Ever since the SolarWinds incident in late 2020, the scale of damage that a single third-party breach can cause should be abundantly clear. Yet not nearly enough has been done since, and incidents of this type keep repeating. JPMorgan Chase CISO Pat Opet has had enough, warning in an open letter that third-party security in SaaS models must be addressed immediately or a global financial catastrophe is only a matter of time.
This comes as the security industry rallies around assorted "magic bullet" AI solutions that promise to solve otherwise intractable staffing and technical problems. Opet warns, however, that only better security-by-design and formal legal commitments from SaaS vendors will correct the course.
SaaS model security remains opaque, inadequate
Opet mentions OAuth by name in the letter. OAuth is not a service but a widely used authorization protocol: it lets a user or administrator grant a third-party application access to resources in another system, which is what makes cross-system logins and integrations so convenient. The same mechanism has figured in a number of incidents in recent years, through consent phishing, over-broad grants and stolen tokens, providing another warning of what is possible if a malicious or reckless enough threat actor penetrates far enough into the wrong SaaS model.
Much of the industry seems to think that waiting for AI to solve third-party security problems is an acceptable strategy. However, the full set of "magic bullets" is not going to be available in the near term, and the threat of a widespread hit to global finance is already here today. In fact, the only reason a similar catastrophe hasn't already followed from prior incidents involving SaaS models is that the attackers opted for stealth, plundering a relative few specific high-value targets rather than disrupting everyone downstream of the breach.
Third-party security has fallen victim to feature development focus
In addition to the over-focus on developing features, Opet notes that security architectures frequently fail to account for how deeply SaaS models need to intertwine themselves with customer systems. And unlike feature design, security architecture is not necessarily a primary consideration in the development process.
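The OAuth point above and the observation about how deeply SaaS integrations reach into customer systems both come down to the same practical question: what has actually been granted, by whom, and is it still needed? The following is an added example, not code from the letter, from JPMorgan or from any vendor, of a least-privilege audit over a set of application grants. The grant records, the scope taxonomy and the policy thresholds are constructed for illustration; the scope names are modeled on common provider naming (e.g. `Mail.ReadWrite`, `offline_access`) but the high-risk list is an assumption, and a real deployment would load grants from the identity provider's API and tune the policy to its own scopes.

```python
"""Audit third-party OAuth application grants against a least-privilege policy.

Added example: not code from the letter, from JPMorgan or from any vendor.
The grant data, scope list and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: scopes that give an app broad write or impersonation power.
HIGH_RISK_SCOPES = {
    "mail.readwrite",
    "files.readwrite.all",
    "directory.readwrite.all",
    "user.impersonation",
}


@dataclass
class Grant:
    """One consent grant to a third-party application (constructed record)."""
    app_name: str
    publisher_verified: bool  # did the identity provider verify the publisher?
    scopes: list
    last_used: date           # last time the app's token was exercised
    granted_by_admin: bool    # admin consent vs. an end user clicking "Accept"


def scope_risk(scope):
    """Classify a scope as 'high', 'medium' or 'low' under the assumed policy."""
    s = scope.lower()
    if s in HIGH_RISK_SCOPES:
        return "high"
    # Tenant-wide (".all") or write ("readwrite") scopes are at least medium risk.
    if s.endswith(".all") or "readwrite" in s:
        return "medium"
    return "low"


def audit(grants, today, stale_days=90):
    """Return [(app_name, [reasons])] for every grant that violates the policy."""
    findings = []
    for g in grants:
        reasons = []
        lowered = {s.lower() for s in g.scopes}
        risky = [s for s in g.scopes if scope_risk(s) != "low"]
        if risky:
            reasons.append("privileged scopes: " + ", ".join(risky))
        # offline_access means the app holds a refresh token and keeps working
        # without a user present: that should require admin review.
        if "offline_access" in lowered and not g.granted_by_admin:
            reasons.append("offline_access granted by an end user without admin review")
        if risky and not g.publisher_verified:
            reasons.append("unverified publisher holds privileged scopes")
        if today - g.last_used > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings.append((g.app_name, reasons))
    return findings


# Constructed sample grants (hypothetical apps, not real vendors).
SAMPLE_GRANTS = [
    Grant("Calendar Sync Widget", True, ["Calendars.Read", "offline_access"],
          date(2025, 4, 1), True),
    Grant("Mailbox Archiver", False, ["Mail.ReadWrite", "offline_access"],
          date(2025, 3, 30), False),
    Grant("Legacy Report Tool", True, ["Files.ReadWrite.All"],
          date(2024, 11, 1), True),
]


def audit_sample(today=date(2025, 4, 15)):
    """Run the audit over the constructed sample on a fixed 'today'."""
    return audit(SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for app, reasons in audit_sample():
        print(app)
        for r in reasons:
            print("  -", r)
```

On the sample data the calendar widget passes (read-only scope, admin-reviewed refresh token, recently used), the archiver is flagged on three counts, and the report tool is flagged for a tenant-wide write scope that nobody has exercised in months. The design choice worth noting is that a dormant grant is treated as a finding on its own: an integration that still holds a valid refresh token but that nobody uses is exactly the kind of unchecked path into internal resources the letter describes.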
Organizations also increasingly can’t avoid SaaS models, and sometimes are even stuck with those that do not have a satisfactory security track record. The field of providers is relatively small overall, and certain niches may offer only one or two real options to prospective customers. That substantially increases the broader risk of some sort of major catastrophe that could harm an entire national economy stemming from just one breach of a service, perhaps one in which ransomware is distributed to all of the downstream clients.
Advanced threat groups, state-backed and criminal alike, are certainly aware of the situation and are more heavily targeting third-party security flaws (SolarWinds, attributed to a nation-state actor, and the MOVEit Transfer mass exploitation, run by a ransomware extortion crew, being the major examples). The letter serves as a reminder that there are no easy answers readily available, that AI might not be riding to the rescue any time soon, and that organizations would perhaps be best served by exerting more pressure on SaaS vendors to be transparent and security-minded.