“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail, but also openly accepts responsibility for the risks posed by third-party integrations,” Michal said. “By committing to strengthen their SaaS environments and toolchain security going forward, Cloudflare demonstrated both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust in the aftermath of supply chain compromises.”
Revoking OAuth tokens
Erik Avakian, technical counselor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania, recommended that users “be periodically revoking unused OAuth tokens and refreshing them, and enforcing expiration where possible, all of which are practices in line with foundational zero trust principles.”
“This incident also highlights why this type of attack demonstrates the rise in SaaS risk. When we’re trusting third-party apps with direct API access, we’re really trusting them to safeguard our auth tokens as carefully as we would our passwords,” Avakian said. “But if we focus on and employ a zero trust mindset across our environment, we really should be treating third-party applications and SaaS like any other external network.”
