Valence Threat Labs, the vendor-agnostic research team at Valence Security, works to uncover and present real, data-driven and actionable insights into emerging threats that affect enterprises globally, with particular attention to their supply chains and SaaS security posture. Valence researchers worked with the Venture Advisory Board of cybersecurity-focused venture capital firm YL Ventures to ask leading CISOs about the state of security for SaaS-to-SaaS third-party integrations in their organizations and about their current best practices. The researchers then compared those responses with aggregated, anonymized cross-tenant data from the Valence SaaS Mesh Security Platform. The result is the 2022 Shadow SaaS-to-SaaS Integration Report.
SaaS-to-SaaS third-party integrations leave core business applications such as Microsoft 365, Google Workspace and Salesforce, and the business-critical data in them, open to supply chain attacks. Both security practitioners and SaaS security vendors have lagged in addressing this threat vector. As a senior enterprise CISO notes in Valence’s report, “[With] our workforce changes (on and off boardings), contractors and cloud environment changes it is difficult to keep up with SaaS connections.”
The recent wave of cyber-attacks shows a clear inclination by attackers to abuse SaaS-to-SaaS integrations as an easy way into the organizational supply chain. During the GitHub attack campaign, for example, attackers stole and abused OAuth tokens issued to well-known vendors Travis CI and Heroku. According to GitHub, the attackers used the trust and broad access granted to these reputable vendors to download data from the private repositories of dozens of GitHub customers. The mechanism matters: an OAuth token granted to a third-party app is a credential in its own right, so it keeps working regardless of the user’s password or MFA until the grant itself is revoked. With a considerable time gap between discovery, customer notification and remediation, many CISOs were left worrying that attackers could have rapidly expanded their reach and carried out broader attacks on their SaaS supply chains.
The silver lining is that most CISOs are beginning to grasp this growing challenge and recognize the need to address both human and non-human identities comprehensively in order to maintain a healthy SaaS security posture.
Valence researchers set out to compare the data extracted from the Valence SaaS Mesh Security Platform with the observations and insights of leading CISOs at global enterprises. “While Valence was born out of the growing need for adequate SaaS security solutions that provide both visibility and remediation (the report shows that 86% of CISOs are unhappy with their current solutions), we were still surprised by the vast differences between what CISOs believed to be true and what our data revealed,” said Yoni Shohet, CEO and co-founder of Valence Security.
The report uncovers an eye-opening gap between CISO perceptions and security reality, and it should inform the decision-making of enterprises as they scale their SaaS estates.
Here are the key takeaways from the survey and data:
- The average organization has 917 SaaS-to-SaaS third-party integrations – 4-5 times the amount estimated by survey respondents.
- 48% of SaaS integrations sit unused, typically because they were never offboarded after a failed proof of concept (PoC).
- On average, users onboard 75 new third-party integrations every 30 days, 3-4 times the amount estimated by survey respondents.
- 53% of survey respondents have no process to correlate their third-party risk management (TPRM) program with their actual integrations.
- 91% of respondents say that SaaS security is of medium or high importance.
- 86% of survey respondents are unhappy with their current SaaS mesh visibility and risk reduction solutions.
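Two of the findings above are directly actionable for a security team: grants left behind after a failed PoC, and the broad access a token issued to a reputable vendor carries. Both reduce to the same inventory-and-triage step over the third-party OAuth grants in a tenant. The following is an added example, not code from Valence or from the report, that runs that triage over a constructed grant list. The record fields, the scope names, the 90-day threshold and the sample data are all assumptions for illustration; a real run would feed it the grant export from the platform's admin API (for instance the token or permission-grant listing of Google Workspace, Microsoft Graph or GitHub), whose field and scope names differ.

```python
"""Triage third-party OAuth grants: flag stale and over-privileged integrations.

Added example (not Valence's or the report's code). Record format is an
assumption: one dict per grant with app, user, scopes, grant date and the
last-used date (None if the token was never exercised).
"""
from collections import defaultdict
from datetime import date

# Assumed set of high-impact scopes; real scope names vary per platform.
HIGH_RISK_SCOPES = {
    "mail.readwrite", "files.readwrite.all", "directory.readwrite.all",
    "repo", "admin:org",
}

# A grant not exercised for this long is treated as a PoC leftover.
STALE_AFTER_DAYS = 90

# Constructed sample data; not real tenant data.
CONSTRUCTED_GRANTS = [
    {"app": "Calendar Sync Pro", "user": "alice@example.com",
     "scopes": ["calendar.read"], "granted": date(2022, 1, 10),
     "last_used": date(2022, 5, 30)},
    {"app": "DataPipe (PoC)", "user": "bob@example.com",
     "scopes": ["files.readwrite.all", "mail.readwrite"],
     "granted": date(2021, 9, 1), "last_used": date(2021, 10, 15)},
    {"app": "CI Helper", "user": "carol@example.com",
     "scopes": ["repo", "admin:org"], "granted": date(2022, 3, 3),
     "last_used": date(2022, 5, 29)},
    {"app": "Slide Maker", "user": "dave@example.com",
     "scopes": ["files.read"], "granted": date(2022, 2, 1),
     "last_used": None},
]
TODAY = date(2022, 6, 1)


def classify_grant(grant, today, stale_after_days=STALE_AFTER_DAYS):
    """Return (status, reasons) for one grant.

    'revoke'  : never used, or unused longer than the staleness threshold
                (a dormant token is pure exposure with no business value).
    'review'  : actively used but holds a high-risk scope; confirm with the
                owner and the TPRM record rather than revoke blindly.
    'ok'      : active and limited to low-impact scopes.
    """
    reasons = []
    last_used = grant.get("last_used")
    if last_used is None:
        reasons.append("never used since grant")
        stale = True
    else:
        idle_days = (today - last_used).days
        stale = idle_days > stale_after_days
        if stale:
            reasons.append(f"unused for {idle_days} days")

    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))

    if stale:
        return "revoke", reasons
    if risky:
        return "review", reasons
    return "ok", reasons


def audit(grants, today):
    """Bucket every grant and compute the unused ratio and per-app exposure."""
    report = {"revoke": [], "review": [], "ok": [], "by_app": defaultdict(list)}
    for grant in grants:
        status, reasons = classify_grant(grant, today)
        entry = dict(grant, status=status, reasons=reasons)
        report[status].append(entry)
        # Per-app rollup: the same app granted by many users is one vendor
        # relationship, which is the unit TPRM actually tracks.
        report["by_app"][grant["app"]].append(entry)
    unused = len(report["revoke"])
    report["unused_ratio"] = unused / len(grants) if grants else 0.0
    report["by_app"] = dict(report["by_app"])
    return report


if __name__ == "__main__":
    result = audit(CONSTRUCTED_GRANTS, TODAY)
    print(f"unused ratio: {result['unused_ratio']:.0%}")
    for status in ("revoke", "review", "ok"):
        for g in result[status]:
            print(f"{status:7} {g['app']:18} {g['user']:20} {'; '.join(g['reasons'])}")
```

The script only decides what to act on; revocation itself has to happen in the platform's admin console or API, and until it does, the token stays valid whatever happens to the user's password. Treat the "review" bucket as the input to the TPRM correlation the report says most respondents lack: an active grant with broad scopes and no vendor record is the case that turned the GitHub incident into a supply chain problem.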