Earlier this year, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021. Not only are these attacks increasing, but the level at which they are penetrating systems and the techniques attackers are using are also new. Attackers are now taking advantage of access granted to third-party cloud services as a backdoor into companies’ most sensitive core systems, as seen in recent high-profile attacks on Mailchimp, GitHub, and Microsoft. A new generation of supply chain attacks is emerging.
Rise of App-to-App Integrations
As the vast majority of the workforce has gone digital, organizations’ core systems have been moving to the cloud. This accelerated cloud adoption has exponentially increased the use of third-party applications and the connections between systems and services, unleashing an entirely new cybersecurity challenge.
There are three main factors that lead to the rise in app-to-app connectivity:
- Product-led growth (PLG): In an era of PLG and bottom-up software adoption, with software-as-a-service (SaaS) leaders like Okta and Slack
- DevOps: Dev teams are freely generating and embedding API keys in
- Hyperautomation: The rise of hyperautomation and low code/no code platforms means “citizen developers” can integrate and automate processes with the flip of a switch.
The vast scope of integrations is now easily accessible to any kind of team, which means time saved and increased productivity. But while this makes an organization’s job easier, it blurs visibility into potentially vulnerable app connections, making it extremely difficult for IT and security leaders to have insight into all of the integrations deployed in their environment, which expands the organization’s digital supply chain.
There is some acknowledgement of this problem: the National Institute of Standards and Technology (NIST) recently updated its guidelines for cybersecurity supply chain risk management. These new directives consider that as enterprises adopt more and more software to help run their business, they increasingly integrate third-party code into their software products to boost efficiency and productivity. While this is great recognition, there is another whole ecosystem of supply chain dependencies related to the mass amount of integrations of core systems with third-party applications that is being overlooked.
For companies whose internal processes are irreversibly hyperconnected, all it takes is an attacker spotting the weakest link within connected apps or services to compromise the entire system.
Businesses have to determine how best to manage this kind of scenario. What level of data are these apps gaining access to? What kind of permissions will this app have? Is the app being used, and what is the activity like?
Understanding the layers in which these integrations operate can help security teams pinpoint their potential attack areas. Some forward-looking chief information security officers (CISOs) are aware of the problem but only seeing a fraction of the challenge. In the era of product-led growth and bottom-up software adoption, it’s difficult to have visibility into all the integrations between an organization’s cloud applications, as the average enterprise uses 1,400 cloud services.
Closing the Security Gap
The risks of digital supply chain attacks are no longer confined to core business applications or engineering platforms — these vulnerabilities have now expanded with the proliferating web of interconnected third-party applications, integrations, and services. Only new governance and security strategies will close this expanding security gap.
There needs to be a paradigm shift within the market to protect this sprawling attack surface. In doing so, the following would need to be addressed:
- Visibility into all app-to-app connections: Security teams need a clear line of sight not only into systems that connect to sensitive assets, but into
- Threat detection: The nature of every integration — not just the standalone applications — needs to be evaluated for risk level and exposure (e.g., redundant access, excessive permissions).
- Remediation strategies: Threat prevention strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface.
- Automatic, zero-trust enforcement: Security teams must be able to set and enforce policy guardrails around app-layer access (e.g., permission levels, authentication protocols).
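As an added illustration (not code from the article or any vendor) of the questions raised earlier about what data and permissions an app holds and whether it is still used, and of the detection and guardrail criteria in the list above, the following Python evaluates a constructed inventory of app-to-app grants for redundant access, excessive permissions, weak authentication on sensitive systems, and apps whose reach spans several sensitive systems. The Grant schema, scope names and thresholds are assumptions, not any real export format.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical record for one app-to-app grant, shaped like an IdP or SaaS admin
# export: which third-party app reaches which core system, with what scopes.
@dataclass(frozen=True)
class Grant:
    app: str
    target: str
    granted: frozenset[str]     # scopes actually held
    required: frozenset[str]    # scopes the vendor's integration docs ask for
    auth: str                   # "oauth" or "api_key"
    last_used: datetime | None  # None = never observed making a call
    sensitive: bool             # target holds customer data or source code

NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)  # fixed clock (constructed)

def assess(g: Grant, now: datetime = NOW, idle_days: int = 90) -> list[str]:
    """Findings for one grant, following the article's risk criteria."""
    findings = []
    if g.last_used is None or now - g.last_used > timedelta(days=idle_days):
        findings.append("redundant-access")        # dormant grant still holding scopes
    if g.granted - g.required:
        findings.append("excessive-permissions")   # more scopes than the integration needs
    if g.auth == "api_key" and g.sensitive:
        findings.append("weak-auth-protocol")      # static long-lived key on a sensitive system
    return findings

def evaluate(inventory: list[Grant]) -> dict[str, list[str]]:
    """Per-app findings, plus 'broad-blast-radius' for apps reaching several sensitive systems."""
    report: dict[str, list[str]] = {}
    reach: dict[str, set[str]] = {}
    for g in inventory:
        report.setdefault(g.app, []).extend(assess(g))
        if g.sensitive:
            reach.setdefault(g.app, set()).add(g.target)
    for app, targets in reach.items():
        if len(targets) > 1:
            report[app].append("broad-blast-radius")   # one compromise reaches all of them
    return report

# Constructed sample inventory; scope names are illustrative, not any vendor's.
R, W, A = frozenset({"read"}), frozenset({"read", "write"}), frozenset({"admin"})
SAMPLE = [
    Grant("ci-bot", "git", W | A, W, "oauth", NOW - timedelta(days=2), True),
    Grant("old-report-tool", "crm", R, R, "api_key", NOW - timedelta(days=200), True),
    Grant("chat-notifier", "git", R, R, "oauth", NOW - timedelta(days=1), True),
    Grant("chat-notifier", "crm", R, R, "oauth", NOW - timedelta(days=1), True),
]
```

Running `evaluate(SAMPLE)` flags ci-bot for an admin scope it does not need, old-report-tool for a dormant static key on a sensitive system, and chat-notifier only for the breadth of systems a single compromise of it would reach.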
The good news is that we are starting to see a shift in the industry’s mindset. Some businesses are already taking the initiative and putting processes in place to stay ahead of a potential service supply chain attack — like HubSpot, which just released a message to help eliminate potential risks associated with the use of API keys. GitHub also recently introduced a fine-grained personal access token that offers enhanced security to developers and organization owners to reduce the risk to data of compromised tokens.
Ultimately, the digital world in which we live is only going to become more hyperconnected. In parallel, the industry needs to further its understanding and knowledge of these potential threats within the supply chain, before they cascade into more headline-making attacks.