SaaS has changed everything. It’s no longer just a collection of tools; it is a foundational operating model of the modern enterprise. But for too long, a critical part of the SaaS security story has been a black box. Organizations have built sophisticated Zero Trust architectures around their on-prem and IaaS environments, but when it comes to the SaaS applications that hold their most sensitive data, the controls we rely on are often stuck in the past. This disconnect creates a massive, unnecessary risk.
Recent events have turned these risks into real breaches impacting over 700 organizations. High-profile attacks by threat groups like UNC6040 and UNC6395 have exposed a critical blind spot in SaaS security. These breaches weren’t caused by traditional malware or network intrusions. They were SaaS attacks that exploited weaknesses in SaaS identities/privileges and trusted connections between applications respectively. These attacks demonstrate a dangerous new reality: adversaries are weaponizing the very tools and trusted integrations designed to make business run smoothly.
The SaaS Security Capability Framework (SSCF): Why We Need It and How It Helps
This is the problem the Cloud Security Alliance (CSA) has been working to solve, and I am proud to have been a contributor to the project. The new SaaS Security Capability Framework (SSCF) v1.0 is the industry SaaS security standard we have been missing.
The SSCF addresses the critical gap in existing risk management processes. It goes beyond generic security certifications like SOC 2 and ISO 27001 by defining the customer-facing, configurable security controls that every SaaS application should provide. Without a clear standard for what security teams can and should be able to manage, it’s a wild west of missing or inconsistent controls, duplicated efforts, and risk.
“The SSCF addresses a critical gap in SaaS security by establishing the first industry standard for customer-facing security controls. This framework exemplifies CSA’s mission to unite diverse industry partners (from SaaS providers to enterprise customers) in creating practical solutions that translate compliance requirements into actionable security capabilities that organizations can actually configure and enforce.”
What Is the SaaS Security Capability Framework (SSCF)?
The SaaS Security Capability Framework (SSCF) brings clarity to a complex ecosystem:
For Third-Party Risk Management (TPRM) teams, it provides a consistent, technical baseline to make vendor assessments faster and more straightforward.
For SaaS vendors, it standardizes security expectations, reducing the burden of countless custom questionnaires and allowing them to focus on building the right controls.
For SaaS security engineers, it’s a practical checklist for streamlining the security program and having the confidence that critical security capabilities are offered by SaaS products.
Tackling the Controls: A Pragmatic Approach
Organizations looking to adopt the SSCF might feel overwhelmed by the comprehensive list of controls, but the goal here is not to implement everything at once. A phased, risk-prioritized approach makes the most sense. You won’t achieve perfect security overnight, and the SSCF’s “implementation guidelines” are deliberately flexible, recognizing that every organization and every SaaS application is different.
The most critical controls are found in the Change Control and Configuration Management, IAM (Identity and Access Management) and LOG (Logging and Monitoring) domains. They help establish a secure baseline security posture to start with and help detect overly permissive or anomalous behavior in the runtime environment.
Challenges and The Future of SaaS Security
The challenge in implementing the SaaS Security Capability Framework is primarily on the SaaS vendor side to make sure the various capabilities and controls are available. On the customer side, it’s about effectively using the security capabilities to adapt them to their organizational needs. True security is a continuous process. Organizations may struggle to centralize all of their SaaS security data from different applications, but this is exactly what solutions like SaaS Security Posture Management (SSPM) are designed to solve.
Would these controls have helped prevent recent attacks?
The UNC6395 attack relied on integration that became malicious, which the SSCF’s IAM-SaaS-19 (Third-party Allowlisting) would have helped prevent. The UNC6040 vishing attack that led to connecting a rogue application would have been immediately flagged by a system configured to detect the creation of new non-human identities, as required by IAM-SaaS-06 (NHI Governance). The comprehensive logging from LOG-SaaS-01 (Logged Events Scope) would have provided the necessary forensic data for both attacks, allowing for rapid detection and response.
SaaS audit logs are a critical foundation for both security and compliance, yet they present significant management challenges. These challenges stem from the wide variation in SaaS application APIs and the inconsistent quality and terminology of audit log data.
With SaaS environments relying on a diverse ecosystem of applications, security teams must contend with different log formats and the complexities of collecting data through varied APIs. This lack of standardization makes it difficult to achieve consistent visibility, slowing the ability to detect, investigate, and respond to security incidents.
To help customers with SaaS app auditing needs AppOmni’s Threat Detection team developed an open source framework, the SaaS Event Maturity Matrix (EMM), for providing a normalized means of organizing and cataloging event logging capabilities from different SaaS platforms. The ultimate goal is to reveal a SaaS platform’s auditing capabilities and assist security teams in enhancing detection and response activities.
What about GenAI applications?
No discussion of SaaS security controls is complete without an understanding of how GenAI applications are secured. The SSCF deliberately does not include specific controls for GenAI features in this first version. The consensus was that it’s too early, and the use cases are too varied. AppOmni’s point of view is that the security of SaaS and AI represents two sides of the same coin. My recommendation is to apply the controls specified in the SSCF to GenAI. Treat a GenAI app or agent just as a new kind of NHI and \apply the same rules: ensure its access is governed by the principles of least privilege, its actions are fully logged, and its data handling is transparent and controlled.
The SSCF is not the finish line, but it is the critical first step on the path toward a more secure and trusted SaaS ecosystem that adheres to SaaS security best practices. The best is yet to come.
What’s next and how AppOmni can help
AppOmni is a pioneer in SaaS security and helped global enterprises understand their SaaS risks and guided their security strategy. If you are interested, sign up for a complimentary SaaS Security Risk Assessment and expert tips about common sense controls that can improve security.
Ready to strengthen your SaaS security? Here are 3 ways you can continue your journey to contain SaaS threats:
Schedule a demo. We’ll personalize the session to your organization’s immediate needs.
About the Author: Brian Soby is the CTO and co-founder of AppOmni. He is a technology and security professional with 20 years of experience spanning products, applications, and security, and has worked in the defense and commercial industries in both large and small companies. His past roles include Partner at FreeFly Security, Director of Product Security at Salesforce, Lead Information Security Engineer at MITRE, and Network Security Engineer at Raytheon.
