SaaS security woes continue to haunt cyber teams
More than three-quarters of technology leaders say they’re concerned about SaaS security threats, prompting calls for more robust development practices.
The findings of the Onymos SaaS Disruption Report reveal that enterprises prioritize data privacy and security, with 65% and 72% respectively saying that they’re the most critical priorities in the app development process.
An overwhelming 91% of the tech leaders polled believe retaining data within custom-built, internal applications is crucial, with only 36% of tech leaders running all of their applications on-premise or on private cloud.
The report noted that 45% of tech leaders have experienced a cybersecurity incident through a third-party SaaS solution in the past year – echoing a Gartner prediction that 45% of organizations globally will have experienced attacks on their software supply chains by 2025.
The most common incidents occurring through third-party SaaS solutions were malware attacks, experienced by 46%; phishing, at 34%; insider threats and web application attacks, at 31% each; and DDoS attacks, at 27%.
SaaS, said Shiva Nathan, founder and CEO of Onymos, is integrated into every aspect of application and software development, used both to accelerate overall development processes and as an essential component or plug-in for specific solutions or products.
The average enterprise uses 130 different SaaS applications, the company said, and around 85% of IT leaders say they rely on low-code or no-code SaaS solutions for their application and software projects.
According to McKinsey, the global SaaS market is worth about $3 trillion and is expected to rise to as much as $10 trillion by 2030.
However, SaaS also presents risks. Fears cited by survey respondents include the indirect security risk that comes with working with SaaS vendors, lack of clarity on the data privacy protections in SaaS solutions, and security requirements not being met by vendors.
“For instance, when companies purchase a SaaS solution to expedite the creation of an application, they must provide data access to the third-party SaaS provider in exchange. By granting this access, enterprises face risks such as cyberattacks and accidental data leakage,” Nathan said.
“As we increasingly rely on SaaS to develop our business-critical applications and software, we must reconsider how we approach SaaS data privacy and security. It is no longer acceptable to require companies to hand over their data in exchange for key functionality or faster time-to-market.”
Incidents have included an attack on healthcare provider Kaiser Permanente, exposing the personal information of over 13 million members, as well as a data breach at Welltok caused by a vulnerability in Progress Software’s MOVEit Transfer server.
The report recommends the adoption of ‘no-data’ architecture principles, which prioritize data privacy and security, and suggests that enterprises should be allowed to own and modify the code associated with the SaaS solutions they use for their application and software development.
Finally, rigorous third-party security audits and penetration tests should be prioritized and carried out regularly.