There is a SaaS for everything. Each year, businesses rely more and more on software-as-a-service platforms for different tasks – from website analytics to accounting and from payroll management to email automation. According to Statista, an average organization had used only 8 SaaS platforms in 2015, but by 2022, that number had increased to 130.
It is hard to tell the exact number, though: as VentureBeat outlines in their article, IT leaders are often not even fully aware of the whole spectrum of SaaS platforms their employees use. The actual number is likely higher.
The growing popularity of SaaS platforms is not without reason. By leveraging these services, companies can concentrate on their core vision while utilizing various third-party SaaS solutions as components of their products. These platforms also offer ready-made solutions for ancillary business functions like marketing and support, among others.
Reliance on SaaS is unavoidable. But it introduces risks and security issues.
The SaaS Attack Surface
SaaS services typically require close integration with a company’s existing technology stack. This involves utilizing the APIs provided by these products and creating subdomains for specific functions like help centers, blogs, and more.
The bigger the organization, the more SaaS providers it likely relies upon and the more subdomains and APIs it generates to maintain these integrations. According to Attaxion, an external attack surface management vendor, large organizations typically have thousands of subdomains.
The problem is that a business is only as protected from cyber threats as the weakest SaaS provider it uses – the chain is as strong as its weakest link. Altogether, these subdomains, APIs, and vulnerabilities in third-party SaaS services constitute the so-called SaaS attack surface of the company.
As companies increasingly rely on SaaS platforms, their SaaS attack surface keeps expanding every year. According to Gartner, attack surface expansion was the number one business cybersecurity trend in 2023, and in 2024, the situation is not likely to change.
The Top Security Risks of Using Third-Party SaaS Providers
1. Data Leaks
B2B SaaS providers process customer data of hundreds or thousands of organizations. That makes them one of the favorite targets for malicious actors. As a result, these service providers are prone to data breaches.
Recent examples of major B2B SaaS providers that experienced data breaches, leaking tremendous amounts of data, include Twilio, a communication platform, and Okta, a single-sign-on provider. Both are widely used across many businesses and deeply embedded in their daily operations. Both companies process very sensitive data, so these data breaches affected Twilio’s and Okta’s clients quite severely.
In accordance with modern data protection legislation such as GDPR and CCPA, if a third-party service that a company uses is allowed to process its customers’ data, this company has certain responsibilities in case that third-party service experiences a data breach. As a result, Twilio’s and Okta’s data breaches resulted in problems for thousands of their clients, even if their operations were not directly affected.
These two breaches are far from the only ones. According to SCMagazine, data leaks are the most common security incidents in the SaaS field.
There is no way to completely rule out such incidents for an organization that relies on third-party providers. However, an organization can – and must – conduct due diligence before bringing a new SaaS provider on board.
It is important for an organization’s IT department to stay fully informed about the SaaS providers used by employees. This requires conducting regular audits, maintaining continuous monitoring, and implementing strict security policies to adopt new SaaS tools.
2. Supply Chain Attacks
If a third-party SaaS provider experiences a security breach, it sometimes allows the attackers to breach its clients as well, i.e., to conduct a supply chain attack. The likelihood of this, of course, depends on how deeply the SaaS provider and its clients are integrated and on the goals and capabilities of the attackers. But it is never zero, and it can lead to devastating results.
The most well-known recent example of a supply chain attack that included a major SaaS provider is the SolarWinds attack. NPR called it “A worst nightmare cyberattack.”
SolarWinds, an IT management platform, unknowingly distributed a compromised update to its customers. This malicious update enabled bad actors to also breach the networks of SolarWinds’ customers, resulting in a widespread attack that affected numerous companies.
In the aforementioned Gartner report, digital supply chain risks occupy position number three in the list of cybersecurity trends.
Prevention techniques against supply chain attacks include careful management of access rights that apps get, as well as testing all updates in isolated environments. Unfortunately, this does not guarantee 100% supply chain attack prevention, as there is no such thing as 100% security. Still, at least it lowers the chances of such an attack being successfully executed.
3. External Attack Surface Expansion
Using SaaS services also expands the organization’s external attack surface. This includes vulnerable subdomains, APIs, and ports used to integrate third-party SaaS tools into an organization’s IT infrastructure. Without proper monitoring and control, connected SaaS becomes a source of potential vulnerabilities that can result in subdomain takeovers and other attacks.
The issue becomes more critical, considering businesses often stop using certain SaaS providers but retain the accounts and associated records. This happens either because they plan to use the tool again or forget to properly deactivate and clean up these accounts. Abandoned subdomains or unused APIs are easier for attackers to exploit because they do not receive much attention, especially if they belong to shadow IT – assets the IT team is unaware of.
Let’s look at a few examples of external attack surface issues resulting from using external SaaS providers.
Penetration testers from Haqtify discovered vulnerabilities in Heroku, a cloud platform that allows users to build and operate web applications in the cloud. Heroku enables the connection of domains and subdomains to its virtual hosting service. Haqtify discovered that attackers could seize control of abandoned subdomains by creating an app with the same name as the expired subdomain. Once an attacker takes over a subdomain, they can use it for phishing or malvertising purposes. In some cases, getting control over one subdomain allows attackers to advance further into the company’s systems.
Another example happened with the social network X (previously known as Twitter), which had 5.4 million user records stolen and leaked online due to a vulnerability attackers found in one of its APIs. In contrast to the Heroku example, which was part of a penetration test, this was a real attack with severe consequences.
There are many more potential ways third-party tools can contribute to an organization’s external attack surface expansion. Even using localization SaaS tools like Weglot creates numerous subdomains for different locales. If a locale is abandoned or someone decides to use a different subdomain for it, that may result in a dangling DNS record – which is the first and foremost prerequisite for conducting successful subdomain takeover attacks.
To prevent these types of incidents, Gartner recommends security leaders look beyond traditional approaches to security monitoring, detection and response to manage a wider set of risks.
To do that, organizations can use external attack surface management tools. Such tools rely on an outside-in approach, assuming the same position as potential attackers. They help organizations discover all assets associated with them, enumerate their subdomains, identify and manage vulnerable assets such as APIs or subdomains, and continuously monitor the external attack surface.
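As an added example, not code from the article or from any vendor it names, the script below runs the dangling-record check described above over a constructed zone export for a hypothetical example.com: the SaaS hostnames are made up, and a stub resolver stands in for live DNS so it runs offline. It separates CNAMEs that point into a third party's zone (the takeover-prone case) from internal ones that are merely broken.

```python
"""Spot dangling CNAME records, the precondition for subdomain takeover.
Constructed sample zone for a hypothetical example.com; the stub resolver
stands in for live DNS so the check runs offline."""
import socket
from typing import Callable, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (name, type, target) from a zone export
# Constructed zone: "blog" points at a SaaS host that no longer exists,
# "fr" at an abandoned locale, "legacy" at a retired internal host.
SAMPLE_ZONE: List[Record] = [
    ("www.example.com", "A", "203.0.113.10"),
    ("help.example.com", "CNAME", "acme-help.helpdesk-saas.example.net"),
    ("blog.example.com", "CNAME", "old-blog.webhost-saas.example.net"),
    ("fr.example.com", "CNAME", "fr-acme.l10n-saas.example.net"),
    ("legacy.example.com", "CNAME", "old-app.example.com"),
    ("app.example.com", "CNAME", "www.example.com"),
]
# Constructed view of hostnames that currently answer; anything missing is
# treated as NXDOMAIN, which is what a dangling target looks like from outside.
SAMPLE_RESOLVABLE = {"www.example.com", "acme-help.helpdesk-saas.example.net"}

def stub_resolves(host: str) -> bool:
    """Offline stand-in for a DNS lookup."""
    return host in SAMPLE_RESOLVABLE

def live_resolves(host: str) -> bool:
    """Real lookup through the system resolver (NXDOMAIN raises gaierror)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone: Iterable[Record], org_zone: str,
                  resolves: Callable[[str], bool]) -> List[Tuple[str, str, bool]]:
    """Return (name, target, external) for each CNAME whose target does not
    resolve. external=True means the target lives in a third-party zone: the
    takeover-prone case, since someone else may be able to claim that name.
    An internal dangling target is only a broken record to clean up."""
    findings = []
    for name, rtype, target in zone:
        if rtype.upper() != "CNAME" or resolves(target):
            continue
        external = not target.endswith("." + org_zone)
        findings.append((name, target, external))
    return findings

if __name__ == "__main__":
    for name, target, ext in find_dangling(SAMPLE_ZONE, "example.com", stub_resolves):
        print(f"{name} -> {target} [{'third-party' if ext else 'internal'}]")
```

Swap `stub_resolves` for `live_resolves` and feed a real zone export to run the same check against your own records.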
Conclusion
Third-party SaaS security issues pose a huge threat to all organizations, as each and every business relies on at least some SaaS platforms for its operations. The SaaS attack surface is hard to control, so it is important to both maintain a good inventory of the SaaS platforms an organization is using and enforce tight security rules when it comes to using third-party SaaS.
As the SaaS attack surface continues expanding, organizations – regardless of size or industry – should add tools such as external attack surface management to their information security stack. These tools will give them visibility and control over their external attack surface, helping defend against such attacks.