MailChimp, a leading email marketing firm, recently disclosed that hackers had gained access to internal customer support and account management tools, which could be used to launch phishing attacks to steal customer data. Buried beneath the headline, however, was this even bigger eye-opener:
“In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.”
In today’s API economy, API keys and OAuth tokens truly hold the keys to the kingdom, enabling bad actors not only to launch phishing attacks but to conduct potentially broader and more destructive supply chain attacks that can lead to massive data theft. In fact, the vast majority of recent high-profile attacks, such as the Mimecast breach that resulted from the SolarWinds compromise and the recent LAPSUS$ attack against Okta, have a significant supply chain component. In each case, hackers targeted supply chain access and third-party vendors, since those vendors are trusted with highly privileged access yet often don't apply sufficient security controls.
The reality is that few SaaS customers actually perform a full audit of their third-party vendors, applications, and integrations, leaving applications with inherent vulnerabilities, misconfigurations, and over-privileged integrations unseen and unmanaged. Worse yet, over time privileges drift, integrations go unused, and configurations change, which calls for continuous monitoring, something overburdened IT security departments cannot do effectively by hand.
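The audit the paragraph above says few customers perform can be expressed as a small policy check over an inventory of third-party grants. The script below is an added example, not Valence's or MailChimp's code: it takes a constructed inventory of API keys and OAuth grants (a real audit would pull this from each SaaS platform's admin API), flags grants whose scopes exceed an assumed per-integration allow-list, flags grants unused for longer than an assumed 90-day threshold, and reports scope drift against a previously recorded baseline. The application names, scope strings and dates are all constructed for illustration.

```python
"""Audit third-party SaaS integrations for over-privilege, staleness and drift.

Added example with constructed data; the app names, scopes and policy values
are assumptions, not taken from any real SaaS platform.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)   # assumed policy: a grant unused for 90 days is stale

# Assumed allow-list: the scopes each approved integration legitimately needs.
APPROVED_SCOPES = {
    "newsletter-sync": {"audience.read", "campaigns.read"},
    "crm-connector": {"contacts.read", "contacts.write"},
}

# Constructed inventory: one record per third-party grant (API key or OAuth app).
INVENTORY = [
    {"app": "newsletter-sync", "kind": "api_key",
     "scopes": {"audience.read", "campaigns.read"},
     "last_used": NOW - timedelta(days=2), "owner": "marketing"},
    {"app": "crm-connector", "kind": "oauth",
     "scopes": {"contacts.read", "contacts.write", "admin.export"},
     "last_used": NOW - timedelta(days=10), "owner": "sales"},
    {"app": "zap-legacy-export", "kind": "oauth",
     "scopes": {"audience.read", "audience.export"},
     "last_used": NOW - timedelta(days=200), "owner": "alice (left company)"},
]

# Constructed baseline: scopes each app held at the last review, used to detect drift.
BASELINE = {
    "newsletter-sync": {"audience.read", "campaigns.read"},
    "crm-connector": {"contacts.read", "contacts.write"},
}


def audit(inventory, approved, now=NOW, stale_after=STALE_AFTER):
    """Return (app, finding, detail) tuples for unapproved, over-privileged and stale grants."""
    findings = []
    for grant in inventory:
        allowed = approved.get(grant["app"])
        if allowed is None:
            # No approved scope set means nobody reviewed this integration at all.
            findings.append((grant["app"], "unapproved", "no approved scope set on record"))
        else:
            excess = grant["scopes"] - allowed
            if excess:
                findings.append((grant["app"], "over_privileged", ",".join(sorted(excess))))
        idle = now - grant["last_used"]
        if idle > stale_after:
            findings.append((grant["app"], "stale", f"unused for {idle.days} days"))
    return findings


def detect_drift(baseline, inventory):
    """Return {app: scopes_added_since_baseline} for apps whose scopes grew since the last review."""
    drift = {}
    for grant in inventory:
        previous = baseline.get(grant["app"])
        if previous is None:
            continue  # brand-new apps are reported by audit() as unapproved, not as drift
        added = grant["scopes"] - previous
        if added:
            drift[grant["app"]] = added
    return drift


def recommended_action(finding):
    """Map a finding type to the remediation a reviewer would take."""
    return {
        "stale": "revoke the grant",
        "unapproved": "review and either approve scopes or revoke",
        "over_privileged": "reduce scopes to the approved set",
    }[finding]


if __name__ == "__main__":
    for app, finding, detail in audit(INVENTORY, APPROVED_SCOPES):
        print(f"{app:20} {finding:16} {detail:40} -> {recommended_action(finding)}")
    for app, added in detect_drift(BASELINE, INVENTORY).items():
        print(f"{app:20} drift: scopes added since last review: {sorted(added)}")
```

Running this against the constructed inventory flags the CRM connector for holding an `admin.export` scope it was never approved for (which `detect_drift` also reports as new since the baseline), and the legacy export app both as unreviewed and as unused for 200 days, the two conditions under which a grant such as the API keys in the MailChimp disclosure should simply be revoked.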
Valence is the first SaaS security company to address the security challenges posed to an organization’s SaaS-to-SaaS supply chain by unmanaged third-party integrations, including direct APIs, OAuth apps in SaaS marketplaces, and no-code/low-code citizen development platforms such as Zapier, Workato, and Mulesoft.