The Top 5 Third-Party Integration Risks
Businesses are embracing Software-as-a-Service (SaaS) applications with growing enthusiasm. The market for SaaS software has doubled over the last five years, from $85 billion in 2018 to $171 billion in 2022. Ninety-nine percent of companies use at last one SaaS application, though the average business uses 110, up 38% from an average of 80 apps the previous year. It’s easy to understand why SaaS is so popular.
It’s easy to understand why SaaS is so popular. The technology frees customers from many of the total cost of ownership of provisioning and supporting software and infrastructure. At the same time, SaaS also exposes its customers to new types of risk, especially from third-party integrations using SaaS plugins.
SaaS Plugins: What They Are and How They Work
A SaaS app typically works through a web browser. There is no software client required, and the data and application functionality occur in the cloud. Most SaaS apps allow third-party vendors to build plugins that provide additional capabilities to the SaaS.
For example, a customer relationship management (CRM) SaaS app might allow plugins from productivity suites like Microsoft 365 or Google Workspace. In these SaaS-to-SaaS integrations, data from the CRM can flow directly into the productivity suite, e.g., automatically updating an email address in the CRM from the latest data in the productivity suite.
For the plugin to work, the SaaS user has to grant permissions to the third-party plugin. The plugin acts on behalf of the user within the SaaS app, a capability made possible through the use of authentication tokens.
This has ramifications for security. The third-party plugin, built by a developer who has nothing to do with the CRM app, can gain access to its data and operate on behalf of the user.
Why SaaS Plugins Can Be a Source of Risk
SaaS plugins expose their users to cyber risk. There are a number of reasons for this, but the foundational problem has to do with how SaaS plugins act on the user’s behalf. The SaaS app sees the plugin as the user.
Permissions and configurations are another source of security trouble with SaaS plugins. A plugin can require the user to agree to a wide scope of permissions that are not really needed for the plugin to do its job. This can be for reasons ranging from developer laziness to malicious activity.
For instance, a customer service representative might have access privileges that allow him or her to see customers’ tickets, financial transactions, customers’ credit histories and the like. There presentative can have a pre-installed SaaS plugin, installed by the admin, for sending email notifications whenever new tickets are opened. Yet, the plugin asks for far broader data access than just the tickets status. This is almost always not a deliberate choice, but rather an administrative oversight. Given that the average organization has 110 SaaS apps running, it’s not hard to see how admins could make this kind of mistake.
Going further, if SaaS users are allowed to install plugins on their own, and/or grant access to any plugin they want, they may install malicious plugins or legitimate ones that have no business need for the company. This is a security policy issue, but one with potentially serious repercussions.
It may be a surprise to some that a SaaS plugin can be malicious. Aren’t they “official” plugins if they are available at the SaaS app’s store? One might be surprised at the vulnerabilities embedded in plugins that are available for easy download and installation. In fact, not all app stores properly scrutinize the plugins uploaded to them. It could be a simple case of abandonment. If the plugin-vendor no longer supports the plugin and updates it with security patches, the plugin will soon become a source of risk. Or, some untrustworthy party buys a once-legitimate plugin and modifies it, perhaps maliciously, and the end-client has no knowledge of the change.
The Top 5 Risks From SaaS Plugins
With these factors in mind, consider the potential impacts that a malicious plugin could have on a business. Here are the top five risks:
1. User impersonation — If an attacker can convince a user to install a malicious plugin to its SaaS, they can than act within the SaaS as the user itself. He or she can impersonate that user and interact with other employees or even customers, while impersonating the user. They may view sensitive data, perhaps taking advantage of overly generous permissions in the process, and manipulate data, delete it, or steal it.
2. Data breach — A SaaS plugin can form the attack path for a data breach. With access to the SaaS via the plugin, the attacker controlling it can exfiltrate data through it.
3. Business disruption — If a SaaS plugin is vulnerable to a take over, it can be commandeered by hackers and made into a vehicle for accessing the SaaS data. This can be disruptive to the SaaS customer, potentially even threatening to shut down their operations until the attack can be mitigated.
4. Abuse of resources — SaaS applications are not cheap, so an attacker might want to take advantage of free, improper access to perform tasks like data analytics or file storage on the SaaS customer’s account.
5. Compliance Risk — A data breach can lead to compliance penalties if, for example, it results in violations of privacy laws. A compliance audit that reveals deficient controls over SaaS access can also trigger problems for companies that need to comply with frameworks like NIST CSF, SOC 2 and so forth.
Addressing Third-Party Integration Risk From SaaS Plugins
It is possible to reduce third-party integration risk from SaaS plugins. Suridata, for example, provides deep visibility into SaaS application risk, including automated monitoring of SaaS plugin permissions. The solution can identify third-party integration risks and automatically remediate them with workflows that orchestrate the complex steps required to make SaaS plugins safe.
SaaS apps, which are becoming increasingly popular due to their favorable IT economics and ability to speed up adoption of useful software, expose companies and users to cyber risks. SaaS plugins, in particular, create third-party integration risks. Attackers can exploit excessive permissions and malicious or out-of-date plugins to impersonate users and perpetrate data breaches, among other negative security impacts. Solutions are available however, that can automatically scan SaaS plugins for security weaknesses and then provided automated remediation.