It’s no secret that third-party apps boost productivity, enable remote and hybrid work and are, overall, essential to building and scaling a company’s work processes.
Much as clicking on an attachment was an innocuous act in the early days of email, people don’t think twice about connecting an app they need to their Google Workspace, M365 or similar environment. Simple actions that users take, from creating an email to updating a contact in the CRM, can trigger several automatic actions and notifications in the connected platforms.
As the image below shows, the OAuth mechanism makes interconnecting apps incredibly easy, and many users never consider the possible ramifications. When these apps and other add-ons for SaaS platforms request permissions, the request is usually approved without a second thought, and each approval is another opportunity for bad actors to gain access to a company’s data. This exposes companies to supply chain access attacks, API takeovers and malicious third-party apps.
[Image: OAuth mechanism permission request]
For local machines and executable files, organizations already have built-in controls that let security teams block problematic programs and files. The same needs to be true for SaaS apps.
Images from Hacker News
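One way to put that kind of control in place for OAuth grants, as an added example that is not part of the original article: the script below audits a constructed list of third-party OAuth grants (field names assumed to mirror the Google Admin SDK Directory API tokens.list response) against a hypothetical allow-list of reviewed client IDs, and ranks unapproved apps by the breadth of the scopes they hold so that grants needing review or revocation surface first.

```python
"""Audit third-party OAuth grants in a Google Workspace tenant (added example).
Input shape assumed to mirror Admin SDK Directory API tokens.list items
(clientId, displayText, scopes, userKey); SAMPLE_GRANTS below is constructed."""

# Scopes granting broad read/write access to mail, files or contacts.
HIGH_RISK_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/contacts"}
# Scopes that allow reading data but not modifying it.
READ_ONLY_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/drive.readonly"}
# Hypothetical allow-list of client IDs the security team has reviewed.
APPROVED_CLIENT_IDS = {"123456789-crm.apps.googleusercontent.com"}

def classify(grant: dict) -> dict:
    """Rate one grant as 'high', 'medium' or 'low' risk, with the reason."""
    scopes = set(grant["scopes"])
    base = {"user": grant["userKey"], "app": grant["displayText"]}
    if grant["clientId"] in APPROVED_CLIENT_IDS:
        return {**base, "severity": "low", "reason": "approved client"}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        return {**base, "severity": "high",
                "reason": "unapproved app with write/full scopes: " + ", ".join(risky)}
    if scopes & READ_ONLY_SCOPES:
        return {**base, "severity": "medium", "reason": "unapproved app with read scopes"}
    return {**base, "severity": "low", "reason": "identity-only scopes"}

def audit(grants: list[dict]) -> list[dict]:
    """Classify every grant and return the findings, riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(g) for g in grants), key=lambda f: order[f["severity"]])

SAMPLE_GRANTS = [  # constructed sample data, not real tenant output
    {"userKey": "alice@example.com", "displayText": "Approved CRM",
     "clientId": "123456789-crm.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "displayText": "PDF Merge Tool",
     "clientId": "987654321-pdf.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "displayText": "Calendar Sync",
     "clientId": "555555555-cal.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"[{f['severity']:6}] {f['user']}: {f['app']} - {f['reason']}")
```

A grant stays valid until the user or an admin revokes it, so running this audit on a schedule rather than once catches apps connected after the initial review.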