The 2023 State of SaaS Security Report

Originally published by Valence.

Written by Adrian Sanabria.

There’s something I love about putting together a big annual security report. The combination of data insights and industry trends is an opportunity to present a snapshot of the big picture. There’s the luxury of time we don’t have with a single blog post and a depth of exploration we can’t go into with an infographic or a time-limited podcast.

It feels a bit silly to wax romantic about an annual security report, but I love storytelling, and at the core of a report like this is a chance to tell a story. The day the Verizon DBIR is released every year feels a bit like Christmas morning to me. While the Verizon DBIR is an order of magnitude more expansive (a team of half a dozen spends an entire year on it), I’m very proud of what we’ve put together here, especially as it is laser-focused on a high-risk threat vector that doesn’t receive enough attention – SaaS applications. Our report is the result of teamwork and deep SaaS expertise, with contributions from every level: from our product and security research teams collecting the raw data from dozens of real-life customer deployments to our CEO and Co-founder, Yoni, providing his industry knowledge and detailed feedback on content and style.

SaaS Adoption Is Exploding

Constant tech innovation keeps security teams very busy, which is critical to combat evolving threats and clever threat actors armed with new tools like generative AI. SaaS, especially, is arguably one of the biggest and most impactful tech movements of the last 20 years, but it happened so gradually, it’s easy to take for granted. It contributed to or led to trends like:

• Less reliance on in-house and colo data centers
• Less reliance on IT staff for software needs
• The decentralization of enterprise software (business users evaluating, purchasing, and managing tools, independent of the IT team)
• The ‘consumerization’ of enterprise software
• The mobile app explosion that cemented the design formula for the modern smartphone
• The remote work movement, which exploded during Covid.
• Near ubiquitous availability of APIs and API-first product strategy philosophies
• Low-to-no code platforms
• Some of the most massive and accelerated market growth ever seen, funded largely by venture capital

The SaaS Report Findings

This year’s Valence Security report takes you through how we got here, how cybercriminals are responding to the ‘saasification’ of the digital office, and what we’ve learned in our first few years helping our customers get their SaaS messes under control. Here are a few key things we’ve learned, that you can learn more about in the full report:

1. Employees love sharing data. It’s easy and convenient. However, an average of 90% of shared resources are shared indefinitely and aren’t being actively used.
2. Following this same trend, 51% of an organization’s integrations are inactive, on average. It’s easy for employees to give a third-party access to SaaS platforms, and just as easy for them to forget that they’ve done so.
3. There are integrations, and then there are tenant-wide integrations. Imagine giving a third party full access to your entire digital office. All email. All calendar access. All files. The ability to create, disable, or delete any information or accounts. Now consider that the average number of tenant-wide integrations is 21 per organization! Nearly two dozen third parties with full control over an organization’s employees and all their resources.
4. Organizations have always had a hard time with ex-employee accounts and access. Fear of deleting critical data and integrations attached to accounts. Fear of breaking workflows dependent on them. It’s no surprise that 1 in 8 employee accounts are dormant but still active. What do they have access to? Are new security controls applied to them?
5. It’s easy for misconfigurations to go unseen. Maybe everything was secure when that big SaaS security project was completed, but did it stay that way? How many exceptions have been made between then and now? For example, even if as few as 1% of employees don’t have MFA enabled, that’s more than enough for an attacker to use a cred-stuffing attack to gain a foothold.

In the report, you’ll also find:

• 5 key types of SaaS breaches, how they happen, and real-world examples
• 14 SaaS security recommendations, based on the lessons we’ve learned from our customers
• 3 big predictions about the near-term future of SaaS security and the trends that will impact it the most

Let's Fortify our SaaS Defenses Together

The 2023 Valence State of SaaS Security report compiles our perspective on SaaS security, the latest threats, data from dozens of real companies, and finally, our recommendations and predictions for this market. It is a perfect primer for anyone wanting to better understand SaaS security challenges and how to solve them.