Pentests Often Miss 6 Critical SaaS Security Issues. Here’s Why.
By: Tim Bach, VP Engineering @AppOmni
As security and compliance teams assess the fallout and lessons learned from data breaches, such as the SolarWinds breach, they’ll need to re-evaluate their security practices and controls. This is particularly true when it comes to SaaS applications, such as Microsoft 365, and the third-party vendors that connect to those applications.
Regular penetration testing, or pentesting, has long been recognized as a security and compliance best practice (and sometimes even a compliance requirement) when it comes to assessing the security of an organization’s infrastructure and vendors. While pentests do offer significant value to security organizations, they also have some notable drawbacks that must be accounted for with compensating controls and technical oversight.
Most of the companies we work with are up-to-date with their pentests at the start of their engagements, but we still find critical security issues that need to be addressed.
Unfortunately, pentests simply weren’t designed to catch all of the issues that are common in a modern enterprise SaaS environment, including:
- Installed third-party vendors that have not gone through proper vendor approval and/or security review but that now functionally have sensitive data access.
- Security-relevant platform misconfigurations that don’t cause classic web application vulnerabilities, but do expose sensitive data or processes too broadly.
- Over-provisioned users, which results in overly permissive data access or business process access.
- Incorrectly configured SaaS-based portals or other public data sharing vectors that expose internal data to external parties.
- Lack of monitoring or compensating controls for actions that privileged users can take due to configurations in SaaS applications, but should not be doing based on business policies.
- Incorrectly configured monitoring and detection capabilities, leading to blind spots for security teams when it comes to SaaS.
So why does this happen? Here are the reasons that SaaS security vulnerabilities are so often missed by penetration tests.
Manual Processes are Pricey and Yield Mistakes
Penetration tests are typically conducted manually by security consulting firms or in-house security teams. This means that the quality of the pentest can vary from firm to firm, or even team to team.
The manual nature of pentests also means that they are expensive and require a significant time commitment. The average consulting cost of pentesting for a medium- to large-sized organization is $10,000 – $45,000. From a time perspective, an end-to-end pentest process – including scoping, engagement, findings evaluation, and remediation – can take several weeks or longer. Resources are typically required from multiple teams, including the assessment team, the vendor, the internal security team, and often internal non-security teams who must provide access or sandbox testing environments.
Pentests are outdated the day after completion
Defined scope and limited access result in missed vulnerabilities
There’s a lack of SaaS expertise
As enterprise SaaS platforms mature, they grow in depth and complexity. Traditional pentesters may not be experts on all the SaaS products in your enterprise, and the scope of a penetration test often does not include SaaS products at all. Possessing full knowledge of a SaaS product’s configuration, permission assignments, and integrations ensures that no stone is left unturned.
Many of the companies we work with have significant security vulnerabilities that were either introduced in the days and weeks following their pentest, or that were missed by their pentest altogether. In fact, our data found that more than 95% of enterprises, most of which have been recently pentested, have external users who are over-provisioned. This gives them access to sensitive SaaS data intended only for internal users.
Furthermore, more than 55% of these enterprises have sensitive data that is available to the anonymous internet. For these organizations, pentests simply haven’t provided the full scope of information needed to keep their SaaS environments secure.
To more comprehensively capture risk over time, pentests should give way to, or at least be combined with, automated technology that offers continuous monitoring. This enables security teams to have ongoing visibility into the internal and external users who have access to data, including which third-party applications are connected to their SaaS environment.
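As an added illustration of the point-in-time versus continuous-monitoring argument above (example code written for this article, not AppOmni's product or any vendor's API), the snippet below compares a constructed pentest-day snapshot of SaaS sharing grants with a later snapshot. It flags the two findings the post cites, external users holding grants on internal-only data and sensitive objects reachable by anonymous link, and lists the grants that appeared only after the assessment. The tenant domain, the `Grant` record shape and both snapshots are assumptions.

```python
from dataclasses import dataclass

# Assumed tenant domain; any other principal is treated as external.
INTERNAL_DOMAIN = "example.com"
ANYONE = "anyone"  # constructed marker for an anonymous / public link


@dataclass(frozen=True)
class Grant:
    principal: str   # user e-mail address, or ANYONE for a public link
    obj: str         # SaaS object the grant applies to
    sensitive: bool  # whether the object holds internal-only data


def is_external(principal: str) -> bool:
    return principal == ANYONE or not principal.lower().endswith("@" + INTERNAL_DOMAIN)


def find_exposures(grants):
    """Flag the two issues the post reports: external users with grants on
    sensitive data, and sensitive data reachable anonymously."""
    external = sorted(g.obj + "<-" + g.principal for g in grants
                      if g.sensitive and is_external(g.principal) and g.principal != ANYONE)
    anonymous = sorted(g.obj for g in grants if g.sensitive and g.principal == ANYONE)
    return external, anonymous


def new_since_baseline(baseline, current):
    """Grants that did not exist when the point-in-time assessment was run."""
    return sorted(set(current) - set(baseline), key=lambda g: (g.obj, g.principal))


# Constructed snapshots: the state on pentest day, and the state two weeks later.
BASELINE = [
    Grant("alice@example.com", "hr/salaries", True),
    Grant("bob@example.com", "wiki/lunch-menu", False),
]
CURRENT = BASELINE + [
    Grant("contractor@partner.example", "hr/salaries", True),  # external user on internal data
    Grant(ANYONE, "finance/q3-forecast", True),                # public link on sensitive data
    Grant(ANYONE, "wiki/lunch-menu", False),                   # public but not sensitive: fine
]


def report(baseline=BASELINE, current=CURRENT):
    external, anonymous = find_exposures(current)
    drift = new_since_baseline(baseline, current)
    return {"external_on_sensitive": external,
            "anonymous_sensitive": anonymous,
            "new_grants_since_pentest": [(g.principal, g.obj) for g in drift]}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run against the pentest-day baseline alone, `find_exposures` returns nothing, which is exactly the clean bill of health a point-in-time test would have produced; the same check two weeks later surfaces both exposures.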