This report covers key trends and challenges organizations face when trying to gain visibility and control over the growing and fast-changing world of SaaS-to-SaaS third-party integrations, known as the SaaS mesh. This mesh grows via API tokens, OAuth third-party apps, SaaS marketplaces, and no/low-code automated workflows, each of which places sanctioned, business-critical SaaS applications at risk of supply chain attacks. Statistics in this report come from two sources: a survey of top CISOs, collected anonymously by Valence Threat Labs researchers in conjunction with , and cross-tenant metadata extracted from the that has been aggregated and anonymized to ensure customer privacy.
SaaS Mesh Risks
The democratization of IT has empowered business users across organizations to manage best-of-breed SaaS applications directly, without IT security review or governance. This has greatly reduced deployment time and enhanced business agility, productivity, and collaboration. However, the indiscriminate connection of SaaS applications also increases the risk of unvetted supply chain access to business-critical applications such as Salesforce, Microsoft 365, and Google Workspace. These high-risk connections are typically created by end users who are encouraged by SaaS vendors to consent to OAuth apps without understanding the security implications of the permissions they grant, or how to revoke that access later. In addition, business owners often generate over-privileged API tokens that significantly increase the blast radius of any breach at a supply chain vendor. Lastly, citizen developers automate workflows by building complex data flows in no/low-code platforms into which security teams have no visibility, so these flows remain hidden from them.
The survey queried decision-makers with cybersecurity-relevant job titles such as CISO, CIO, and Director/VP of IT Security, distributed across organizations ranging in size from under 1,000 employees to more than 20,000 employees. Respondents were recruited via email invitations containing an embedded link to the online survey. The email invitations were sent to a select group from YL Venture's qualified database. Valence Security was responsible for all survey design, data collection, and data analysis. These procedures were carried out in strict accordance with standard market research practices and existing US privacy laws.