The rapid rise in the use of SaaS applications — often without the IT organization's knowledge or consent — has spawned a whole new set of challenges for security teams. These include visibility gaps, unmanaged data flows, and an expanding attack surface that traditional tools aren't equipped to handle.
A recent study by BetterCloud found that, on average, organizations use 105 SaaS apps — and those apps can have different configurations, security settings, and use cases. In many situations, enterprise IT and security teams have little idea of the scope of SaaS use in their environment and even less control over their security.
An AppOmni survey of security managers and decision makers at 644 organizations highlighted a disturbing disconnect between perception and reality, with 49% of respondents saying they had fewer than 10 apps connected to their Microsoft 365 platform, when in reality they averaged more than 1,000. And 34% simply admitted that they had no idea about the number of SaaS apps in their organization.
A couple of factors threaten to make the future even more challenging. Gartner predicted last year that organizations worldwide would spend just over $247 billion on SaaS apps in 2024 and that spending would surge 20% to more than $295 billion in 2025.
The rapidly growing number of SaaS-to-SaaS app connections and third-party integrations at many organizations is another issue. These integrations are exposing organizations to new risks such as those tied to misconfigured APIs and excessive permissions. Because these integrations often lack proper monitoring and oversight, they are a prime target for attackers.
Here are key measures to mitigate SaaS security risks — including one new hopeful from CycloneDX, the SaaSBOM.
1. Assess and quantify the risks
One of the biggest challenges in managing SaaS security is often a lack of visibility into the full scope of risk from SaaS apps. Without a clear, quantifiable understanding of where exposures lie, it's difficult to prioritize action or allocate resources effectively, said Omri Weinberg, CEO at DoControl. Such visibility is essential for quantifying the risks and taking steps to address them, he said.
"The first step in SaaS security is conducting an assessment to identify exposed sensitive data, installed shadow apps, high-risk identities, and configuration missteps. Organizations know SaaS presents risks, but they lack the visibility and knowledge to quantify those risks within their environments."
—Omri Weinberg
Organizations can take several steps to assess SaaS security risks, including proper assessment planning and scope definition, information gathering, security control evaluation, vulnerability assessment, and risk analysis. The goal is to build an inventory of all the SaaS applications in use, to check each for the presence of access management, encryption, and other security controls, and to understand how they interact with other applications.
It is also important for organizations to do a systematic assessment of the vulnerabilities in their SaaS environment and their potential impact, said Sean Roche, a senior director at Obsidian Security.
"SaaS is the hardest category of apps to manage vulnerability because IT is accountable, while app owners are responsible. This means app owners without security expertise are often tasked with configuring their apps securely, while security teams lack visibility and oversight into the specifics of every application."
—Sean Roche
2. Assign responsibility for SaaS security
Misconceptions about the shared responsibility model can often leave critical gaps in protection. Brian Soby, CTO at AppOmni, said many organizations in his company's survey mistakenly assume that SaaS vendors and cloud providers will address most security requirements. In reality, it is the end-user organization that is responsible for monitoring and updating SaaS, setting application access control policies, managing identities and permissions, and fulfilling compliance mandates.
Additionally, security teams are often unaware of which SaaS apps are used within their organization, who is using them, and what permissions have been established, he said. So, not only are they unable to get a handle on what is risky, but they are also unsure who has the responsibility to secure those apps within their own organization.
"SaaS security has not yet come fully under the purview of the security team. Alarmingly, only 15% of enterprises surveyed have security teams actively managing SaaS security."
—Brian Soby
In half of the firms surveyed, the business owners of each application were responsible for security, but in others responsibility was unclear, Soby said. A clear understanding of responsibility for SaaS security is essential because it ensures that organizations are addressing their own critical obligations — such as access controls, data protection, and compliance — rather than assuming that those risks are fully managed by the SaaS provider or by the business users buying and using these apps.
"Security teams often have zero visibility into how these applications are deployed and operated in their companies. The business users usually get a green light through procurement, and then it's the Wild West in terms of how these applications are used and/or locked down."
—Brian Soby
3. Manage SaaS identities and behavioral risk
The widespread adoption of SaaS platforms has led to a surge in user identities. Often, these identities can exist across multiple systems and include vulnerabilities such as weak passwords and authentication mechanisms, excessive permissions, and accounts no one is using any longer. Behavioral risks, such as users sharing sensitive data externally or ignoring access policies, are another issue. They amplify breach risks and can put organizations at risk of noncompliance with regulations such as the EU's GDPR and California's CCPA.
In this context, the ability to manage identities and user behavior has become critical, said DoControl's Weinberg. "SaaS identities present a new and high-risk challenge," he said. Identity-based attacks often lead to data exposure. He noted that 90% of data breaches stem from identity-related attacks — phishing, account takeovers, etc. "Even with the best security infrastructure, a single wrong click by a user can undermine it all," he said.
Weinberg said it's become essential to understand who a user is, what data they access, the associated risk, and how to remediate risky behavior. For example, if a user who rarely shares data suddenly shares over 100 assets in minutes, that’s a red flag. Similarly, one person logging into Salesforce from Boston and then from Los Angeles 30 minutes later is a physical impossibility that could indicate an account takeover.
"SaaS data risks have never been more critical. Organizations must invest in comprehensive and scalable solutions to address these challenges."
—Omri Weinberg
4. Implement continuous posture management
Continuous posture management is key to addressing SaaS security risks. Modern SaaS environments tend to be dynamic. The users accessing these environments can constantly change, and so can SaaS app configurations and integrations. Point tools are often insufficient because they are designed for specific issues and not for detecting and mitigating risk across the entire SaaS landscape.
"Since SaaS environments are complex, with widely varying configurations, ownership, and access patterns, protecting each application separately isn’t possible," AppOmni's Soby said. What's needed instead are capabilities for constantly monitoring security configurations, user behavior, permissions, and integrations across all SaaS applications. The goal is to detect and address security gaps quickly as the SaaS environment evolves.
"Organizations need continuous SaaS security posture management to protect their complete SaaS estate at scale, to surface data exposures, detect threats, discover unsanctioned third- and fourth-party SaaS connections, manage identities and privileges, and spot configuration drift."
—Brian Soby
5. Identify and monitor SaaS-to-SaaS connections
SaaS-to-SaaS connections, where one SaaS application connects directly to another — often through APIs or OAuth tokens — present a large and growing attack target for adversaries. While such connections can boost productivity, they’re usually set up by end users with little IT oversight, making them difficult to track and even harder to secure. Potential risks include excessive data sharing, unauthorized access, and an attack surface that traditional security tools often miss.
Soby said AppOmni's survey found that in some large organizations, a single SaaS platform such as Salesforce or ServiceNow could have tens of thousands of other applications connected to it — often via APIs, integrations, or third-party add-ons. "SaaS-to-SaaS connections create an entire universe of interconnected apps that allow an attacker to move across applications and pilfer whatever data they want to," he said.
AppOmni found that each SaaS instance had, on average, 250 connected apps, and in some environments that number reached as high as 60,000. Given how complex and large these environments can be, organizations need capabilities to automatically discover and monitor these SaaS-to-SaaS integrations, mapping connections and data flows via APIs. Equally critical are tools that can detect risky configurations, unauthorized access, and data-sharing vulnerabilities in real time.
Obsidian Security's Roche said teams have long invested in controls to protect authentication to SaaS applications, "but these tools are typically blind to the fast-growing SaaS-to-SaaS data movement that is not governed or monitored."
"The lack of visibility into the applications, identities, and app-to-app connections in corporate environments hides risk and creates an ever-growing unknown attack surface."
—Sean Roche
6. Tap AI for help strategically
A new generation of AI-powered tools is emerging that aims to help organizations automatically discover connected apps, identify overprivileged access, and deliver real-time insights for detecting and responding to security risks. AI's ability to analyze vast amounts of user activity and configuration data could significantly improve the ability of security teams to detect dangerous misconfigurations, unusual login activity, mass data sharing, and excessive permissions.
The key is knowing how and when to use it, said Weinberg. "AI is a powerful tool, but it must be used strategically to make a real impact on organizations. In SaaS security, one key area AI can significantly enhance is risk scoring and identification," he said.
AI can correlate data across SaaS apps, identify threats and anomalous activities, and provide accurate risk scores to pinpoint threats and automate policies to address risky scenarios, Weinberg said. "By connecting the dots across various SaaS tools and automatically detecting genuine risks, AI reduces false positives and delivers actionable insights, enabling security teams to be accurate and efficient when mitigating risks," he said.
Melissa Ruzzi, director of AI at AppOmni, perceives AI as offering the only way for organizations to keep up with SaaS-related threats going forward. With organizations using scores of SaaS applications, understanding what each SaaS app does, assessing associated risks, and sifting through vast amounts of data to identify security issues can be overwhelming for security teams. "When built and trained on the right data, AI-enabled solutions can provide visibility into the SaaS environment, and data analytics at a scale and depth that only AI can handle," Ruzzi said.
One especially significant use case for AI is enabling users to chat with their data, investigate security events, and make faster and more informed decisions. AI-driven observations can transform complex SaaS security questions into clear, actionable answers and visual representations for deeper understanding, Ruzzi said. It can also optimize security workflows and surface critical observations in a narrative form with added contextualization to help teams focus on taking faster action.
"But the outcome of AI can only be as valuable as the comprehensiveness of the data that it uses. The richer the data, the smarter the AI."
—Melissa Ruzzi
7. Go beyond the SBOM with an xBOM — namely, the SaaSBOM
One key category of CycloneDX's new xBOM bill of materials standard is the SaaSBOM, which identifies and inventories cloud-based applications, APIs, endpoints, and data flows to help ensure governance, compliance, and risk mitigation in SaaS environments.
SaaSBOMs provide better insights into the dynamic relationships between the services the software integrates with. They allow organizations to check the level of security of those third-party services, as well as identify and more effectively manage risks regarding insecure APIs, vulnerable data exchanges, and misconfigured services. As a result, users can confidently make more informed decisions on what they include in their applications.
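The mapping of SaaS-to-SaaS connections and data flows called for in section 5, and the SaaSBOM inventory described here, fit together: the discovered connections are the input, and a CycloneDX document with a `services` list is one way to record them. The following is an added example and not code from the article, CycloneDX, ReversingLabs, or any vendor quoted. The three connections are a constructed inventory; the service fields used (`endpoints`, `authenticated`, `x-trust-boundary`, `data.flow`, `data.classification`, `properties`) are CycloneDX service fields, while the `oauth.scope` property name and the list of "broad" scopes are assumptions of this example.

```python
"""Build a minimal CycloneDX-style SaaSBOM from an inventory of SaaS-to-SaaS
connections, then flag the connections a security team should review first.
The inventory is constructed; it stands in for an OAuth-grant discovery run."""
import json
import uuid
from datetime import datetime, timezone

SENSITIVE_CLASSES = {"PII", "PHI", "Confidential"}           # assumed labels
BROAD_SCOPES = {"full", "Files.ReadWrite.All", "Mail.ReadWrite"}  # assumed "too much" list

# Constructed inventory of apps connected to one Salesforce instance.
CONNECTIONS = [
    {"app": "contract-signer", "vendor": "example-vendor-a",
     "endpoint": "https://api.example-vendor-a.test/v1/documents",
     "scopes": ["api", "refresh_token"], "flow": "outbound",
     "classification": "PII", "authenticated": True},
    {"app": "lead-enricher", "vendor": "example-vendor-b",
     "endpoint": "https://hooks.example-vendor-b.test/inbound",
     "scopes": ["full"], "flow": "bi-directional",
     "classification": "PII", "authenticated": False},
    {"app": "calendar-sync", "vendor": "example-vendor-c",
     "endpoint": "https://api.example-vendor-c.test/calendar",
     "scopes": ["api"], "flow": "inbound",
     "classification": "Public", "authenticated": True},
]


def build_saasbom(platform_name, connections):
    """Return a CycloneDX JSON document describing the platform and every
    third-party service connected to it, with the data flow per service."""
    platform_ref = f"service:{platform_name}"
    services = []
    for c in connections:
        services.append({
            "bom-ref": f"service:{platform_name}:{c['app']}",
            "provider": {"name": c["vendor"]},
            "name": c["app"],
            "endpoints": [c["endpoint"]],
            "authenticated": c["authenticated"],
            "x-trust-boundary": True,  # a third-party SaaS sits outside our boundary
            "data": [{"flow": c["flow"], "classification": c["classification"]}],
            # Assumed property name; CycloneDX properties are free-form name/value pairs.
            "properties": [{"name": "oauth.scope", "value": s} for s in c["scopes"]],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "platform", "bom-ref": platform_ref, "name": platform_name},
        },
        "services": services,
        # The platform "depends on" each connected app: a compromise there reaches it.
        "dependencies": [{"ref": platform_ref, "dependsOn": [s["bom-ref"] for s in services]}],
    }


def risky_services(bom, sensitive=SENSITIVE_CLASSES, broad=BROAD_SCOPES):
    """Return [{name, reasons}] for services that are unauthenticated, push
    sensitive data across the trust boundary, or hold a broad OAuth scope."""
    findings = []
    for s in bom["services"]:
        reasons = []
        if not s.get("authenticated", False):
            reasons.append("unauthenticated endpoint")
        for d in s.get("data", []):
            if (s.get("x-trust-boundary") and d["classification"] in sensitive
                    and d["flow"] in ("outbound", "bi-directional")):
                reasons.append(f"{d['classification']} leaves trust boundary ({d['flow']})")
        scopes = {p["value"] for p in s.get("properties", []) if p["name"] == "oauth.scope"}
        for scope in sorted(scopes & broad):
            reasons.append(f"broad scope granted: {scope}")
        if reasons:
            findings.append({"name": s["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    bom = build_saasbom("salesforce", CONNECTIONS)
    print(json.dumps(bom, indent=2))
    for f in risky_services(bom):
        print(f"{f['name']}: {'; '.join(f['reasons'])}")
```

The review list is where the SaaSBOM earns its keep: once each connection carries its endpoint, authentication state, data classification, and flow direction, "which apps can move customer PII out of Salesforce without authenticating?" becomes a filter over the document rather than a question nobody in IT can answer.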
The xBOM addresses the nature of how various assets move through and are incorporated into software supply chains. Industry guidelines and regulations are increasingly calling for the software bill of materials – and now the xBOM – to bring detailed visibility into organizations' software ecosystems by representing comprehensive inventories of software components, dependencies, and relationships, said Dan Petrillo, vice president of product marketing for ReversingLabs.
“We need to encompass all facets of software, and SaaSBOM is an interesting one because it acknowledges that software is more than just the bits and bytes of the package you build in. Software calls on services, touches endpoints, APIs, and so on. SaaSBOM brings visibility to that.”
—Dan Petrillo
Keep learning
- Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: Join RL's May 28 webinar for expert insights.
- Get the white paper: Go Beyond the SBOM. Plus: See the Webinar: Welcome CycloneDX xBOM.
- Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
- Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and learn how RL discovered the novel threat in this
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.