OAuth SaaS Applications: Discover. Correlate. Remediate. Repeat.

Just as with the majority of Software as a Service (SaaS) applications, the OAuth protocol is designed to provide convenience, streamline processes and ultimately deliver a positive end user experience. Like many tools or technologies that are adopted to make the business become more agile, there are always security implications that need to be closely considered. There is now an undeniable trend of supply chain-based attacks whereby 3rd party applications play a critical step in the attack chain (i.e. GitHub, Google App Scripts, Solarigate, and many others) – and OAuth is the impetus behind it all.

The image below highlights a standard workflow in an OAuth transaction, which involves the interaction between both human (end user) and machine (application) identities. Over HTTP, access tokens are issued to 3rd party applications by an authorization service with approval from the owner. The risk that becomes introduced involves the non-human access part of this workflow. Credential-based authentication and authorization for human identities is woefully inadequate to secure critical data and infrastructure. The same issue can be said for machine identities if proper controls are not in place. Automated processes that involve software bots (i.e. Robotic Process Automation (RPA) or service accounts oftentimes go unmonitored, unmanaged, and the credentials are left exposed creating a soft spot to be exploited. Malicious actors have recognized this vulnerability, making non-human identities a common threat vector in today’s landscape.

In the recent GitHub attack, OAuth user tokens – which were issued to two third-party OAuth integrators were compromised and used to download data from dozens of their customers. This allowed unauthorized access to customer repos, and as most of the actions performed were read operations, making it extremely difficult to identify and track the attacker. The problem here – which goes for most all supply chain-based attacks – is the fact that these 3rd party applications are trusted. So once the trust becomes compromised its game over. The trend for supply chain-based attacks is becoming more and more popular with attackers – and for good reason. Compromise one entity, and you establish a foothold into a large number of other victim organizations.   

Comprehensive Visibility and Remediation 

To help modern businesses address this problem, we are thrilled to provide comprehensive visibility into all OAuth SaaS applications, and remediation across every user – both human and machine within the DoControl platform. These new product capabilities will allow security teams to address additional use cases through the DoControl Security Workflows Engine. In Microsoft instances, teams can implement on-demand remediation workflows in near real-time when a user provides consent to an application. In GitHub, when an OAuth application is installed, a workflow can be triggered to suspend or delete potentially malicious applications – this would’ve aided in preventing the GitHub breach. In GDrive, workflows can be created to enforce consistent security controls when synchronization with another content collaboration application such as Box. 

‍

‍

The DoControl platform now extends its inventory and asset management capabilities to go beyond the SaaS applications, events and activities that the platform is already subscribed to. With DoControl's shadow apps governance solution you can now expose all sanctioned and unsanctioned OAuth applications, which users have installed them, the drive-wide permissions, and more (see the video above). This visibility helps streamline incident response efforts and provides security teams with the self-service and automated remediation they require to maintain a strong security posture within the SaaS estate. Modern businesses pursuing a cloud-first strategy will benefit from:

• Discovery: Identifying every OAuth application is the first step in preventing 3rd party apps from compromising trust,  and potentially exfiltrating/altering sensitive company data; 
• Event correlation: Providing the business context required for security teams to fully understand what is taking place within the entire SaaS environment so they can take appropriate action; 
• Automated remediation: Creating Security Workflows to automatically reduce risk exposure as it relates to 3rd party applications (i.e. automatically suspend or remove potential malicious applications).

Attend our upcoming webinar where our Product Management team will go through these new capabilities in detail, and provide a solution demonstration to highlight practical use cases that your business can benefit from on Day 1. Register here.

‍