
SaaS-to-SaaS Third-party Integrations in Salesforce

Salesforce is the leading CRM platform and one of the most used SaaS applications in the market. As the Salesforce ecosystem continues to grow, more third-party vendors build innovative tools that unlock new business opportunities. Revenue, sales and marketing teams onboard new vendors through third-party integrations authorized via OAuth tokens and AppExchange marketplace apps. These connections are powerful tools for increasing employee productivity and collaboration and for gathering insights from customers’ data.

Furthermore, Salesforce has an automation capability, Salesforce Flow, that lets Salesforce users reduce manual work using Process Builder, and collect data from Salesforce and perform actions in either Salesforce or external systems using Flows. Additionally, in May 2018 Salesforce acquired MuleSoft, a platform aimed at supporting IT and business teams in the development of integrations, APIs, and automation. Since the acquisition, MuleSoft has increased both the number of available integrations with Salesforce services and their depth.

Securing Non-human Salesforce Third-party Integrations

While Salesforce security is inherently strong, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar access grants can be exploited to gain the keys to the kingdom, placing Salesforce customers at risk of data breaches and account exposure.

Supply chain access attacks against Salesforce are not properly covered by existing security approaches such as IdP (Identity Providers) and CASB (Cloud Access Security Broker) solutions that focus on human-to-SaaS access controls and neglect the critical growing non-human SaaS-to-SaaS third-party integration layer.

Salesforce Supply Chain Risks

In the modern era, where an organization uses multiple services from different third-party vendors, sensitive information can be compromised via an indirect path: instead of targeting a victim directly for its data, an attacker can target a third-party vendor and leverage that vendor's access to reach its clients' systems and data. These attack vectors can target third-party access tokens, as when attackers stole OAuth tokens of Salesforce-owned Heroku to gain unauthorized access to GitHub repositories. In other cases, attackers can target customer data that was gathered through third-party integrations, as in the Apollo data breach. The attackers weren’t after Apollo’s own data; they targeted Apollo’s customers’ data, most of which was gathered from Salesforce through the Apollo-Salesforce integration. Moreover, since Apollo didn’t implement proper least privilege configurations for the integration with Salesforce (i.e., it gained higher access than needed), many Apollo customers had more sensitive data from Salesforce in Apollo’s database than expected.

How Can Valence Help with Salesforce Security?

Valence seamlessly integrates with your Salesforce environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it:

  • Discover all your third-party integrations that connect to Salesforce such as OAuth tokens and AppExchange marketplace apps
  • Analyze the scope of access and actual usage of SaaS-to-SaaS connections to remove over-privileged and inactive integrations
  • Uncover the third-party vendors that were granted access tokens to ensure alignment with vendor risk management and TPRM programs
  • Monitor API calls made by third-party apps to detect potential abuse, compromise or API takeover attacks against your critical data
  • Automate workflows to ensure effective remediation and communication with end users and business owners in the modern distributed IT environment
