Preventing API Misconfiguration for Brand Name SaaS Applications

When you think about the most common or most popular productivity tools used in enterprises today, which ones do you think of? Microsoft 365? Salesforce? Zoom? Box? There are others, to be sure, but these SaaS applications are household names; even your septuagenarian parent/grandparent might recognize a few. Zoom has become so familiar that people now refer to video conferencing as “Zooming,” even when the platform is GoToMeeting, Webex, Teams, or one of innumerable other non-Zoom options.

This goes to show that SaaS applications have become enterprise lifeblood. A large organization might use thousands (yes, really!) of apps at any time, but there are a few that dominate business environments. Sure, every business is different and has unique requirements and preferences for tools, but just like Walmart, Amazon, Costco, and Home Depot dominate the big box store market, name brand SaaS apps eat up market share. Who in the business world hasn’t heard of Microsoft or Salesforce?

Under the shared responsibility model, the companies that build and sell SaaS services are responsible for securing the platform itself: the infrastructure, the application code, and every layer beneath them. The connections from the provider environment to the customer environment, the APIs through which users, devices and third-party integrations reach the software, remain critical pathways that must be protected, and SaaS configuration is the customer's side of the bargain. Providers do often offer pre-built, secure integrations that make the software easy for even the least technical business to adopt, but how those integrations and the tenant itself are configured remains the customer's responsibility, and it still trips up many a business. Security practitioners have seen what happens when cloud storage buckets are misconfigured; less attention has been paid publicly to API and SaaS configuration. Yet a single misstep that leaves a customer database (contact names, email addresses, financial details, contract information and other sensitive data) unintentionally exposed to the internet can cause a lot of pain and suffering.

Lack of repeatable processes

While working as Chief Trust Officer at Salesforce, Brendan O’Connor noticed that his skilled team of technical experts seemed to be reinventing the wheel on every integration. The unique configuration of each platform was an obstacle even for people with years of experience writing and deploying code. After leaving Salesforce, he started looking at data access and trust models and came to understand that the problem was not specific to his team: bugs were repeatedly introduced into deployment cycles because IT teams were forced to integrate every tool they used separately and distinctly. For bigger operations, that meant potentially thousands of places where risk was introduced.

In May 2018, O’Connor decided to turn his practitioner perspective into a commercial tool that could help enterprises secure APIs and SaaS configurations using a standard process and take configuration risk out of the equation. Today, AppOmni (O’Connor is the CEO) focuses on securing the connectors between the most critical, most heavily used business applications and the IT administrators who manage them.

The problems AppOmni solves hinge on a few issues:

1. With the more popular apps, business managers, not IT operations or security staff, may configure SaaS deployments. The app providers make it easy enough for them to do so, but it adds risk.

2. The security of API and connector configurations might be reviewed at deployment and once a year during an audit, but it is probably not part of routine, regular security testing, which is meant to mitigate vulnerabilities such as misconfiguration.

3. Most IT/security organizations lack a centralized view of all SaaS deployments and configurations; they rely on asset inventories and network monitoring to find connected SaaS and then evaluate each one individually (if it happens at all), which adds effort and opportunity for error.

Scan and report

AppOmni connects to the customer’s SaaS tenants through each provider’s API, authorized via OAuth. Immediately upon deployment, the platform scans the environment for APIs and SaaS configurations and examines the access rights of every identified app and role. Within 5-10 minutes, said O’Connor on a recent call, AppOmni can show the current running state of the customer’s application stacks along with all exposure: which apps are externally open, which are broadly sharing data, and which have full read-write access. The collected data then goes into the customer’s dashboard along with remediation instructions. “So many security tools are written for experts,” said O’Connor, “but for APIs on business applications, it’s unreasonable to think that security is going to step in every time. As a former practitioner with responsibility for these tools but not necessarily governance, we knew we needed to build something that was easy for non-experts.”

That said, AppOmni can also log tickets, push alerts to Splunk, and generally behave as any good security tool would, giving security teams the opportunity to jump in and help lines of business when necessary.
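As an added example that is neither AppOmni's code nor the article's, here is the shape such a posture check takes: a Python script that walks a constructed inventory of connected apps (the OAuth scopes each holds, whether it is reachable from outside the tenant, and its sharing setting) and produces the three classes of finding described above, each with remediation text, plus a drift check so a later scan reports only what changed. The inventory, the scope-to-risk mapping and the remediation strings are assumptions for illustration; a real tool would pull the inventory from each provider's admin API and maintain the scope list per provider.

```python
"""Illustrative SaaS connector posture check.

Added example, not AppOmni's code: it walks a constructed inventory of
connected apps (OAuth grants plus sharing settings) and emits findings for
the three exposures the article names, with remediation text per finding.
"""
from collections import Counter
from dataclasses import dataclass

# Scopes that grant full read-write access to tenant data. "full" (Salesforce),
# "root_readwrite" (Box) and "Files.ReadWrite.All" / "Sites.ReadWrite.All"
# (Microsoft Graph) are real scope names; the mapping itself is an assumption
# for this example, not a vendor-maintained list.
FULL_RW_SCOPES = {
    "salesforce": {"full"},
    "box": {"root_readwrite"},
    "m365": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
}


@dataclass
class ConnectedApp:
    name: str
    provider: str
    scopes: set            # OAuth scopes granted to the app
    external_access: bool  # reachable by identities outside the tenant
    sharing: str           # "private", "org" or "public"


@dataclass
class Finding:
    app: str
    severity: str          # "medium", "high" or "critical"
    issue: str
    remediation: str


def check_app(app):
    """Return the findings for one connected app."""
    findings = []
    granted_rw = app.scopes & FULL_RW_SCOPES.get(app.provider, set())
    if granted_rw:
        findings.append(Finding(
            app.name, "high",
            "full read-write scope granted: " + ", ".join(sorted(granted_rw)),
            "Re-issue the grant with the minimum read scopes the integration "
            "needs; revoke the token if the integration is unused."))
    if app.external_access:
        # External reach combined with write access is the worst case.
        findings.append(Finding(
            app.name, "critical" if granted_rw else "medium",
            "externally reachable",
            "Restrict the app to tenant identities or an allow-listed IP range."))
    if app.sharing == "public":
        findings.append(Finding(
            app.name, "high",
            "data shared with anyone holding the link",
            "Set sharing to organization-only and expire existing public links."))
    return findings


def assess(inventory):
    """Run check_app over every app and flatten the findings."""
    return [f for app in inventory for f in check_app(app)]


def summarize(findings):
    """Count findings by severity, e.g. {'critical': 1, 'high': 3}."""
    return dict(Counter(f.severity for f in findings))


def new_since(baseline, current):
    """Findings present now that were absent from the baseline scan: the
    'stays configured correctly' drift check, keyed on (app, issue)."""
    seen = {(f.app, f.issue) for f in baseline}
    return [f for f in current if (f.app, f.issue) not in seen]


# Constructed inventory for demonstration; no real tenant data.
SAMPLE_INVENTORY = [
    ConnectedApp("crm-export-bot", "salesforce", {"full", "refresh_token"}, True, "org"),
    ConnectedApp("contract-sync", "box", {"root_readonly"}, False, "public"),
    ConnectedApp("meeting-notes", "m365", {"Files.Read"}, False, "private"),
    ConnectedApp("ticket-sync", "m365", {"Files.ReadWrite.All"}, False, "org"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.app}: {f.issue}\n           fix: {f.remediation}")
    print(summarize(assess(SAMPLE_INVENTORY)))
```

Run against the constructed inventory, the check reports one critical finding (a Salesforce grant holding the `full` scope that is also externally reachable) and three high findings; feeding a later scan through `new_since` with the first run as baseline yields only the findings introduced by configuration changes, which is the feed a ticketing or SIEM integration would consume.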

Remediate and reduce

AppOmni’s goal is to find APIs and sensitive data that are exposed to the internet and could be abused by attackers. Why not simply employ more traditional security, we asked? O’Connor’s response centered on prevention: if AppOmni can close the floodgates that let “bad” in, complementary security products can catch the rest.

The next question was about coverage: with the thousands of APIs managed by enterprises, how many connectors can AppOmni cover? The answer is that AppOmni is “not trying to be all things to all people,” said O’Connor. The platform works with Box, Zoom, Teams, M365, Salesforce, and Work.com, the most prevalent business applications. While the best-case scenario is preventing all API and other misconfigurations, AppOmni is choosing to go deep on a limited set of provider integrations and make sure it does them well.

The message, then, is: if you’re an enterprise using all or some of these brand name business-critical apps, AppOmni can help put guardrails on your SaaS environment, ensuring it is configured, and stays configured, correctly throughout use. As things change in your environment, the platform keeps watch for exposed APIs and unusual behavior and shows the actual security state of your SaaS environments. “We want to help the people operating these apps avoid making costly mistakes,” said O’Connor in closing. Though the SaaS security market is chock full of players, this is a new approach, built by practitioners, to ensure that the connectors to the dominant apps in your environment don’t become the instigators of a data breach.