloud infrastructure, SaaS applications that handle source code and artifacts, financial and HR SaaS applications, file-sharing services, and SaaS applications that contain customer data, such as CRMs. Nudge Security automatically categorizes SaaS applications and summarizes these highly targeted assets in a SaaS attack surface dashboard.
Our initial analysis showed that, when it comes to source code repositories and artifact hosting SaaS applications, organizations generally use around 3 different providers (median 3.5). These are hardly isolated environments, however, as organizations typically connect a myriad of other SaaS applications to these environments through OAuth grants, which we’ll look at next.
OAuth risk factors
Next, we looked at the risks organizations face with the modern, complex mesh of SaaS applications interconnected by OAuth permissions. To answer the fundamental question, "what other applications have access to my data?", it's important to understand which OAuth grants and scopes exist between applications.
We found the following data on OAuth grants and risks:
→ On average, OAuth grants contain three different scopes.
→ 10% of OAuth grants are considered by Nudge Security to be high risk.
→ The following SaaS applications have the most OAuth grants:
- Google Workspace - 45 grants on average
- Microsoft 365 - 42 grants on average
- Slack - 20 grants on average
- GitHub - 10 grants on average
- Zoom - 6 grants on average
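To make the "what other applications have access to my data" question concrete, here is an added example (not Nudge Security's code or scoring) that answers it over a handful of constructed OAuth grant records. The record shape loosely mirrors Google Workspace Admin SDK token listings, the user and app names are made up, and the set of "broad" scopes is an assumption for illustration, not Nudge's high-risk definition.

```python
# Constructed OAuth grant records (not real data). The scope URIs are real
# Google Workspace scopes; the users and apps are placeholders.
GRANTS = [
    {"user": "alice@example.com", "app": "calendar-helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "alice@example.com", "app": "sales-sync",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "app": "sales-sync",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive.file"]},
    {"user": "bob@example.com", "app": "note-taker",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

# Assumed list of scopes that expose an entire mailbox or drive; this is an
# illustration, not the page's risk-scoring criteria.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}


def apps_with_access(grants, scope_prefix):
    """Map each app holding any scope under scope_prefix to the users who granted it."""
    out = {}
    for g in grants:
        if any(s.startswith(scope_prefix) for s in g["scopes"]):
            out.setdefault(g["app"], set()).add(g["user"])
    return out


def broad_grants(grants, broad=BROAD_SCOPES):
    """List (user, app, matching broad scopes) for every grant touching a broad scope."""
    hits = []
    for g in grants:
        matched = sorted(set(g["scopes"]) & broad)
        if matched:
            hits.append((g["user"], g["app"], matched))
    return hits


if __name__ == "__main__":
    for app, users in apps_with_access(GRANTS, "https://www.googleapis.com/auth/drive").items():
        print(f"{app}: drive access via {sorted(users)}")
    for user, app, scopes in broad_grants(GRANTS):
        print(f"review: {user} -> {app} holds {scopes}")
```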
SaaS supply chain breaches
Finally, we found that organizations had an average of 6 data breaches within their SaaS supply chain in the past 12 months. 2022 was a year marked by SaaS supply chain attacks, including ones that affected Okta, GitHub, MailChimp and Digital Ocean, Signal (and Okta, again), and many others.
Threat actor groups like Lapsus$ have demonstrated the ability for attackers to move laterally across the SaaS supply chain toward high-value targets, a trend that’s likely to continue given the complexity (and traditionally low security visibility) of the SaaS supply chain.
When a data breach at a critical SaaS provider makes headlines, it often creates some frenzy for cybersecurity practitioners trying to assess whether or not anyone within their organization uses the service—or uses another service that may have been a victim of the initial data breach. Nudge Security not only discovers an organization's full SaaS supply chain, but we also send customers notifications whenever a third- or fourth-party SaaS supplier discloses a data breach, creating an early warning system that can help stem the further spread of a SaaS supply chain attack.
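The assessment described above, "does anyone here use the breached service, or a service that depends on it?", is a reachability question over the supplier graph. The following is an added example (not Nudge Security's implementation) that answers it for a constructed inventory: every app and vendor name is a placeholder, and the dependency edges are made up.

```python
from collections import deque

# Constructed inventory (placeholder names). Each key is a SaaS app or vendor;
# its value is the set of suppliers that app itself depends on. Suppliers of
# the apps you use are third parties; their suppliers are your fourth parties.
SUPPLIERS = {
    "crm-app": {"email-delivery-vendor", "identity-provider"},
    "ci-service": {"identity-provider", "artifact-host"},
    "chat-tool": set(),
    "email-delivery-vendor": {"cloud-host"},
    "identity-provider": {"cloud-host", "sms-gateway"},
    "artifact-host": {"cloud-host"},
}
# Apps the organization itself has accounts in (constructed).
IN_USE = {"crm-app", "ci-service", "chat-tool"}


def exposure_paths(breached, suppliers=SUPPLIERS, in_use=IN_USE):
    """Return {app: chain} for every in-use app that is the breached vendor
    or depends on it transitively; chain runs from the vendor to the app."""
    dependents = {}  # reverse edges: supplier -> apps that depend on it
    for app, deps in suppliers.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(app)
    paths = {breached: [breached]}
    queue = deque([breached])
    while queue:  # breadth-first, so each chain is a shortest one
        node = queue.popleft()
        for app in dependents.get(node, ()):
            if app not in paths:
                paths[app] = paths[node] + [app]
                queue.append(app)
    return {app: chain for app, chain in paths.items() if app in in_use}


def party_level(chain):
    """1 = the app itself was breached, 2 = third party, 3 = fourth party, ..."""
    return len(chain)


if __name__ == "__main__":
    for app, chain in exposure_paths("cloud-host").items():
        print(f"{app}: exposed at level {party_level(chain)} via {' -> '.join(chain)}")
```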
Join us for a live demonstration and Q&A with the Nudge Security founders each week on Thursday. Register here to join live or to catch the replay.
Did we mention that Nudge Security offers a full-featured, 14-day free trial? If you are interested in discovering your SaaS attack surface before your next meeting, get started here.