{"id":10760,"date":"2025-05-04T22:01:23","date_gmt":"2025-05-04T22:01:23","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/current-saas-delivery-model-a-risk-management-nightmare-says-ciso\/"},"modified":"2025-05-04T22:01:23","modified_gmt":"2025-05-04T22:01:23","slug":"current-saas-delivery-model-a-risk-management-nightmare-says-ciso","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/current-saas-delivery-model-a-risk-management-nightmare-says-ciso\/","title":{"rendered":"Current SaaS delivery model a risk management nightmare, says CISO"},"content":{"rendered":"

Software <\/p>\n

\n

<\/p>\n

Romolo Tavani – stock.adobe.com<\/p>\n<\/p><\/div>\n

\n

Software JPMorgan Chase security chief Patrick Opet laments the state of SaaS security in an open letter to the industry and calls on software providers to do more to enhance resilience<\/h2>\n<\/div>\n
\n
    \n
  • <\/i><\/li>\n
  • <\/i><\/li>\n<\/ul>\n
    \n

    \"software\n\t\t\t\t\t<\/p>\n

    By<\/span><\/p>\n

      \n
    • \n\t\t\t\t\tAlex Scroxton,
      \n\t\t\t\t\t\tSecurity Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n

      \n\tPublished: 30 Apr 2025 16:07<\/span>\n<\/p>\n<\/div>\n

      \n

      The widely accepted software-as-a-service (SaaS) delivery model contains significant flaws and is \u201cquietly enabling cyber attackers\u201d, introducing widespread vulnerabilities that could undermine the global economic system, according to a leading financial services chief information security officer (CISO).<\/p>\n

      In an open letter to third-party suppliers, JPMorgan Chase CISO Patrick Opet this week criticised software companies for making SaaS the default, and often the only, format in which software can now be delivered, trapping customers into relying on service providers and concentrating risk into these organisations.<\/p>\n

      He said that while this model can be efficient and innovative, it is now clear that it \u201cmagnifies the impact of any weakness \u2026 creating single points of failure with potentially catastrophic system-wide consequences\u201d.<\/p>\n

      \u201cAt JPMorganChase, we\u2019ve seen the warning signs first-hand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers and dedicating substantial resources to threat mitigation,\u201d wrote Opet.<\/p>\n

      Although he did not point the finger at the suppliers involved in any of the many widespread supply chain incidents that have occurred in the past few years,\u00a0Opet lamented that the problem seemed to be getting worse rather than better, with software suppliers failing on multiple other issues \u201cintrinsic\u201d to SaaS, such as not securing vulnerable authentication tokens, giving themselves privileged access to customer systems without appropriate consent or transparency, and inviting downstream fourth-party suppliers into their systems.<\/p>\n

      Automation and artificial intelligence (AI) are further compounding these problems, he added, and all of these weaknesses are well-known to adversaries, borne out by changes in tactics among Chinese threat actors, who increasingly favour targeting organisations with deep access into their customer bases.<\/p>\n

      \n

      Software <\/i>Three-step plan<\/h2>\n

      In his missive, Opet set out three core steps SaaS providers should be taking to address these issues before they become insurmountable.<\/p>\n

      He called on the industry to prioritise cyber during the design phase, building in or enabling security features by default; modernise security architectures to optimise SaaS integration in such a way that mitigates risk; and collaborate better to halt threat actor abuse of connected systems.<\/p>\n

      Mark Townsend, co-founder and chief technology officer at AcceleTrex, a startup specialising in tech marketing and referrals, said Opet\u2019s letter spoke to wider frustrations among customers that IT suppliers are not doing enough to ensure the security of their products and services.<\/p>\n

      \u201cThe rush to stay ahead of the competition has led to several issues over the years. A balance needs to be made and demonstrated to the market,\u201d said Townsend.<\/p>\n

      \u201cWhen buying SaaS, you\u2019re buying a system deployed by a vendor that you are trusting your data to. Many will provide an annual pen test report and demonstrate alignment with SOC2 and other standards, but as the author points out, a lot happens within these apps, and the infrastructure that enables them, over the course of a year.<\/p>\n

      \u201cThe security of these systems is fairly opaque and requires a bit more transparency between the vendor and the consumer as to how the data is secured.\u201d<\/p>\n

      Townsend added: \u201cYou can\u2019t be too prescriptive without giving the vendors an easy out. It inspires constructive conversations that I think are necessary and important to have.\u201d<\/p>\n

      Reversec\u2019s Donato Capitella and Nick Jones, principal consultant and head of research respectively, said Opet rightly highlighted critical challenges faced by the industry in regard to the adoption of SaaS, notably the concentration of risk in a few big providers and reduced visibility making proactive incident detection and response much harder for customers.<\/p>\n

      \u201cAt a practical level, there are two very common areas where SaaS applications fail to provide adequate security. The first is gating single sign-on functionality behind additional cost or the \u201centerprise\u201d price plans, forcing users to make a trade-off between adequate identity security and cost,\u201d they told Computer Weekly in emailed comments.<\/p>\n

      \u201cThe second is comprehensive, high-fidelity audit logging, which is often also gated behind expensive plans or add-ons, if available at all. These limitations hinder an organisation\u2019s ability to prevent, detect and respond to attacks against their SaaS estate.\u201d<\/p>\n

      Capitella and Jones added: \u201cWe hope that SaaS vendors see this open letter as a call to arms and work towards providing a hardened, secure-by-default experience to their consumers.\u201d<\/p>\n<\/section>\n<\/section>\n

      \n

      \n\t\t\t<\/i>Read more on Web application security<\/h4>\n
        \n
      • \n\t\t\t\t\t<\/p>\n
        CISA: BeyondTrust breach affected Treasury Department only<\/h5>\n
        \n

        \"software\n\t\t\t\t\t\t\t\t\t<\/p>\n

        By: Arielle\u00a0Waldman<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<\/li>\n

      • \n\t\t\t\t\t<\/p>\n
        US Treasury incident a clear warning on supply chain security in 2025<\/h5>\n
        \n

        \"software\n\t\t\t\t\t\t\t\t\t<\/p>\n

        By: Alex\u00a0Scroxton<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<\/li>\n

      • \n\t\t\t\t\t<\/p>\n
        Treasury Department breached through BeyondTrust service<\/h5>\n
        \n

        \"software\n\t\t\t\t\t\t\t\t\t<\/p>\n

        By: Rob\u00a0Wright<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<\/li>\n

      • \n\t\t\t\t\t<\/p>\n
        HPE taps GenAI to bolster AIOps on Aruba Networking Central<\/h5>\n
        \n

        \"software\n\t\t\t\t\t\t\t\t\t<\/p>\n

        By: Joe\u00a0O\u2019Halloran<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<\/li>\n<\/ul>\n<\/section>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

        Software Romolo Tavani – stock.adobe.com Software JPMorgan Chase security chief Patrick Opet laments the state of SaaS security in an<\/p>\n","protected":false},"author":7282,"featured_media":10761,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10760","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/10760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=10760"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/10760\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/10761"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=10760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=10760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=10760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}