Salesforce is the leading CRM platform and one of the most widely used SaaS applications on the market. As the Salesforce ecosystem continues to grow, more third-party vendors build innovative tools that unlock new business opportunities. Revenue, sales and marketing teams onboard new vendors through third-party integrations authorized via OAuth tokens and through AppExchange marketplace apps. These connections are powerful tools for increasing employee productivity and collaboration and for gathering insights from customer data.
Furthermore, Salesforce has an automation functionality, Salesforce Flow, that empowers Salesforce users to reduce manual work using Process Builder, and to collect data from Salesforce and perform actions in either Salesforce or external systems using Flows. Additionally, Salesforce acquired Mulesoft (in May 2018), a platform aimed at supporting IT and business teams in the development of integrations, APIs, and automation. Since the acquisition, Mulesoft has expanded its integrations with Salesforce services, both in the number of available integrations and in how deeply they reach into Salesforce.
While Salesforce is inherently secure, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar grants can be exploited to gain the keys to the kingdom, placing Salesforce customers at risk of data breaches and account exposure.
Supply chain access attacks against Salesforce are not properly covered by existing security approaches such as IdP (Identity Provider), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions, which focus on human-to-SaaS access controls and neglect the critical and growing non-human SaaS-to-SaaS third-party integration layer.
In the modern era, where an organization uses multiple services from different third-party vendors, sensitive information can be compromised via an indirect path: instead of targeting a victim for its own data, an attacker can target a third-party vendor and leverage that vendor's access to reach its clients' systems and data. These attack vectors can target third-party access tokens, as when attackers stole OAuth tokens of Salesforce-owned Heroku to gain unauthorized access to GitHub repositories. In other cases, attackers target customer data that was gathered through third-party integrations, as in the Apollo data breach. The attackers weren’t after Apollo’s own data; they targeted Apollo’s customers’ data, which was mostly gathered from Salesforce through the Apollo-Salesforce integration. Moreover, since Apollo didn’t implement proper least privilege configurations for the integration with Salesforce (i.e., the integration was granted higher access than it needed), many Apollo customers had more sensitive Salesforce data in Apollo’s database than expected.
Valence seamlessly integrates with your Salesforce environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it: