As security and compliance teams assess the fallout and lessons learned from the SolarWinds breach, they’ll need to re-evaluate their security practices and controls. This is particularly true when it comes to SaaS applications, such as Microsoft 365, and the 3rd party vendors that connect to them.
Regular penetration testing, or pentesting, has long been recognized as a security and compliance best practice (and sometimes even a compliance requirement) when it comes to assessing the security of an organization’s infrastructure and vendors. While periodic, manual penetration tests do offer significant value to security organizations, they also have some notable drawbacks that must be accounted for with compensating controls and technical oversight.
Most of the companies we work with are up-to-date with their pentests at the start of their engagements, but we still find critical security issues that need to be addressed. Unfortunately, pentests simply weren’t designed to catch all of the issues that are common in a modern enterprise SaaS environment including:
So why does this happen? Here are the reasons that SaaS security vulnerabilities are so often missed by penetration tests:
Manual processes are pricey and yield mistakes
Penetration tests are typically conducted manually by security consulting firms or in-house security teams. This means that the quality of the pentest can vary from firm to firm, or even from team to team.
The manual nature of pentests also means that they are expensive and require a significant time commitment. The average consulting cost of pentesting for a medium to large-size organization is $10,000 – $45,000*. From a time perspective, an end-to-end pentest process – including scoping, engagement, findings evaluation, and remediation – can take several weeks or longer. Resources are typically required from multiple teams including the assessment team, the vendor, the internal security team, and often collaboration with internal non-security teams to ensure access or provide sandbox testing environments.
It’s outdated the day after completion
In systems that change frequently, a penetration test is outdated as soon as the day after it is completed. Penetration testing is by its very nature a point-in-time activity; the findings, or lack thereof, only apply to a snapshot in time. When considering enterprise SaaS deployments and third-party cloud connections to or between them, the point-in-time nature of pentests is especially problematic. Furthermore, the fact that these environments are constantly changing due to vendor updates and the addition of new users means that continuous monitoring is necessary to maintain a secure SaaS environment.
A defined scope and limited access
Large portions of infrastructure, systems, and functionality are overlooked during penetration tests, often due to cost per day or time restrictions. Limitation of access in which a penetration test is completed from an unauthenticated perspective can result in missed vulnerabilities. There is a heavy reliance on reconnaissance and enumeration tools. And while popularity, complexity, and effectiveness of these tools have increased over time, they will never provide the same level of coverage that a SaaS Security Posture Management solution provides.
There’s a lack of SaaS expertise
As enterprise SaaS platforms mature, they grow in depth and complexity. Traditional pentesters may not be experts on all the SaaS products in your enterprise, and the scope of penetration tests often do not include SaaS products. Possessing full knowledge of a SaaS product’s configuration, permission assignments, and integrations ensures that no stone is left unturned.
Many of the companies we work with have significant security vulnerabilities that were either introduced in the days and weeks following their pentest, or that were missed by their pentest altogether. In fact, our data found that over 95% of enterprises, most of which have been recently pentested, have external users that are over-provisioned. This gives them access to sensitive SaaS data intended only for internal users. Furthermore, over 55% of these enterprises have sensitive data that is available to the anonymous internet. For these organizations, pentests simply haven’t provided the full scope of information needed to keep their SaaS environments secure.
To more comprehensively capture risk over time, pentests should give way to, or at least be combined with, automated technology that offers continuous monitoring. This enables security teams to have ongoing visibility of the internal and external users who have access to data, including which third-party applications are connected to their SaaS environment.
VP, Engineering @ AppOmni
Find out what your pentest missed with the AppOmni Free Risk Assessment