As the adage goes, an organization is only as secure as its weakest link. With the growing emphasis on software integration, B2B SaaS companies are adding many links to their chains, creating new access points for attackers. The Crowdstrike tech outage demonstrates just how interdependent systems are, and the SolarWinds hack in 2020 highlighted the vulnerabilities in supply chain security and the potential consequences of large-scale cyberattacks.
Third-party attacks accounted for nearly 30% of all breaches in 2023, and 98% of organizations have business ties to a third-party vendor that has experienced a breach. Yet integrations are imperative to a successful technology platform as customers increasingly demand cohesive tech stacks. Developers must find a way to secure these integrations.
Common security pitfalls
Unfortunately, despite their best efforts, the growing integration ecosystem prevents organizations from achieving complete security. Several factors can introduce additional security vulnerabilities.
- Third-party vendor vetting: Failure to properly evaluate a vendor’s security posture creates significant gaps in protection.
- Misconfigurations: Integration builders can create complex integrations without fully understanding the implications for security and data integrity.
- APIs: Securing APIs is incredibly difficult due to their complex nature and extensive data exposure. While APIs are not currently hackers’ prime target, it’s likely only a matter of time before that changes.
- Developer awareness: Fast-paced developer workflows and rapidly changing technologies can contribute to a lack of security awareness from developers, resulting in inadvertent vulnerabilities.
Only connect with trusted sources
Vetting a third party before connecting is foundational to building secure integrations. Customers’ data must be exchanged exclusively through trusted and verified applications. Unsigned or unverified third-party apps anywhere in the ecosystem create risk.
SOC 2 reports should be a baseline requirement for vendors. Compliance with these rigorous security standards demonstrates a company’s ability to handle data securely and responsibly. Other frameworks, including ISO 27001 and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, also provide security reassurance.
Beyond certification, evaluate the SaaS providers’ additional security efforts, such as audits and penetration tests.
Strategies for integration security
Organizations must set realistic goals. Achieving complete security is challenging, and substantial risk mitigation can be costly. First and foremost, dev teams should work to prevent inevitable attacks from turning into full-blown breaches. They can achieve this with layered security controls using the following practices.
- Use complex authentication: Setting up unique API keys with specific scopes for each company and user accessing the integration is an adequate safeguard, but OAuth 2.0 is more secure. This framework uses authentication tokens from an authorization server to grant limited access to specific resources. Each company and individual user should receive unique OAuth 2.0 credentials.
- Store credentials separately from source code and data: Code, data and credentials should never mix. There have been several instances of private API keys published in hard code, opening the integration up to serious risk. Managing the many credentials and API keys for multiple integrations requires dedicated vaults with proper access management.
- Validate all inputs: To ensure data integrity, establish a comprehensive validation process for all API interactions. This effort includes defining strict input requirements in the API documentation and implementing rigorous checks within the integration to enforce these rules.
- Implement the principle of least privilege: Every integration module should only have access to the information and resources necessary to run successfully. Restricting access protects sensitive information, decreases potential vulnerabilities and contains damage from compromised modules. Security leaders can turn this principle inward to address risks posed by low-code/no-code environments by limiting users’ ability to create, modify or delete integrations.
- Monitor and log system metadata: Observing system activity can flag potential attacks, and system logs pinpoint the source of the problem. However, the recorded data should only include metadata about integrations and their executions, not the user information passing through.
Implementing multiple security controls at various levels — data, application and user — creates a formidable defense strategy. These multi-layered approaches act as speed bumps, giving organizations time to detect and contain an attack. Dev teams should have a response plan in place, such as shutting down layers or systems to prohibit bad actors from accessing additional data or applications. Once the threat is neutralized, teams can eradicate the issue and install new protections.
Regular audits and education
Integration strategies and security threats evolve. A comprehensive audit approach combining automated tools, manual review and ongoing security testing is essential for maintaining the integrity and security of APIs and the development process.
Developer education is also imperative. Even experienced programmers may not always be aware of the latest ways attackers can manipulate systems. Training them to always follow secure design principles and creating awareness of new vulnerabilities allows them to be cognizant of best practices in their development.
Despite best efforts, organizations cannot entirely avoid risk exposure from third-party integrations. Prioritizing multi-layered security strategies, building containment and recovery strategies and continuous code and process evaluation gives an organization the best chance of protecting its software from a major breach. Building resilience into the development strategy will allow organizations to provide customers with convenience and security.
https://www.securitymagazine.com/articles/100958-the-integration-security-paradox-strategies-to-protect-data