- JPMorganChase's open letter demands urgent industry-wide action on SaaS risks
- Third-party SaaS models expose critical infrastructure to cascading cybersecurity threats
- Companies rely on insecure integrations that collapse the trust boundaries between systems
JPMorganChase, the largest US bank, has warned of the dangers posed by the SaaS technology that organizations around the world rely on every day.
Writing in an open letter, CISO Patrick Opet described growing concern that the pace of SaaS adoption has outstripped the development of security to match it.
In particular, Opet said that vendors have prioritized rapid feature delivery over secure architecture, creating systemic vulnerabilities across the software supply chain.
A call to arms
“An AI-driven calendar optimization service integrating directly into corporate email systems through ‘read only roles’ and ‘authentication tokens’ can no doubt boost productivity when functioning correctly,” Opet said.
“However, if compromised, this direct integration grants attackers unprecedented access to confidential data and critical internal communications.”
Opet warned that thousands of organizations are now integrated into ecosystems that depend heavily on a small group of service providers, so that if one is compromised, the ripple effects could be devastating.
“Modern integration patterns dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources,” Opet said.
“In practice, these integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources. This architectural regression undermines fundamental security principles that have proven durability.”
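The two quoted passages above (the “read only” email integration and the single-factor OAuth trust) come down to one property of a plain bearer token: whoever holds it is authorized, and a read-only scope limits what the token can do, not who can use it. The following Python example is added here as an illustration and is not part of Opet’s letter or the original article. It models a toy authorization server and mail resource server using only the standard library; the `AuthServer` and `MailResourceServer` classes, the constructed mailbox and the HMAC-based possession key are all assumptions made for the demonstration. Real sender-constrained tokens use asymmetric keys (DPoP, RFC 9449) or client certificates (mTLS, RFC 8705) rather than a shared secret, but the effect shown is the same: a stolen token without the key the client never transmits is useless.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: a mailbox a SaaS integration was granted read access to.
MAILBOX = {
    "alice@example.com": ["Q3 forecast (CONFIDENTIAL)", "Board minutes draft"],
}

PROOF_MAX_AGE = 60  # seconds a proof of possession stays valid (replay window)


class AuthServer:
    """Toy authorization server (assumption): issues tokens and answers introspection.
    Clients register a possession key out of band; a simplified stand-in for the
    asymmetric key (DPoP) or client certificate (mTLS) used in real deployments."""

    def __init__(self):
        self.tokens = {}
        self.client_keys = {}

    def register_client(self, client_id, possession_key=None):
        self.client_keys[client_id] = possession_key

    def issue_bearer(self, client_id, scope):
        # Plain bearer token: the string itself is the only factor.
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scope": scope, "cnf": None}
        return tok

    def issue_bound(self, client_id, scope):
        # Sender-constrained token: carries a hash of the client's key ("cnf" claim).
        key = self.client_keys[client_id]
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scope": scope,
                            "cnf": hashlib.sha256(key).hexdigest()}
        return tok

    def introspect(self, token):
        return self.tokens.get(token)


def proof_message(method, url, token, iat):
    # Bind the proof to the request and to this specific token (hash, not the token itself).
    ath = hashlib.sha256(token.encode()).hexdigest()
    return f"{method}\n{url}\n{ath}\n{iat}".encode()


def make_proof(key, method, url, token, now=None):
    """Client side: HMAC over method, URL, token hash and timestamp (stand-in for a DPoP proof)."""
    iat = int(now if now is not None else time.time())
    sig = hmac.new(key, proof_message(method, url, token, iat), hashlib.sha256).hexdigest()
    return {"iat": iat, "sig": sig}


class MailResourceServer:
    """Toy resource server (assumption) exposing GET /mail/<user> behind scope mail.read."""

    def __init__(self, auth):
        self.auth = auth

    def read_mail(self, user, token, proof=None, now=None):
        info = self.auth.introspect(token)
        if info is None or "mail.read" not in info["scope"].split():
            return None  # unknown token or insufficient scope
        if info["cnf"] is not None:
            # Token is sender-constrained: demand a fresh proof made with the registered key.
            key = self.auth.client_keys.get(info["client_id"])
            if proof is None or key is None or hashlib.sha256(key).hexdigest() != info["cnf"]:
                return None
            now = now if now is not None else time.time()
            if abs(now - proof["iat"]) > PROOF_MAX_AGE:
                return None  # stale or replayed proof
            expected = hmac.new(key, proof_message("GET", f"/mail/{user}", token, proof["iat"]),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, proof["sig"]):
                return None
        return list(MAILBOX.get(user, []))


def demo():
    auth = AuthServer()
    rs = MailResourceServer(auth)
    vendor_key = secrets.token_bytes(32)  # stays inside the vendor; never sent on the wire
    auth.register_client("calendar-ai", possession_key=vendor_key)
    url = "/mail/alice@example.com"

    # 1. Plain bearer with a read-only scope: the vendor works, and so does whoever lifts the token.
    bearer = auth.issue_bearer("calendar-ai", "mail.read")
    bearer_vendor = rs.read_mail("alice@example.com", bearer) is not None
    bearer_thief = rs.read_mail("alice@example.com", bearer) is not None  # identical call from the attacker

    # 2. Sender-constrained token: the same theft yields nothing without the vendor's key.
    bound = auth.issue_bound("calendar-ai", "mail.read")
    bound_vendor = rs.read_mail("alice@example.com", bound, make_proof(vendor_key, "GET", url, bound)) is not None
    bound_thief = rs.read_mail("alice@example.com", bound) is not None
    bound_forged = rs.read_mail("alice@example.com", bound, make_proof(b"guess", "GET", url, bound)) is not None
    stale = make_proof(vendor_key, "GET", url, bound, now=time.time() - 3600)  # captured earlier, replayed now
    bound_replay = rs.read_mail("alice@example.com", bound, stale) is not None

    return {"bearer_vendor": bearer_vendor, "bearer_thief": bearer_thief,
            "bound_vendor": bound_vendor, "bound_thief": bound_thief,
            "bound_forged": bound_forged, "bound_replay": bound_replay}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14s} {'ALLOWED' if allowed else 'denied'}")
```

The first half of `demo()` is the situation Opet describes: the read-only scope did nothing to stop the token thief, because the resource server has no way to tell the vendor’s process from an attacker holding the same string. The second half is the check a resource server needs before it can treat a token as more than a single factor: the key that produced the proof never crossed the wire, and the timestamp bounds how long a captured proof remains replayable.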
JPMorganChase has itself experienced a series of third-party breaches over the past three years, each requiring rapid action to isolate compromised providers and mitigate threats. These incidents have underscored the risks inherent in highly connected third-party ecosystems.
“Fierce competition among software providers has driven prioritization of rapid feature development over robust security,” Opet wrote.
“This often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses. The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system.”
He also cited emerging threats such as token theft, opaque fourth-party dependencies and privileged access without sufficient transparency.
“The most effective way to begin change is to reject these integration models without better solutions,” Opet concluded. “I hope you join me in recognizing this challenge and responding decisively, collaboratively and immediately.”