Salesforce’s glaring Dreamforce omission: Vital security lessons from Salesloft Drift

The biggest blind spot: When companies delegate access to third parties via OAuth integrations, it creates a systemic security blind spot that spans all industries. By stealing those tokens, attackers can gain access to all connected systems.

“Authorizing a malicious connected app bypasses many traditional defenses such as MFA, password resets and login monitoring, and because OAuth tokens are issued by Salesforce itself, activity coming from the malicious app can look like it’s from a trusted integration,” the FBI warned in an alert released in September.

The exploitation of such weaknesses is only going to get worse, especially as AI-related integrations increasingly become the norm. Whereas a traditional CRM integration might need contact data, “an AI sales assistant typically requires contacts, email histories, calendar information, deal pipeline data, conversation logs, and product catalogs,” noted Trend Micro AI security expert Fernando Tucci in a report on why the breach of Salesloft Drift, an AI chatbot, hits differently. “This broader access pattern means a single compromised AI integration can expose significantly more sensitive information than traditional point solutions.”

Worse, because AI chatbots are specifically designed to access large data sets, when a malicious actor piggybacks on the same connection to steal data, the traffic pattern can look legitimate.

Understanding all these partnerships and connections requires close coordination with vendor management, says Steve Winterfeld, advisory CISO at Akamai. “Plus, understanding where your data is takes both culture-driven policies and technical controls,” he says. With white-labeled services, APIs, and now LLMs, these two goals are much more complex. “If you haven’t conducted a supply chain breach exercise yet, now is the time,” Winterfeld says.
“These recent events underscore the importance of validating your program.”

Ironically, many security firms were among the victims, including Zscaler, Cloudflare, Palo Alto Networks, PagerDuty, SpyCloud, Tenable, Proofpoint, Rubrik, BeyondTrust, Bugcrowd, JFrog, CyberArk, and Black Duck.

One company that didn’t fall victim: One company that came through the breaches unscathed was cloud-based IAM vendor Okta. Why? It allowed connections only from authorized IP addresses.

According to Okta, when the company learned of the compromise, it immediately reviewed its logs and found attempts to access resources with stolen tokens, but those attempts failed. “The single most important control that prevented this breach was our enforcement of inbound IP restrictions,” the company said. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address. This security layer proved essential, blocking the unauthorized attempt at the front door before any access could be gained.”

This allowlisting approach to security is a powerful tactic, but it’s difficult to implement because it requires a great deal of discipline. Another challenge is that not all SaaS vendors support this capability. “Many providers in the cloud-first world do not offer this foundational security feature, creating a significant challenge for protecting interconnected systems,” Okta said.

Foundational security benchmarks for SaaS providers are only now coming together, following the Cloud Security Alliance’s recently launched SaaS Security Capability Framework (SSCF). Okta noted that Salesforce already offers this functionality, but added that using it requires “significant effort,” given that restrictions have to be configured for APIs and users.

Another way to protect connections is to bind them to a specific client using Demonstrating Proof of Possession (DPoP), which prevents the reuse of stolen tokens, but this is even more difficult in practice because it requires changes to the authentication flow and adds new requirements for clients and servers. Another option is mutual TLS, which offers even stronger security, but at an even higher cost of complexity.

In the financial sector, for example, some regulators mandate DPoP or mTLS; while it isn’t mandated in healthcare, there’s a use case there as well, according to Tyk Technologies. More companies should be looking at upgrading to these controls as their use of interconnected SaaS apps and AI tools increases. The Internet Engineering Task Force included both DPoP and mTLS among its best practices for OAuth security.
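The two controls described above, Okta's inbound IP allowlist and DPoP-style token binding, are easier to reason about when both checks sit side by side in one resource-server gate. The following Go program is an added illustration written for this page; it is not code from Okta, Salesforce, Salesloft or the IETF. It assumes a simplified proof format (a raw ed25519 signature over the HTTP method, URL, timestamp and a token hash, with a SHA-256 hash of the public key standing in for the RFC 7638 JWK thumbprint) rather than the JWS/JWK encoding RFC 9449 specifies, and all IP ranges, subjects and URLs in it are constructed documentation values. It goes slightly beyond the article by showing the three outcomes a defender cares about: a legitimate call passes, a replayed token from an unlisted address is stopped at the front door, and a replayed token from a listed address is still refused because the presenter cannot prove possession of the bound key.

```go
package main

// Added example, not from the article or any vendor: a resource server that
// applies an inbound IP allowlist and then a simplified DPoP-style
// proof-of-possession check to requests carrying an OAuth access token.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// AccessToken is the server-side view of an issued token. KeyThumbprint is the
// "cnf" binding: the hash of the public key the legitimate client holds.
// An empty thumbprint models a plain bearer token with no binding.
type AccessToken struct {
	Subject       string
	KeyThumbprint string
}

// Proof is the client's per-request demonstration that it holds the bound key.
type Proof struct {
	Method    string
	URL       string
	IssuedAt  time.Time
	TokenHash string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Request is what the resource server sees for one API call.
type Request struct {
	Method   string
	URL      string
	SourceIP netip.Addr
	Token    AccessToken
	Proof    *Proof // nil when the caller sent no proof
}

var (
	ErrSourceIP     = errors.New("blocked: source IP not in allowlist")
	ErrMissingProof = errors.New("rejected: key-bound token presented without a proof")
	ErrKeyMismatch  = errors.New("rejected: proof key does not match token binding")
	ErrBadSignature = errors.New("rejected: proof signature invalid")
	ErrStaleProof   = errors.New("rejected: proof too old or for a different request")
)

// Thumbprint stands in for the RFC 7638 JWK thumbprint (simplification: SHA-256 of raw key).
func Thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func tokenHash(t AccessToken) string {
	sum := sha256.Sum256([]byte(t.Subject + "|" + t.KeyThumbprint))
	return hex.EncodeToString(sum[:])
}

func proofMessage(method, url string, iat time.Time, th string) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", method, url, iat.Unix(), th))
}

// MakeProof is the client side: sign the request fields with the private key.
func MakeProof(priv ed25519.PrivateKey, method, url string, t AccessToken, now time.Time) *Proof {
	th := tokenHash(t)
	sig := ed25519.Sign(priv, proofMessage(method, url, now, th))
	return &Proof{Method: method, URL: url, IssuedAt: now, TokenHash: th,
		PublicKey: priv.Public().(ed25519.PublicKey), Signature: sig}
}

// Authorize applies the IP allowlist first (the "front door"), then the binding check.
func Authorize(req Request, allow []netip.Prefix, now time.Time) error {
	inRange := false
	for _, p := range allow {
		if p.Contains(req.SourceIP) {
			inRange = true
			break
		}
	}
	if !inRange {
		return ErrSourceIP
	}
	if req.Token.KeyThumbprint == "" {
		return nil // plain bearer token: holding it is enough, which is the weak default
	}
	pr := req.Proof
	if pr == nil {
		return ErrMissingProof
	}
	if Thumbprint(pr.PublicKey) != req.Token.KeyThumbprint {
		return ErrKeyMismatch
	}
	if pr.Method != req.Method || pr.URL != req.URL || pr.TokenHash != tokenHash(req.Token) ||
		now.Sub(pr.IssuedAt) > 5*time.Minute || pr.IssuedAt.After(now.Add(time.Minute)) {
		return ErrStaleProof
	}
	if !ed25519.Verify(pr.PublicKey, proofMessage(pr.Method, pr.URL, pr.IssuedAt, pr.TokenHash), pr.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	token := AccessToken{Subject: "crm-integration", KeyThumbprint: Thumbprint(pub)} // constructed subject
	allow := []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}               // constructed range
	now := time.Now()
	url := "https://example.invalid/api/query" // constructed URL

	legit := Request{Method: "GET", URL: url, SourceIP: netip.MustParseAddr("203.0.113.10"),
		Token: token, Proof: MakeProof(priv, "GET", url, token, now)}
	fmt.Println("legitimate client:", Authorize(legit, allow, now))

	// Same token presented without a proof from outside the allowlist: stopped by the IP check.
	replay := Request{Method: "GET", URL: url, SourceIP: netip.MustParseAddr("198.51.100.7"), Token: token}
	fmt.Println("replayed token, unlisted IP:", Authorize(replay, allow, now))

	// Same token from inside the allowlist: stopped by the possession check instead.
	replay.SourceIP = netip.MustParseAddr("203.0.113.44")
	fmt.Println("replayed token, listed IP:", Authorize(replay, allow, now))
}
```

The ordering matters: the IP check costs nothing and needs no client changes, which is why it is the control most organisations can turn on today, while the possession check is what closes the gap when an allowlisted address is not available or a token leaks from inside the listed range. Logging each distinct error separately (as the named errors above allow) is also what makes the kind of log review Okta described possible after the fact.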

Compounding risk going forward: When companies allow connections to systems outside their perimeter, they need to understand the risks they are assuming and the security controls available to them, Constellation’s Mehta says. Even a control as straightforward and common as multi-factor authentication can be difficult to implement for all employees, he says.

“From a solution provider perspective, they provide a specific set of security controls and features and it’s up to the customers to make sure they actually use them. In my view, it is a shared responsibility,” Mehta says.

Shared responsibility for security was an important part of the message of last week’s Dreamforce, but discussion of the Salesloft incident was conspicuously missing, a loss for attendees. Because if anything can be taken away from the past few months of Salesforce-related cybersecurity, it’s that software supply-chain security is more important than ever. And it will only increase in importance as more systems get connected, a key tenet of Salesforce’s aim to power the agentic enterprise.

Software supply-chain security is already not so easy to achieve, and, even as Salesforce promises to make this easier with the help of AI, it is AI itself that will make the problem that much harder to solve.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4076024/dreamforce-finds-salesforce-weathering-a-security-storm.html
