The Hidden Risks of SaaS Supply Chain Attacks and How to Stay Secure
In light of a barrage of recent major headlines, I want to call attention to a growing threat in cybersecurity: SaaS supply chain attacks.
SaaS supply chain attacks occur when a malicious actor compromises a third-party SaaS vendor and uses that as a launching pad to target the vendor’s customers. By exploiting the interconnected nature of SaaS ecosystems, attackers can scale their reach and impact more victims.
SaaS supply chain attacks are on the rise. The Verizon 2024 Data Breach Investigations Report found that software supply chain attacks have risen 68%. As more innovative SaaS tools are released and organizations become increasingly reliant on them, the risk of SaaS supply chain attacks increases. In this blog we’ll take a look at SaaS supply chain risks and how you can reduce your chances of a breach.
Notable SaaS Supply Chain Attack Examples
- SolarWinds (2020): Attackers infiltrated the SolarWinds software development environment and released a malicious update to 18,000 customers, including Fortune 500 companies and government agencies.
- CodeCov (2021): Attackers gained unauthorized access to CodeCov’s systems, modifying a bash uploader script that impacted its customers by leaking sensitive credentials and secrets.
- Okta (2023): Attackers gained unauthorized access by exploiting a compromised service account, allowing them to view files uploaded by certain Okta customers. The breach affected 134 customers.
- Cyberhaven (2024): After clicking a phishing email, a developer granted OAuth permissions to a malicious application. Cyberhaven customers that updated their browser extension downloaded a malicious version of the app which allowed attackers to steal data from over 400,000 users.
- U.S. Treasury Department (2024): Gaining access through a BeyondTrust SaaS API key that the vendor utilizes to provide technical support to the Treasury, Chinese state-backed threat actors were able to access sensitive data from workstations.
- DeepSeek AI (2025): A publicly exposed ClickHouse database allowed full control over database operations, including access to internal data such as chat history, secret keys, and other highly sensitive information. It’s unclear whether the database was actually compromised, but the exposure highlights a supply chain vulnerability in a popular AI platform.
Is Your SaaS Supply Chain Security at Risk?
Securing your SaaS supply chain is especially challenging. Why? Because you have no control over your vendor's security hygiene. While some vendors may be reputationally safer, there is no way to know for sure that your vendor won’t become compromised. The large majority of data breaches are caused by human error, so if one of your vendors has a security failure, this could impact your organization.
Here are some of the ways in which your SaaS supply chain may put your organization at risk:
- Service Accounts: Service accounts are specialized non-human identities used by vendors to interact with other systems, such as databases, backup solutions, or monitoring tools. These accounts often have elevated privileges, which, if compromised, can lead to lateral movement within a network.
- Backdoor Admin Accounts: Some SaaS vendors maintain backdoor access to your tenant in order to provide technical support to customers, like in the case of SailPoint. But as we saw in the BeyondTrust breach, where a technical support API key was used to access the U.S. Treasury Department’s workstations, these accounts can create supply chain vulnerabilities in your network.
- Shadow SaaS: The average organization has 126 shadow apps running in their environment. These apps often integrate with business critical apps, allowing them to read, write, and even modify sensitive information. If your employees are connecting with apps that are not reputationally safe, these apps could be compromised and used as a gateway into other apps and data.
- API Keys: API keys are authentication tokens used to grant secure access to other apps, enabling seamless communication between different software systems. They allow applications to interact programmatically, exchanging data or triggering actions. However, their static nature makes them vulnerable to theft or misuse, highlighting the need for proper lifecycle management and rotation.
- Malicious Code Injection: As we saw in the case of SolarWinds and Cyberhaven, supply chain attacks often involve an attacker injecting malicious code, or malware, into their target’s software. When clients download the update, the malware grants attackers access to those clients’ systems.
- 4th Party Risks: It’s not just your third parties that can put your data at risk. Your third parties’ third parties, known as fourth parties, are also part of your software supply chain. In some instances, as we saw with Cyberhaven, attackers compromise one company and then use that environment to escalate privileges and compromise other companies across the supply chain.
- AI Platform Vulnerabilities: GenAI platforms may ingest sensitive business data, and once data has been ingested that cannot be undone. If the AI app’s infrastructure is compromised, as in the case of DeepSeek, your data could end up in the wrong hands.
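The API Keys item above points at the real fix for static credentials: a lifecycle with an expiry date, scheduled rotation, and revocation. The following registry is an added example written for this post, not code from Reco or any vendor; the 90-day maximum age, the 7-day rotation overlap, and the class and function names are assumptions chosen for illustration. Only a SHA-256 hash of each secret is stored, a rotated key keeps working for a short overlap window so the vendor can switch over without an outage, and `stale_keys()` lists the keys that have outlived the policy.

```python
"""Added example (not from the original post): a minimal API key registry
with issuance, expiry, rotation with an overlap window, and a stale-key report."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)      # assumed rotation policy
ROTATION_OVERLAP = timedelta(days=7)  # old key keeps working this long after rotation


@dataclass
class ApiKey:
    key_id: str
    vendor: str
    key_hash: str          # only the SHA-256 of the secret is stored, never the secret
    created_at: datetime
    expires_at: datetime
    revoked: bool = False


class KeyRegistry:
    def __init__(self, now=None):
        # `now` is injectable so the lifecycle can be exercised without waiting 90 days
        self._keys: dict[str, ApiKey] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, vendor: str, ttl: timedelta = MAX_KEY_AGE) -> tuple[str, str]:
        """Create a key for a vendor; return (key_id, secret). The secret is shown once."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        now = self._now()
        self._keys[key_id] = ApiKey(key_id, vendor, self._hash(secret), now, now + ttl)
        return key_id, secret

    def verify(self, key_id: str, secret: str) -> bool:
        """Accept only live, unrevoked keys; compare hashes in constant time."""
        k = self._keys.get(key_id)
        if k is None or k.revoked or self._now() >= k.expires_at:
            return False
        return secrets.compare_digest(k.key_hash, self._hash(secret))

    def rotate(self, key_id: str) -> tuple[str, str]:
        """Issue a replacement and cut the old key's life down to the overlap window."""
        old = self._keys[key_id]
        old.expires_at = min(old.expires_at, self._now() + ROTATION_OVERLAP)
        return self.issue(old.vendor)

    def revoke(self, key_id: str) -> None:
        """Immediate kill switch, e.g. when a vendor reports a compromise."""
        self._keys[key_id].revoked = True

    def stale_keys(self) -> list[str]:
        """Live keys older than the policy age: these are the ones to rotate now."""
        now = self._now()
        return sorted(k.key_id for k in self._keys.values()
                      if not k.revoked and now < k.expires_at
                      and now - k.created_at > MAX_KEY_AGE)


if __name__ == "__main__":
    reg = KeyRegistry()
    kid, sec = reg.issue("support-vendor")        # vendor name is a placeholder
    print("issued", kid, "valid:", reg.verify(kid, sec))
    new_kid, new_sec = reg.rotate(kid)
    print("rotated to", new_kid, "old still valid during overlap:", reg.verify(kid, sec))
    reg.revoke(kid)
    print("after revoke, old valid:", reg.verify(kid, sec))
```

The design point is that a key issued without `expires_at` is the "static" credential the post warns about; the overlap window is what makes routine rotation operationally painless enough that teams actually do it.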
Risks of SaaS Supply Chain Attacks
If your SaaS supply chain becomes compromised, you could expose vast amounts of sensitive data to the dark web. Many supply chain attacks involve malware that can monitor user behavior across websites and apps, intercept credentials and cookies, and steal data. Threat actors can use this info to impersonate legitimate actors, modify privileges and passwords, and break into more accounts across your supply chain. This can lead to lateral movement within an organization’s network. Supply chain attacks can also cripple SaaS services, resulting in downtime and disrupted operations for businesses that rely on them.
Best Practices for Mitigating SaaS Supply Chain Risks
Securing your SaaS supply chain requires monitoring and managing the full lifecycle of SaaS. As business units rapidly deploy new SaaS products, it's important that they partner with Security to ensure apps are properly vetted, configured, and monitored.
1. Rigorously Vet Potential Vendors
Every SaaS solution you bring on introduces a different level of risk, depending on how it interacts with data, users, and systems. For example, SaaS apps that connect with critical infrastructure, like email clients or HR systems, should be scrutinized rigorously. Apps with many executive users also warrant close attention: executives typically access a lot of business-critical information and are prime targets for attackers. Additionally, pay attention to core business apps like website hosting tools. Although they may not contain sensitive data, downtime would have significant financial repercussions for the business.
A third-party risk management (TPRM) program can help you manage and minimize the risk associated with SaaS apps. TPRM is the process of evaluating risks associated with third and fourth parties, which include SaaS vendors, suppliers, and other service providers. By taking a programmatic approach, you can assess vendors quickly and efficiently.
2. Continuously Discover New Apps
The self-service nature of SaaS has led to an explosion of shadow SaaS: the unmonitored use of SaaS apps across an organization. These apps create significant security vulnerabilities because they have not been vetted properly. They may use high-risk authentication tokens or operate with overly permissive settings. To mitigate this risk, use a tool that can continuously discover new SaaS apps in real time so you can manage the risks around unapproved apps.
→ Read Next: How Reco Discovers Shadow SaaS and Shadow AI
3. Monitor SaaS-to-SaaS Integrations
Employees can connect SaaS applications to business critical apps, like Gmail or Salesforce, with the click of a button. These integrations make SaaS tools more useful, but they increase the attack surface by creating more potential points of failure across the software supply chain. To mitigate this risk, you need a tool that can continuously discover new apps, such as shadow apps and shadow AI, and map their integrations. Keep inventory of all connected applications, and what privileges they have, across your SaaS supply chain.
4. Implement Least Privilege Access Controls
Limit the access rights of SaaS applications and their integrations to only what is necessary for functionality. Use SaaS Security Posture Management (SSPM) to gain visibility into your SaaS ecosystem and regularly review and update access permissions. Using SSPM, you can answer questions like:
- What apps are no longer being used that need to be disconnected?
- What apps have more permissions than are necessary?
- What apps are particularly risky that need to be replaced with safer apps?
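The three questions above (unused apps, over-permissioned apps, risky apps) are the checks an SSPM review runs against an inventory of SaaS-to-SaaS grants. Here is an added example of that review logic, written for this post rather than taken from Reco's product: the grant records are constructed sample data, the 90-day "unused" threshold, the D/F "risky" grades and the per-app scope baseline in `EXPECTED_SCOPES` are assumptions, and the scope names imitate OAuth scopes without being any particular provider's. An app with no baseline at all is treated as unvetted, so every scope it holds is reported as excess until someone reviews it.

```python
"""Added example (not from the original post): reviewing an inventory of
SaaS-to-SaaS grants for unused, over-privileged, and risky integrations."""
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)   # assumed: integrations idle this long should be disconnected
RISKY_GRADES = {"D", "F"}           # assumed: vendor reputation grades that call for replacement

# Assumed least-privilege baseline: the scopes each approved integration needs to work.
EXPECTED_SCOPES = {
    "calendar-scheduler": {"calendar.readonly"},
    "sales-dialer": {"salesforce.contacts.read"},
    "pdf-signer": {"drive.file"},
}

# Constructed inventory of app-to-app grants (not real data). Each record is what a
# discovery tool would collect: the app, the scopes it was granted, last use, vendor grade.
GRANTS = [
    {"app": "calendar-scheduler", "scopes": {"calendar.readonly"},
     "last_used": "2025-01-28", "grade": "A"},
    {"app": "sales-dialer",
     "scopes": {"salesforce.contacts.read", "salesforce.contacts.write", "salesforce.admin"},
     "last_used": "2025-01-20", "grade": "B"},
    {"app": "pdf-signer", "scopes": {"drive.file"},
     "last_used": "2024-09-01", "grade": "A"},
    {"app": "meme-generator", "scopes": {"gmail.readonly", "drive"},
     "last_used": "2025-01-30", "grade": "F"},
]


def review(grants, now, expected=EXPECTED_SCOPES):
    """Return findings answering the three SSPM questions for a grant inventory."""
    findings = {"unused": [], "over_privileged": {}, "risky": []}
    for g in grants:
        last = datetime.fromisoformat(g["last_used"]).replace(tzinfo=timezone.utc)
        # Q1: which apps are no longer used and should be disconnected?
        if now - last > UNUSED_AFTER:
            findings["unused"].append(g["app"])
        # Q2: which apps hold more scopes than their baseline? No baseline means unvetted,
        # so every scope counts as excess until the app has been reviewed.
        baseline = expected.get(g["app"])
        excess = g["scopes"] - baseline if baseline is not None else set(g["scopes"])
        if excess:
            findings["over_privileged"][g["app"]] = sorted(excess)
        # Q3: which apps are reputationally risky and should be replaced?
        if g["grade"] in RISKY_GRADES:
            findings["risky"].append(g["app"])
    return findings


def print_report(findings):
    for app in findings["unused"]:
        print(f"[UNUSED]  {app}: no activity for over {UNUSED_AFTER.days} days, disconnect")
    for app, scopes in findings["over_privileged"].items():
        print(f"[EXCESS]  {app}: remove scopes {', '.join(scopes)}")
    for app in findings["risky"]:
        print(f"[RISKY]   {app}: vendor grade in {sorted(RISKY_GRADES)}, replace")


if __name__ == "__main__":
    print_report(review(GRANTS, datetime(2025, 2, 1, tzinfo=timezone.utc)))
```

Run as-is, the report flags pdf-signer as unused, sales-dialer for the write and admin scopes it does not need, and meme-generator both as unvetted and as a risky vendor. In practice the baseline comes from the vendor vetting step and the grant records from the discovery tool, so the review can run on a schedule rather than once.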
5. Automate Threat Detection and Response
Attackers often use valid credentials to breach SaaS apps or poison victims via approved applications, making them difficult to detect. The only way to stop a live supply chain attack is to flag the malicious behavior in real time. Use a tool that can monitor behavioral heuristics in order to detect unusual activity that could signal malicious intent.
→ Read Next: How Reco Uses Advanced Analytics to Detect Sophisticated SaaS Threats
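One concrete behavioral heuristic a detection tool applies to the "valid credentials" problem described above is impossible travel: two logins for the same account from places too far apart for the time between them. The following is an added example written for this post, not Reco's detection logic; the login events are constructed, the 900 km/h plausibility ceiling and the 50 km minimum distance (to ignore jitter in IP geolocation) are assumed thresholds, and the coordinates are approximate city centers.

```python
"""Added example (not from the original post): an impossible-travel check over
a constructed stream of login events (user, ISO-8601 timestamp, latitude, longitude)."""
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner speed
MIN_DISTANCE_KM = 50.0     # assumed: ignore small moves caused by geolocation jitter

# Constructed sample login events; coordinates are approximate city centers.
EVENTS = [
    ("alice", "2025-02-01T09:00:00Z", 40.71, -74.01),   # New York
    ("alice", "2025-02-01T09:45:00Z", 40.73, -73.99),   # still New York
    ("alice", "2025-02-01T10:30:00Z", 55.75, 37.62),    # Moscow, 45 minutes later
    ("bob",   "2025-02-01T08:00:00Z", 51.51, -0.13),    # London
    ("bob",   "2025-02-01T20:00:00Z", 40.71, -74.01),   # New York, 12 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    # fromisoformat does not accept a trailing "Z" on older Pythons, so normalise it
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each login with the same user's previous login; alert when the implied
    speed exceeds max_kmh. Returns one alert dict per offending login."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous login
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        now = parse_ts(ts)
        prev = last_seen.get(user)
        if prev is not None:
            pts, plat, plon = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (now - pts).total_seconds() / 3600
            # Two distant logins in the same second would divide by zero; treat as impossible.
            too_fast = hours <= 0 or km / hours > max_kmh
            if km >= min_km and too_fast:
                alerts.append({"user": user, "at": ts, "km": round(km), "hours": round(hours, 2)})
        last_seen[user] = (now, lat, lon)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print(f"ALERT {a['user']}: {a['km']} km in {a['hours']} h, login at {a['at']}")
```

Only alice's third login fires: New York to Moscow is roughly 7,500 km and 45 minutes implies about 10,000 km/h, while bob's London to New York hop in 12 hours is ordinary air travel. A real pipeline feeds this from the identity provider's sign-in log and pairs it with the other signals the post mentions, such as privilege changes right after the suspicious login.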
Secure Your SaaS Supply Chain with Reco
SaaS ecosystems are constantly changing, making it difficult for security teams to keep up. Reco provides dynamic SaaS security that keeps pace with the rate of SaaS change, helping you secure your SaaS supply chain. Reco provides:
- App Discovery: Gain real-time visibility into all SaaS apps, including shadow SaaS and shadow AI so you know what's connected to your environment.
- SaaS-to-SaaS monitoring: Proactively identify SaaS apps with overly permissive settings and gain visibility into app-to-app connections to prevent or reduce the impact of supply chain attacks.
- Risk Assessment: Reco provides a vendor risk score for every app based on how risky these apps are reputationally. By ranking each app A through F, you can quickly identify apps that need to be unsanctioned and offer safer solutions to your employees.
- SSPM: Continuously audit and enforce least privilege access controls to ensure that no third-party integrations have excessive permissions that could be exploited. Identify and retire high-risk authentication tokens.
- Identity Threat Detection and Response (ITDR): Get instant alerts on unusual behavior that could signify malicious intent, such as unusual privilege escalation, excessive data exfiltration, or impossible travel.
SaaS supply chain attacks may feel particularly terrifying for Security because they are so far outside our control. But with the right tools and processes in place, you can reduce your risk, limit potential impacts, and stop live attacks before it’s too late.
Reco can help you secure your SaaS ecosystem with dynamic SaaS security. Learn more, download the Free Guide or schedule a demo today.
ABOUT THE AUTHOR
Kate Turchin
Kate Turchin is the Director of Demand Generation at Reco.