Are API partners the weakest link?

In the cyber security world there is a concept known as a supply chain attack. Essentially, what this means is that rather than attacking home base head-on, you infiltrate it by identifying weak partners or supply routes and compromising them instead.

This concept can also be applied to hacking SaaS or cloud based applications and services. In this case a large SaaS vendor could be difficult to compromise head-on due to a heavy focus on security, so instead a hacker would look for the weak points.

The weakest link will almost always be the users of the software. But what if the SaaS vendor has systems in place to detect if a user account has been breached? In that case a hacker would move further down the chain and start looking for other ways to get to their data. Enter the partner or supplier channel. If a hacker can compromise a user’s account on a partner app, they can then gain access to that customer’s data in the core application.

Findings from the recent PwC Global State of Information Security Survey 2017 reveal that there has been an 11% increase in security incidents originating from suppliers, business partners, and resellers and that they now account for 21% of reported attacks.

So let’s talk about how your API Partners could leave you exposed to risk and also address how this problem can be solved so that everyone is more secure.

API partners

Most cloud based applications and services have APIs which enable customers and partners to create tighter integrations between the various tools and systems that they use. While the APIs might be very secure, often the smaller partners or consumers of these APIs are not, which opens up the door for attackers.

An example

For example, let’s put ourselves in the hacker’s shoes and consider how we could gain access to sensitive financial data in a cloud based accounting system. We can presume that most online financial applications have a strong security focus with monitoring at all levels, including breach detection and notifications when a user account has been compromised. This all makes attacking the application head-on a difficult proposition. So let’s take a look at their “supply chain”.

In this example, the accounting application has hundreds of add-on partners, typically smaller SaaS companies that have connected via the API to provide value-added services like enhanced reporting, expense claim management, or payroll.

Most of these partners will have full access to read and possibly manipulate their customers’ financial data in the original application. Given the partners are often smaller companies, they don’t have the luxury of a dedicated security team or the same level of monitoring systems in place to secure their own products. What this means is that if a hacker can compromise the user account of a partner, they can in turn gain access to that customer’s data in the core application.

For large SaaS vendors this presents a real problem – as is highlighted in the new PwC survey – that is really hard to solve. They want to enable access to data and grow the ecosystem of connected applications, but in doing so they also delegate security to smaller, less capable partners.

So what can be done?

The first step is for organizations to require partners to pass a security review as part of their “go live” process. This review should include how the partner detects and responds to security incidents, like breached user accounts.

Given that 63% of confirmed data breaches involve leveraging weak, default or stolen passwords, otherwise known as compromising a user account, it’s critical that API partners do more to protect their own users and the supply chain up to the main data source that their business relies on.
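The post says partners must be able to detect breached user accounts but gives no illustration of what such detection looks like, so here is an added example, not code from the original post or from any vendor it mentions. It flags the signature of a stolen or guessed password on a partner app: a run of failed logins followed by a success from a source IP that has never logged into that account before. The login events, the failure threshold and the time window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events for a hypothetical partner app (not real data).
# Each entry is (ISO timestamp, username, source IP, outcome).
EVENTS = [
    ("2017-03-01T09:00:00", "alice", "203.0.113.10", "success"),
    ("2017-03-01T09:05:00", "alice", "203.0.113.10", "success"),
    ("2017-03-02T02:10:00", "alice", "198.51.100.7", "failure"),
    ("2017-03-02T02:10:05", "alice", "198.51.100.7", "failure"),
    ("2017-03-02T02:10:09", "alice", "198.51.100.7", "failure"),
    ("2017-03-02T02:10:14", "alice", "198.51.100.7", "failure"),
    ("2017-03-02T02:10:20", "alice", "198.51.100.7", "failure"),
    ("2017-03-02T02:10:31", "alice", "198.51.100.7", "success"),
    ("2017-03-01T10:00:00", "bob", "203.0.113.20", "success"),
    ("2017-03-02T08:00:00", "bob", "203.0.113.20", "failure"),
    ("2017-03-02T08:00:30", "bob", "203.0.113.20", "success"),
]

# Assumed tuning values; a real deployment would derive these from its own traffic.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def detect_compromised_logins(events, failure_threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per successful login that was preceded, within `window`,
    by at least `failure_threshold` failures from the same IP, where that IP has
    no prior successful login for the account. A single typo from a known IP
    (bob below) is not flagged; a burst of failures from a new IP (alice) is."""
    events = sorted(events, key=lambda e: e[0])
    known_ips = defaultdict(set)        # user -> IPs with an earlier successful login
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failures in window
    alerts = []

    for ts_str, user, ip, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        key = (user, ip)

        if outcome == "failure":
            # Keep only failures that are still inside the sliding window.
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
            recent_failures[key].append(ts)
            continue

        failures = [t for t in recent_failures[key] if ts - t <= window]
        if len(failures) >= failure_threshold and ip not in known_ips[user]:
            alerts.append({
                "user": user,
                "source_ip": ip,
                "at": ts_str,
                "failures_before_success": len(failures),
                # Suggested response for the partner app: step-up authentication
                # or suspension of this user's API access to the core application.
                "recommended_action": "suspend_api_access_and_notify",
            })

        known_ips[user].add(ip)
        recent_failures[key].clear()

    return alerts


if __name__ == "__main__":
    for alert in detect_compromised_logins(EVENTS):
        print(alert)
```

The point of the example is the shape of the check rather than the exact numbers: a partner app that records login outcomes per account and per source already has enough data to raise an alert before a stolen credential is used to pull the customer's data out of the core application through the partner's API token.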

Unfortunately, without a dedicated security team or extra resources, small businesses cannot build complex breach detection systems. They all have a to-do list a mile long and, let’s face it, they probably should be focusing on their core competencies and closing more deals rather than building custom security software.


Attacking the supply chain of SaaS companies means going after the partner apps that are connected to the mothership via API. They often have fewer security measures in place and will be less likely to notice if a user account has been breached.

To an attacker, these partners are an obvious weak point that can be exploited.

As an API partner there needs to be a clear understanding that a security incident on your watch could lead to an integral partnership being severed, which could result in the end of business for you.

As a large SaaS vendor or API provider, you are aware of the weak point in the supply chain but face the challenge of how to enforce greater security with partners.

In my (extremely biased) view a great solution is for larger SaaS vendors to mandate basic security hygiene like breach detection as part of the partner approval process. For the partners there are new services on the market for adding application level security and monitoring.

And remember – if you’re thinking of building your own security into your product, think again. Cyber security is a moving target that requires a dedicated team and continuous updates, and you’ll soon lose focus on your core business.