Organizations face an average of six breaches in their SaaS supply chain every year, according to new data published by Nudge Security.
With threat actors like Lapsus$ exploiting this modern attack surface, securing it has become a top cybersecurity priority and was the subject of a recent executive order. In fact, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to Gartner.
To address these threats, Nudge Security announced the addition of multiple new SaaS attack surface management capabilities to its platform, including SaaS supply chain breach notifications, OAuth risk scoring, and a SaaS attack surface dashboard.
“Every security leader is contending with a sprawling mix of cloud and SaaS providers, permissions, accounts, and identities. Until now, this emerging attack surface has been largely invisible and vulnerable to the types of supply chain attacks in the headlines week after week,” said Kevin Mandia, CEO, Mandiant and Strategic Partner, Ballistic Ventures.
“Nudge Security recognized that securing the SaaS supply chain is one of the core challenges of modern cybersecurity, and that’s why the Ballistic Ventures team was so eager to invest,” Mandia continued.
With a new centralized SaaS attack surface dashboard, IT and security teams can continuously identify high-value targets such as cloud infrastructure, code repositories, and apps that handle intellectual property and sensitive data, as well as publicly exposed apps, registered domains, and social media accounts.
Additionally, new OAuth risk scoring extends Nudge Security’s existing OAuth discovery capabilities, so teams can understand what access is given between apps and surface overly permissive grants.
“Recent breaches like the one at CircleCI show how SaaS supply chain attacks can ricochet across modern software development and CI/CD environments,” said Jaime Blasco, CTO of Nudge Security.
“Our data shows that, on average, organizations use three SaaS providers for source code repositories and artifact hosting, which they connect to other services, creating permissions sprawl and heightened risk. For example, organizations give GitHub access to about 10 different SaaS applications on average,” Blasco continued.
When breaches occur, organizations must be able to quickly assess impact. That’s why Nudge Security expanded its SaaS supply chain capabilities with new breach notifications for third- and fourth-party SaaS providers, so customers can know immediately if they’re in the blast radius of a breach, such as the recent GoDaddy breach.