Pentests Often Miss 6 Critical SaaS Security Issues. Here’s Why.

This blog was originally published by AppOmni here.

Written by Tim Bach, Vice President of Engineering, AppOmni.

As security and compliance teams assess the fallout and lessons learned from data breaches, they’ll need to re-evaluate their security practices and controls. This is particularly true when it comes to SaaS applications, such as Microsoft 365, and the third-party vendors that connect to those applications.

Regular penetration testing, or pentesting, has long been recognized as a security and compliance best practice (and sometimes even a compliance requirement) when it comes to assessing the security of an organization’s infrastructure and vendors. While pentests do offer significant value to security organizations, they also have some notable drawbacks that must be accounted for with compensating controls and technical oversight.

Most of the companies we work with are up-to-date with their pentests at the start of their engagements, but we still find critical security issues that need to be addressed. Unfortunately, pentests simply weren’t designed to catch all of the issues that are common in a modern enterprise SaaS environment, including:

1. Installed third-party Vendors that have not gone through proper vendor approval and/or security review but functionally now have sensitive data access
2. Security-relevant platform misconfigurations which do not cause classic web application vulnerabilities, but which expose sensitive data or processes too broadly
3. Over-provisioned users resulting in excess entitlements to data access or business processes
4. Incorrectly configured SaaS-based portals or other public data sharing vectors that expose internal data to external parties
5. Lack of monitoring or compensating controls for actions that privileged users can take due to configurations in SaaS applications, but should not be doing based on business policies
6. Incorrectly configured monitoring and detection capabilities leading to blind spots for security teams when it comes to SaaS.

So why does this happen? Here are the reasons that SaaS security vulnerabilities are so often missed by penetration tests.

Manual Processes Are Pricey And Yield Mistakes

Penetration tests are typically conducted manually by security consulting firms or in-house security teams. This means that the quality of the pentest can vary from firm to firm, or even team to team.

The manual nature of pentests also means that they are expensive and require a significant time commitment. The average consulting cost of pentesting for a medium to large-size organization is $10,000 – $45,000. From a time perspective, an end-to-end pentest process – including scoping, engagement, findings evaluation, and remediation – can take several weeks or longer. Resources are typically required from multiple teams including the assessment team, the vendor, the internal security team, and often collaboration with internal non-security teams to ensure access or provide sandbox testing environments.

Pentests Are Outdated The Day After Completion

In systems that change frequently, a penetration test is outdated as soon as the day after it is completed. Penetration testing is by its very nature a point-in-time activity; the findings, or lack thereof, only apply to a snapshot in time. When considering enterprise SaaS deployments and third-party cloud connections to or between them, the point-in-time nature of pentests is especially problematic. Furthermore, the fact that environments are constantly changing due to vendor updates and the addition of new users means that continuous monitoring is necessary to maintain a secure SaaS environment.

Defined Scope And Limited Access Results In Missed Vulnerabilities

Large portions of infrastructure, systems, and functionality are overlooked during penetration tests, often due to cost per day or time restrictions. In addition, vulnerabilities can be missed because of access limitations. There is a heavy reliance on reconnaissance and enumeration tools. And while the popularity, complexity, and effectiveness of these tools have increased over time, they will never provide the same level of coverage that a SaaS Security Management solution delivers.

There’s A Lack Of SaaS Expertise

As enterprise SaaS platforms mature, they grow in depth and complexity. Traditional pentesters may not be experts on all the SaaS products in your enterprise, and the scope of penetration tests often do not include SaaS products. Possessing full knowledge of a SaaS product’s configuration, permission assignments, and integrations ensures that no stone is left unturned.

Many of the companies we work with have significant security vulnerabilities that were either introduced in the days and weeks following their pentest, or that were missed by their pentest altogether. In fact, our data found that more than 95% of enterprises, most of which have been recently pentested, have external users who are over-provisioned. This gives them access to sensitive SaaS data intended only for internal users.

Furthermore, more than 55% of these enterprises have sensitive data that is available to the anonymous internet. For these organizations, pentests simply haven’t provided the full scope of information needed to keep their SaaS environments secure.

To more comprehensively capture risk over time, pentests should give way to, or at least be combined with, automated technology that offers continuous monitoring. This enables security teams to have ongoing visibility into the internal and external users who have access to data, including which third-party applications are connected to their SaaS environment.

About the Author

Tim Bach is the Vice President of Engineering at AppOmni. His career as a security practitioner has focused on security engineering initiatives that make best-in-class security accessible and usable to teams of all sizes and industries. Before joining AppOmni, Tim held security engineering roles at Apple and Salesforce. At Salesforce, Tim led the security team that designed and developed solutions to secure the AppExchange ecosystem of apps and partners. He started his career as a penetration tester.