Why pentests often miss critical SaaS security issues

March 20, 2021
In order to create a wide-ranging SaaS security process, companies should use tools that cover all data access points

As security and compliance teams assess the fallout and lessons learned from the SolarWinds breach, they’ll need to re-evaluate their security practices and controls. This is particularly true when it comes to SaaS applications, such as Microsoft 365, and the third-party vendors that connect to them. Understanding how to effectively secure SaaS is challenging even for the most proactive teams. Among the most common security recommendations, and in some cases requirements, are pentests.

Pentests, or penetration tests, are simulated attacks designed to gauge the security of a system. They are typically performed on a periodic basis, one or more times per year, and can be done either by an internal team or by an external firm. Regular pentesting has long been recognized as a security best practice (and sometimes even a compliance requirement) for assessing the security of an organization’s infrastructure and vendors. While periodic penetration tests do offer significant value to security organizations, they also have some notable drawbacks that must be accounted for with compensating controls and technical oversight. Overall, the pentesting approach, on its own, is not adequate to consistently maintain the security of SaaS environments over time.

Most of the companies we work with are up to date with their pentests at the start of their engagements, but we still find critical security issues that need to be addressed. Unfortunately, pentests simply weren’t designed to catch all of the issues that are common in a modern enterprise SaaS environment including:

  1. Installed third-party vendor applications that have not gone through proper vendor approval and/or security review, but that now have access to sensitive data
  2. Security-relevant platform misconfigurations that do not cause classic web application vulnerabilities, but that expose sensitive data or processes too broadly
  3. Over-provisioned users, resulting in excess entitlements to data access or business processes
  4. Incorrectly configured SaaS-based portals or other public data sharing vectors that expose internal data to external parties
  5. Lack of monitoring or compensating controls for actions that SaaS application configurations allow privileged users to take, but that business policy says they should not be taking
  6. Incorrectly configured monitoring and detection capabilities, leaving security teams with blind spots when it comes to SaaS

So why does this happen? Here are the reasons that SaaS security vulnerabilities are so often missed by penetration tests:

Manual Processes are Pricey and Yield Mistakes

Penetration tests are typically conducted manually by security consulting firms or in-house security teams. This means that the quality of the pentest can vary from firm to firm, or even from team to team.

The manual nature of pentests also means that they are expensive and require a significant time commitment. The average consulting cost of pentesting for a medium to large-size organization is $10,000 – $45,000. From a time perspective, an end-to-end pentest process – including scoping, engagement, findings evaluation and remediation – can take several weeks or longer. Resources are typically required from multiple teams including the assessment team, the vendor, the internal security team, and often collaboration with internal non-security teams to ensure access or provide sandbox testing environments.

It’s Outdated the Day After Completion

In systems that change frequently, a penetration test is outdated as soon as the day after it is completed. Penetration testing is by its very nature a point-in-time activity; the findings, or lack thereof, only apply to a snapshot in time. When considering enterprise SaaS deployments and third-party cloud connections to or between them, the point-in-time nature of pentests is especially problematic. Furthermore, the fact that these environments are constantly changing due to vendor updates and the addition of new users means that continuous monitoring is necessary to maintain a secure SaaS environment.

A Defined Scope and Limited Access

Large portions of infrastructure, systems, and functionality are overlooked during penetration tests, often due to cost-per-day or time restrictions. Limited access, such as a penetration test completed only from an unauthenticated perspective, can also result in missed vulnerabilities. There is a heavy reliance on reconnaissance and enumeration tools. And while the popularity, complexity, and effectiveness of these tools have increased over time, they will never provide the same level of coverage that a SaaS Security Posture Management solution provides.

There’s a Lack of SaaS Expertise

As enterprise SaaS platforms mature, they grow in depth and complexity. Traditional pentesters may not be experts on all the SaaS products in your enterprise, and the scope of penetration tests often does not include SaaS products. Possessing full knowledge of a SaaS product’s configuration, permission assignments, and integrations ensures that no stone is left unturned.

Many of the companies we work with have significant security vulnerabilities that were either introduced in the days and weeks following their pentest, or that were missed by their pentest altogether. In fact, our data found that over 95% of enterprises, most of which have been recently pentested, have external users that are over-provisioned. This gives them access to sensitive SaaS data intended only for internal users. Furthermore, over 55% of these enterprises have sensitive data that is available to the anonymous internet. For these organizations, pentests simply haven’t provided the full scope of information needed to keep their SaaS environments secure.

To capture risk more comprehensively over time, pentests should give way to, or at least be combined with, automated technology that offers continuous monitoring throughout an enterprise SaaS environment. In order to create a wide-ranging SaaS security process, companies should use tools that cover all data access points, not just access through the company network, and continuously monitor users, data access and configurations. This enables security teams to have ongoing visibility of the internal and external users who have access to data, including which third-party applications are connected to their SaaS environment.
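As an added illustration of the continuous-monitoring checks this article argues for (this is example code, not AppOmni's product or code; the tenant snapshot, field names, roles and app names are constructed assumptions), the toy posture check below flags three of the issue classes listed earlier and reports only what has drifted since a baseline run:

```python
import copy

# Constructed snapshot of a SaaS tenant; the schema is assumed for this example.
SNAPSHOT = {
    "users": [
        {"id": "alice", "external": False, "roles": ["sales"]},
        {"id": "bob@partner.example", "external": True, "roles": ["sales", "finance_read"]},
    ],
    # Roles an external (guest/partner) account should never hold.
    "internal_only_roles": {"finance_read", "admin"},
    "shares": [
        {"object": "Q3-forecast.xlsx", "access": "anyone_with_link"},
        {"object": "team-notes.docx", "access": "org"},
    ],
    "connected_apps": [
        {"name": "crm-sync", "scopes": ["read_contacts"]},
        {"name": "unreviewed-bot", "scopes": ["read_all", "write_all"]},
    ],
}
APPROVED_APPS = {"crm-sync"}  # constructed vendor-approval list

def posture_findings(snapshot, approved_apps):
    """Return (kind, subject, detail) tuples for over-provisioned external
    users, data shared to the anonymous internet, and unapproved connected apps."""
    findings = []
    internal_only = snapshot["internal_only_roles"]
    for user in snapshot["users"]:
        excess = sorted(internal_only.intersection(user["roles"]))
        if user["external"] and excess:
            findings.append(("over_provisioned_external_user", user["id"], tuple(excess)))
    for share in snapshot["shares"]:
        if share["access"] == "anyone_with_link":
            findings.append(("public_share", share["object"], share["access"]))
    for app in snapshot["connected_apps"]:
        if app["name"] not in approved_apps:
            findings.append(("unapproved_connected_app", app["name"], tuple(app["scopes"])))
    return findings

def with_public_share(snapshot, obj):
    """Simulate drift after a point-in-time test: a new file is shared publicly."""
    later = copy.deepcopy(snapshot)
    later["shares"].append({"object": obj, "access": "anyone_with_link"})
    return later

def new_since_baseline(baseline, current):
    """Continuous monitoring: findings present now that the baseline lacked."""
    seen = set(baseline)
    return [f for f in current if f not in seen]
```

Run `posture_findings` on each fresh snapshot and diff against the last run; the point-in-time report stays fixed while `new_since_baseline` surfaces the drift.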

About the author: Tim Bach is the VP of Engineering at AppOmni, the leading provider of SaaS Security Posture Management (SSPM).