Credential management of the OAuth tokens was a big driver in this attack, and it’s coincidentally a part of the security recommendations from both GitHub and Heroku, said Corey O’Connor, director of products at DoControl. Regarding the supply chain attack itself, O’Connor said that beyond credential management, it would help to have better visibility across OAuth applications to understand which applications are installed, including all sanctioned and unsanctioned apps.
“Event correlation, and extracting the business-context of all activity helps determine what is normal versus what presents risk,” O’Connor said. “Security teams also need to leverage that context and implement automated remediation to help aid in the prevention of unauthorized access to critical systems and applications.”