As security and compliance teams assess the fallout and lessons learned from major data breaches, they’ll need to re-evaluate their security practices and controls. This is particularly true when it comes to SaaS applications, such as Microsoft 365, and the 3rd party vendors that connect to them.
Regular penetration testing, or pentesting, has long been recognized as a security and compliance best practice (and sometimes even a compliance requirement) when it comes to assessing the security of an organization’s infrastructure and vendors. While periodic, manual penetration tests do offer significant value to security organizations, they also have some notable drawbacks that must be accounted for with compensating controls and technical oversight.
Most of the companies we work with are up-to-date with their pentests at the start of their engagements, but we still find critical security issues that need to be addressed. Unfortunately, pentests simply weren’t designed to catch all of the issues that are common in a modern enterprise SaaS environment including:
- Installed third-party vendors that have not gone through proper vendor approval and/or security review but functionally now have sensitive data access
- Security-relevant platform misconfigurations which do not cause classic web application vulnerabilities, but which expose sensitive data or processes too broadly
- Over-provisioned users resulting in excess entitlements to data access or business processes
- Incorrectly configured SaaS-based portals or other public data sharing vectors that expose internal data to external parties
- Lack of monitoring or compensating controls for actions that privileged users can take due to configurations in SaaS applications, but should not be doing based on business policies
- Incorrectly configured monitoring and detection capabilities leading to blind spots for security teams when it comes to SaaS.
So why does this happen? Here are the reasons that SaaS security vulnerabilities are so often missed by penetration tests:
Manual processes are pricey and yield mistakes
Penetration tests are typically conducted manually by security consulting firms or in-house security teams. This means that the quality of the pentest can vary from firm to firm, or even from team to team.
The manual nature of pentests also means that they are expensive and require a significant time commitment. The average consulting cost of pentesting for a medium to large-size organization is $10,000 – $54,000. From a time perspective, an end-to-end pentest process – including scoping, engagement, findings evaluation, and remediation – can take several weeks or longer. Resources are typically required from multiple teams including the assessment team, the vendor, the internal security team, and often collaboration with internal non-security teams to ensure access or provide sandbox testing environments.
It’s outdated the day after completion
In systems that change frequently, a penetration test is outdated as soon as the day after it is completed. Penetration testing is by its very nature a point-in-time activity; the findings, or lack thereof, only apply to a snapshot in time. When considering enterprise SaaS deployments and third-party cloud connections to or between them, the point-in-time nature of pentests is especially problematic. Furthermore, the fact that these environments are constantly changing due to vendor updates and the addition of new users means that continuous monitoring is necessary to maintain a secure SaaS environment.
A defined scope and limited access
Large portions of infrastructure, systems, and functionality are overlooked during penetration tests, often due to cost per day or time restrictions. Limitation of access in which a penetration test is completed from an unauthenticated perspective can result in missed vulnerabilities. There is a heavy reliance on reconnaissance and enumeration tools. And while popularity, complexity, and effectiveness of these tools have increased over time, they will never provide the same level of coverage that a SaaS Security Posture Management solution provides.
There’s a lack of SaaS expertise
As enterprise SaaS platforms mature, they grow in depth and complexity. Traditional pentesters may not be experts on all the SaaS products in your enterprise, and the scope of penetration tests often do not include SaaS products. Possessing full knowledge of a SaaS product’s configuration, permission assignments, and integrations ensures that no stone is left unturned.
Moving Beyond Pentests and Towards Continuous Monitoring
Many of the companies we work with have significant security vulnerabilities that were either introduced in the days and weeks following their pentest, or that were missed by their pentest altogether. In fact, our data found that over 95% of enterprises, most of which have been recently pentested, have external users that are over-provisioned. This gives them access to sensitive SaaS data intended only for internal users. Furthermore, over 55% of these enterprises have sensitive data that is available to the anonymous internet. For these organizations, pentests simply haven’t provided the full scope of information needed to keep their SaaS environments secure.To more comprehensively capture risk over time, pentests should give way to, or at least be combined with, automated technology that offers continuous monitoring. This enables security teams to have ongoing visibility of the internal and external users who have access to data, including which third-party applications are connected to their SaaS environment.
Related Resources
-
AppOmni and Cisco Partner to Extend SaaS Security with End-to-End Zero Trust From Endpoint to the Application
AppOmni announced a partnership that combines the company’s Zero Trust Posture Management (ZTPM) solution with Cisco’s Security Service Edge (SSE) technology suite.
-
The Walk, Run, Fly Approach to SaaS Security
Join us for a practical session where we’ll guide you from foundational steps to advanced strategies for securing your SaaS environments.
-
How to Detect Session Hijacking in Your SaaS Applications
In part 3 of this series, Justin Blackburn shares best practices to detect session hijacking and how AppOmni does this by flagging anomalies and through UEBA alerts.