2024 SaaS Security Predictions: A Look at the SaaS Threat Landscape in the Year Ahead

Originally published by AppOmni.

Written by Beverly Nevalga.

Breaches of consumer health, credit data, and military systems were among the most devastating in 2023 – evidence that no SaaS applications are immune from being compromised. To find out what next year holds, we asked 5 cybersecurity thought leaders to share their 2024 predictions.

SaaS breaches are increasing, and attack vectors are varied

A quick recap of this year: As of this publishing, the SaaS Breach Info Center reported on more than 30 major breaches in 2023, impacting more than 221,754,208 individuals, consumer accounts, and profiles as well as thousands of employees at affected organizations.

• Third-party breaches
• Compromised developer credentials
• Stolen source code
• Exposed encryption keys
• Misconfigurations
• Ransomware
• Hijacked Okta credentials
• Access to authenticator systems

And other incidents impacted business operations and the security of protected information. Identity-based attacks increased and super admin accounts proved to be fruitful targets, providing attackers with useful leverage through enabling initial access.

Overconfidence in controls can lead to false sense of SaaS security

This year, we also surveyed over 600 security practitioners across the globe for AppOmni’s State of SaaS Security Posture Management Report, and found a high degree of overconfidence and optimism about the security of their SaaS apps. This optimism contrasts with our findings from real-world deployments. In our research, we discovered that:

• 85% of respondents indicated that they are confident that their company and customer data is secure in their organizations’ SaaS applications. But 79% have suffered a SaaS cybersecurity incident in the last 12 months.
• 30% experienced data exposure and end-user permission vulnerabilities.
• Additionally, 60% of security teams have limited to no ability to monitor their SaaS-to-SaaS connections.
• Although many organizations think their SaaS cybersecurity is mature – having deployed CASB, MFA, IdP, MdM – they are grossly underestimating the extent of their SaaS attack surface risk and lack true unified risk visibility.

But it is encouraging to hear that 70% of organizations have identified SaaS cybersecurity as a top 3 security initiative for 2024.

Predictions for 2024 reveal SaaS cyber risk is expected escalate

When inviting thought leaders to offer their predictions, we asked, “Will we see more of the same as in 2023?”; ” How do you foresee things escalating?”; ” Will threat actors continue going after identities?”; and “What will security leaders need to prepare for?”

Unsurprisingly, they have a lot to say. We heard a lot about SaaS applications becoming increasingly risky from a security standpoint. Thought leaders also shared their apprehension about AI-driven security and attackers with AI-supported arsenals. Possible new cyber weapons, an influx of new security startups, and rampant misconfigurations were also mentioned. Our experts noted potential new targets and also emphasized the risks of inaction. In all, a consensus emerged – the industry at large isn’t prepared for what 2024 holds.

Here are the highlights (edited for flow and brevity).

Brendan O’Connor, CEO and Co-Founder at AppOmni: “It’ll be 2023 all over again”

“Anyone with good intentions will connect AI to highly-sensitive data they shouldn’t (e.g. PII, medical records, financial transactions) and it can go very wrong. While AI can be a force for good, securing data-hungry LLMs has not matured.

The more things change, the more they stay the same. In 2024, mega breaches will continue to have a profound impact on SaaS platforms, large institutions, and industries such as healthcare, consumer products, and automotive. Attackers will leverage the same tactics and techniques since they’ve proven to be successful.

Lastly, expect to see an arsenal of new cyber weapons. There’s a hierarchy of how these things reach the dark web. Military-grade exploits and espionage-motivated campaigns will work their way down to organized crime. Businesses must get ahead of this — those without a governance process will fall far behind if they do nothing.”

Andy Ognenoff, Managing Director, Global SaaS Security Lead, Accenture: “We’re seeing an awakening in enterprise and platform security. SaaS needs a lot of attention.”

“Given the public attention to high-profile SaaS security incidents we saw in 2023, we’re seeing an awakening in enterprise and platform security – SaaS still needs attention. 2024 is likely to be a continuation of the second half of 2023, where app owners are surprised when they realize that they haven’t outsourced all of their security responsibilities to SaaS vendors.

The general message we’re hearing from clients is that they need help gaining visibility into their SaaS portfolios and untangling or remediating long-standing issues. In some cases, issues that’ve been going on for years.

As far as attack techniques are concerned, identity-based attacks, especially token theft, are likely to continue to be a primary approach attackers use for the initial foot in the door of an organization. We’re going to see SaaS apps be increasingly popular targets given the strategic reliance on them for most enterprises.”

Tim Bach, SVP of Security Engineering at AppOmni: “Threat hunters will be focused on SOCs, SaaS, and mobile devices.”

“We’ve seen a steady uptick in recognition of SaaS as a major part of the enterprise attack surface in the last 5 years. Also, threat hunters are focusing more on monitoring SaaS activity logs for signs of attackers and active exploitation. 2024 will likely be more of a spike than a linear increase, though, due to widely publicized SaaS-related attacks and research. (For instance Krebs, ServiceNow, etc.). Our own research team at AppOmni noted marked upticks in attack activity after publication of such research, indicating that this is on the minds of attackers. So, next year as always, hunters need to be vigilant about SaaS activity.”

John Grady, Principal Analyst with ESG Group: “Almost certainly we’ll see multiple disclosures of sizable data breaches from misconfigured third-party SaaS.”

“The SaaS landscape is changing dramatically. This fact, coupled with new SEC cybersecurity reporting requirements, make it almost certain that we’ll see multiple disclosures in 2024 of sizable data breaches that stemmed from the misconfiguration of connected, third-party SaaS applications.

SaaS is clearly ubiquitous, and yet many organizations still struggle with security. Security teams often don’t have visibility into third-party applications.

Enterprise Strategy Group research shows that 39% of organizations have already suffered data loss of cloud-resident sensitive data, while an additional 20% suspect that they have. SaaS applications were the target for 42% of organizations that suffered or suspected a cloud data loss event.

Notably, the most common contributing factor to these incidents wasn’t malware or advanced adversaries, but SaaS service misconfiguration – cited by 33% of organizations as the cause. In all, organizations using SaaS applications will probably have their confidence tested this upcoming year.”

Joseph Thacker, Sr. Offensive Security Engineer at AppOmni: “AI will ramp up significantly”

“AI security is going to get increasing focus in 2024 and AI being used for security will also ramp up. There will be numerous startups, potentially hundreds, focused on AI security. Also, every major application will incorporate AI features, a shift that will inevitably introduce new vulnerabilities.

Startups will appear for many domains. There will be AI SOC analysts who will handle alert triage, AI Ethical Hackers tasked with uncovering vulnerabilities, AI Code Review tools capable of identifying software bugs and suggesting automated fixes, and AI Social Engineering toolkits designed to enhance phishing efforts to name just a few.

Allowing AI systems to make decisions is convenient. That means many products will incorporate it without adequate security testing. We will see where this leads really soon.”

Final thoughts and recommendations for improving SaaS security resilience

2024 could prove to be interesting like 2023 – full of sizable disclosures, AI-driven breaches, third-party attacks, and misconfigurations. Unfortunately for security professionals, overconfidence appears to create widespread under-preparation for SaaS that could leave organizations vulnerable.

Next year could place the industry in a defensive position. Significant, unguarded attack surfaces are likely to attract opportunistic attacks involving SaaS that impact millions of consumer and organizational profiles. Proactively addressing cybersecurity risks will require informed, decisive action.