The shift toward an increasingly digital workforce has led to a massive increase in software-as-a-service (SaaS) applications. These promise everything from simplified communications to improved efficiency, and users have literally thousands of options from reputable companies and private developers from which to choose. Yet many apps come with serious vulnerabilities, turning them from an asset into a liability. 

With varying access and threat levels, these apps can have a catastrophic impact on the security of supply chains. Case in point is the recent space of supply chain attacks on established software providers such as SolarWinds’ Orion Platform, Kaseya VSA, GitHub and Viasat KA-SAT. In April, 2022, GitHub identified an attack on two third-party vendors critical to its supply chain, Travis CI and Heroku. Despite acting quickly, the company acknowledged that this type of breach could have led to a more extensive supply chain attack and compromised mission-critical infrastructure.

Time is critical when dealing with SaaS attacks. The more information that’s compromised, the greater the potential for damage. Attacks are swift, taking advantage of the time gap to infiltrate systems before victims become aware and can take action. Though GitHub took the proper reactionary measures, the lack of an accurate inventory of third-party vendors’ access privileges cost it valuable response time.

Managing and reducing SaaS app risks is a time-consuming and complex process. Following are five proactive measures that companies can take to minimize the impact.

Understand the scope of access and permissions requests from SaaS apps. When a company’s IT team installs SaaS applications, they must be aware of every access token used, and which permissions are required. IT security teams need an accurate picture of their SaaS app inventory to verify credibility authorship and identify risks. Failure to do so can delay a company’s ability to find security compromises, address those weaknesses and prevent further damage.

Build a software bill of materials to manage risks. SBOMs, both "Deployed" and "Runtime," are vital tools for managing risk associated with SaaS applications. A Deployed SBOM identifies software that's active on a system and analyzes its execution behavior in a possible simulated development setting. Runtime SBOMs, sourced from the system operating the software, document current system components and any external interactions or dynamically loaded elements. These might also be termed "Instrumented" or "Dynamic" SBOMs.

Regardless of which SBOM you use, it should provide a comprehensive list of software details such as license type, patch status and component version. Software that’s outdated or poses high-security risks becomes much easier to observe and address.

Enforce least privilege when granting SaaS app permissions. Supply chain vendors, internal vendors and other entities should only be granted the minimum level of access needed to perform their duties. Limiting access prevents attackers from moving laterally through the organization and doing even more extensive damage. Enforcing least privilege provides a simplified way to manage potential SaaS risks across supply chain segments.

Continuously monitor cloud environments. SaaS defense requires continuous defense. Admins have a bevy of tools for ensuring the performance, security and availability of resources. One important option is monitoring services provided by cloud service providers. Real-time insights into performance and health metrics ensure early detection and faster response times. In addition, there are a host of third-party monitoring tools on the market that act as a second safety net.

Conduct an inventory of SaaS apps. At-home environments — the software and networks employed by remote workers — are riskier than private environments, thanks to non-existent or weak security policies. LastPass experienced this firsthand in December, 2022 when an engineer’s home computer was compromised. Threat actors were able to successfully run remote code execution capabilities and plant keylogger malware, allowing for capture of the engineer’s master password and access to the LastPass corporate vault. Following the initial attack, they could steal encrypted data and secure notes until they got to the company’s AWS S3 LastPass production backups, cloud-based storage, and mission-critical database backups.

Cybersecurity is essential for every aspect of business, including supply chains. IT teams need policies and procedures that identify access levels of their personnel and software, cloud and third-party monitoring, and an accurate inventory of SaaS apps. Revealing and mitigating supply chain security should be a top priority for organizations.

Alexander Adamov is chief security researcher for Spin.AI, and a professor at NURE and BTH universities.