Why SaaS apps are a prime target for attackers [Q&A]

Attackers will always reuse tactics that are proven to work, and with more businesses moving their core systems to SaaS, those applications are firmly on the cybercriminal's radar.

We spoke to Martin Vigo, lead offensive security researcher at SaaS security company AppOmni, to explore the reasons why SaaS apps are such fertile ground for attackers.

BN: How can we take lessons from previous cyberattacks to create a blueprint for better SaaS security strategies?

MV: Attackers rinse and repeat tactics that work, and they increasingly target SaaS applications because these offer significant value for their effort. We've seen this play out in incidents like Silk Typhoon's attack on BeyondTrust, where they exploited zero-days and overprivileged API keys to access customer remote support instances, impacting even government entities like the Department of Treasury. Similarly, Scattered Spider leveraged social engineering and fake login domains to breach Marks & Spencer, and Salt Typhoon compromised Commvault by dumping OAuth tokens from M365 environments.

These incidents highlight several critical areas organizations can use to create a blueprint for better SaaS security strategies.

First, a significant percentage of breaches (20 percent according to a recent Verizon report, a 34 percent increase in the last year) stem from the exploitation of known vulnerabilities. We need proactive, rigorous vulnerability management and rapid patching. Second, supply chain attacks involving third parties, including SaaS providers, are soaring, accounting for 30 percent of recent breaches and a surprising 100 percent increase over recent years. This demands a holistic approach to third-party risk. Finally, the focus on OAuth tokens is crucial. OAuth tokens often have long lifespans and don't automatically expire or revoke upon password changes or logouts, making them highly attractive to attackers. Your SaaS security blueprint must prioritize robust identity and access management specifically tailored for OAuth, coupled with comprehensive security awareness programs to combat social engineering and phishing campaigns targeting these tokens. By dissecting these attack patterns, we can build more resilient, attacker-aware SaaS security strategies.

BN: Why are SaaS applications fertile ground for cybercriminals?

MV: AppOmni research finds that 75 percent of organizations suffered a SaaS data breach or security incident in the past year. This primarily boils down to the disproportionate value attackers gain for their investment of effort. If attackers want to hack a bank, they go after Bank of America, but if they want to compromise several banks at once, they go after an application all those banks use. This scale makes SaaS highly attractive.

Organizations face immense challenges with visibility. The average enterprise uses around 150 different SaaS applications, which can entail thousands of interconnected application chains. Up to 65 percent of these might be shadow SaaS, creating a vast, unmonitored attack surface. Compounding this, business units often directly own and procure SaaS apps, leaving security teams running blind. Many organizations unfortunately focus on securing individual applications rather than the entire SaaS estate, which fails to reduce overall risk across interconnected systems. And the rapid emergence of SaaS AI plugins introduces new, largely unmonitored risks that many security programs are not equipped to handle.

Finally, the prevalent confusion surrounding the shared responsibility model for SaaS security (still present in two-thirds of organizations) leaves significant gaps. While the SaaS provider is responsible for the underlying infrastructure, the customer organization is responsible for data security and identity management.

BN: Why are attackers able to remain undetected inside SaaS environments for so long, compared to other systems?

MV: The dwell time for attackers within SaaS environments can average 240 days compared to approximately 100 days in other systems. This allows adversaries to thoroughly study and exploit an organization's internal processes and data flows.

This is due to the profound lack of visibility by security teams into their SaaS environments. SaaS operates largely outside the conventional boundaries of on-premise networks with traditional firewalls and clear perimeters. There's no single door wrangler where all activity is easily monitored. Attackers who gain an initial foothold don't trigger perimeter alarms.

Once inside, their activities are often low-noise events. They're not making grand, easily detectable moves. They're performing reconnaissance and accessing sensitive information in a way that blends in with legitimate user behavior. A criminal logging in from an unusual location, touching sensitive data, and then downloading it might appear as separate, innocuous events if not correlated within a comprehensive SaaS security program. Many organizations stop at implementing single sign-on (SSO) and believe they're secure, but they lack deeper insights into what users, or attackers masquerading as users, are doing post-login.

SaaS environments are dynamic: Frequent updates can alter security settings, and constant changes in user roles lead to configuration drift and over-privileged access. If security teams don't continuously monitor configurations and user behavior across the entire SaaS ecosystem, these subtle, cumulative changes can create blind spots that allow attackers to operate and persist for months without detection.
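The detection problem described in the answer above, that an unusual-location login, a view of a sensitive record and an export each look routine when logged on their own, is easier to see when the correlation is written out. The following is an added example and is not code from AppOmni or from the interview; the audit-log field names, the per-user country baseline and the two-hour correlation window are assumptions chosen for illustration, and the events are constructed.

```python
"""Correlate individually innocuous SaaS audit events into one alert.

Added example: the log schema, field names and baseline below are
constructed for illustration and do not correspond to any real vendor's
audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:02:11Z", "user": "alice", "action": "login", "country": "US"},
    {"ts": "2025-03-01T09:10:40Z", "user": "alice", "action": "record.view",
     "object": "Account/0011", "sensitive": False},
    {"ts": "2025-03-02T03:14:09Z", "user": "bob", "action": "login", "country": "RO"},
    {"ts": "2025-03-02T03:21:55Z", "user": "bob", "action": "record.view",
     "object": "Contact/0031", "sensitive": True},
    {"ts": "2025-03-02T03:40:02Z", "user": "bob", "action": "report.export",
     "object": "Contact/all", "sensitive": True},
    {"ts": "2025-03-02T08:00:00Z", "user": "carol", "action": "login", "country": "DE"},
    {"ts": "2025-03-02T08:05:00Z", "user": "carol", "action": "report.export",
     "object": "Contact/all", "sensitive": True},
]

# Countries each user has historically logged in from (constructed baseline).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"DE"}}

WINDOW = timedelta(hours=2)  # how long after the login we keep correlating


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_unusual_login(event, baseline):
    """A login is unusual if its country is outside the user's baseline.
    A user with no baseline at all is treated as unusual (conservative)."""
    known = baseline.get(event["user"])
    return not known or event["country"] not in known


def correlate(events, baseline, window=WINDOW):
    """Return one alert per chain: unusual-location login -> view of a
    sensitive record -> export of sensitive data, all within `window` of
    the login. Each event on its own would be logged as a routine action."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["action"] != "login" or not is_unusual_login(login, baseline):
                continue
            login_ts = parse_ts(login["ts"])
            chain, viewed = [login], False
            for ev in evs[i + 1:]:
                if parse_ts(ev["ts"]) - login_ts > window:
                    break  # outside the window; stop following this login
                if ev["action"] == "record.view" and ev.get("sensitive"):
                    viewed = True
                    chain.append(ev)
                elif ev["action"] == "report.export" and ev.get("sensitive") and viewed:
                    chain.append(ev)
                    alerts.append({
                        "user": user,
                        "login_ts": login["ts"],
                        "country": login["country"],
                        "steps": [e["action"] for e in chain],
                        "objects": [e.get("object") for e in chain[1:]],
                    })
                    break  # one alert per login chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(alert)
```

On the constructed input only bob's session is flagged: the Romanian login is outside his baseline, and the sensitive view and export follow it within the window. Carol exports the same report but from her usual country, and alice's unusual-looking view is not sensitive, so neither produces an alert; a rule that looked at any one of these events in isolation would either miss bob or drown in carol-style noise. The baseline would come from the SaaS platform's own login history in practice, and the ordering requirement (view before export) is the kind of detail worth tuning once real audit data is available.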

BN: What are the main challenges organizations face in securing SaaS applications?

MV: First, there's the issue of decentralized platforms and applications. Business units often acquire SaaS applications outside the purview of IT. Executives (not security experts) are frequently responsible for configuring these apps, often without a full understanding of security implications or the shared responsibility model, leaving critical applications vulnerable by default.

Second, complex and customized configurations pose a major challenge. With enterprises managing an average of 150+ different SaaS applications, each with hundreds of unique controls, manually configuration is overwhelming. Security teams can't be experts in every application, leading to widespread misconfigurations, a major cause of breaches. And the intricate web of SaaS-to-SaaS and SaaS-to-internal system connections makes detecting anomalies across the environment incredibly difficult.

Third, personnel changes within organizations require constant adjustments to user privileges. Maintaining the principle of least privilege in such dynamic environments is incredibly hard; it's easy for access to become over-provisioned and for configuration drift to occur, exposing data over time.

Finally, shadow IT installation and management of third-party integrations significantly expand the attack surface. On average, over 42 distinct third-party applications connect into enterprise SaaS environments, with roughly half connected directly by end-users, bypassing security oversight. These integrations often have extensive permissions to read, write, or delete sensitive data, yet organizations often lack comprehensive SaaS security monitoring technology to track which apps are approved, what permissions they hold, and how users are interacting with the data they access.
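Two points raised in this interview, OAuth tokens that never expire or get revoked (first answer) and third-party integrations connected directly by end users with read, write or delete permissions (the answer above), can be turned into one repeatable check over an inventory of grants. The following is an added example and is not AppOmni's tooling or code from the interview; the grant export format, the `resource.verb` scope naming, the list of admin accounts, the reference date and the age and staleness thresholds are all assumptions, and the grant records are constructed.

```python
"""Inventory third-party OAuth grants and flag the ones that need action.

Added example: the grant records, scope names and thresholds are constructed
for illustration and are not taken from any real SaaS platform's API.
"""
from datetime import date

# Constructed inventory of app-to-tenant OAuth grants (hypothetical export).
GRANTS = [
    {"app": "CalendarSync", "connected_by": "it-admin", "approved": True,
     "scopes": ["calendar.read"], "granted": "2024-11-03",
     "last_used": "2025-02-28", "expires": None},
    {"app": "SlideGenAI", "connected_by": "dave", "approved": False,
     "scopes": ["files.read", "files.write"], "granted": "2023-06-12",
     "last_used": "2025-03-01", "expires": None},
    {"app": "LegacyExport", "connected_by": "erin", "approved": True,
     "scopes": ["contacts.read", "contacts.delete"], "granted": "2022-01-15",
     "last_used": "2024-01-10", "expires": None},
    {"app": "TicketBot", "connected_by": "it-admin", "approved": True,
     "scopes": ["tickets.read"], "granted": "2025-02-01",
     "last_used": "2025-03-01", "expires": "2025-05-01"},
]

AS_OF = date(2025, 3, 2)                      # constructed reference date
ADMIN_ACCOUNTS = {"it-admin"}                 # accounts allowed to connect apps
HIGH_IMPACT_VERBS = {"write", "delete", "admin", "full"}  # assumed scope style


def high_impact_scopes(scopes):
    """Scopes that let the app change or destroy data rather than only read it."""
    return [s for s in scopes if s.rsplit(".", 1)[-1] in HIGH_IMPACT_VERBS]


def days_between(earlier_iso, later):
    return (later - date.fromisoformat(earlier_iso)).days


def assess_grant(grant, today, max_token_age_days=180, stale_days=90):
    """Return (severity, action, reasons) for one grant, or None if it is clean."""
    reasons = []
    risky = high_impact_scopes(grant["scopes"])
    end_user = grant["connected_by"] not in ADMIN_ACCOUNTS
    age = days_between(grant["granted"], today)
    idle = days_between(grant["last_used"], today)
    long_lived = grant["expires"] is None and age > max_token_age_days
    stale = idle > stale_days

    if risky:
        reasons.append("high-impact scopes: " + ", ".join(risky))
    if not grant["approved"]:
        reasons.append("never approved by security")
    if end_user:
        reasons.append("connected directly by end user " + grant["connected_by"])
    if long_lived:
        reasons.append(f"token has no expiry and is {age} days old")
    if stale:
        reasons.append(f"unused for {idle} days")
    if not reasons:
        return None

    # Severity: write/delete power in the hands of something unvetted, or that
    # nobody is using any more, is the combination attackers look for.
    if risky and (not grant["approved"] or end_user or stale):
        severity = "high"
    elif risky or long_lived:
        severity = "medium"
    else:
        severity = "low"

    if stale or (risky and not grant["approved"]):
        action = "revoke"
    elif long_lived:
        action = "rotate"  # re-consent with an expiring token
    else:
        action = "review"
    return severity, action, reasons


def assess(grants, today=AS_OF):
    """Map app name -> finding for every grant that needs attention."""
    findings = {}
    for grant in grants:
        result = assess_grant(grant, today)
        if result:
            severity, action, reasons = result
            findings[grant["app"]] = {"severity": severity, "action": action,
                                      "reasons": reasons}
    return findings


if __name__ == "__main__":
    for app, finding in assess(GRANTS).items():
        print(app, finding["severity"], finding["action"], "; ".join(finding["reasons"]))
```

Against the constructed inventory, CalendarSync and TicketBot come back clean (admin-connected, approved, read-only, and TicketBot's token expires). SlideGenAI is flagged for revocation because an end user granted it write access without approval and the token has no expiry, and LegacyExport is flagged because it has delete rights and has not been used in over a year, which is exactly the kind of forgotten grant whose token outlives every password change. The thresholds are policy decisions; what matters is that the data needed to make them (who connected the app, what it can do, when the token was issued and last used) is collected for every application, not just the sanctioned ones.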

BN: What’s the best way for organizations to get started with SaaS security and build as they mature?

MV: Begin with a fundamental question: "What SaaS applications are running in our environment, and who has access?"

  • Define clear outcomes: Understand what you want to achieve, whether it’s compliance, reducing specific risks, or improving incident response. Visibility alone is not enough; you must have a plan for safe remediation.
  • Prioritize your crown jewels: Identify the 3-4 SaaS applications that hold your most sensitive data or are critical to core business workflows, and focus your initial efforts here.
  • Establish foundational visibility: Start by discovering all SaaS applications, including shadow SaaS, and map out hidden application connections. Understand who has access to what, and proactively detect potential threats.
  • Implement strong governance and requirements: Define clear SaaS data security, SaaS-to-SaaS connection, and compliance requirements from the outset. Review contracts with SaaS vendors regarding their access to your tenant data.

As you mature, expand your program by adopting an end-to-end perspective for threat modeling, incorporating frameworks like MITRE alongside traditional NIST guidelines. Integrate AI security, understanding how AI models interact with sensitive data across your SaaS ecosystem. And move beyond just detecting and responding to predicting and protecting by leveraging automation for auto-remediation. This proactive stance allows organizations to scale their security capabilities alongside their evolving SaaS usage.

© 1998-2025 BetaNews, Inc. All Rights Reserved.