The SaaS business model won. Users, organizations, and entire industries now rely on hundreds of critical cloud applications to power everything from HR to finance to AI. But the same ecosystem that made modern business possible has created a quiet but intensifying security crisis: the lack of security standards across SaaS puts our daily operations in jeopardy.
Today, every vendor plays by their own rules:
- Security settings and permissions differ app to app, making consistent risk management impossible.
- Limited security APIs restrict configuration visibility and worsen posture management.
- Poor logs and data telemetry obscure threats and delay incident investigation and response.
For years, SaaS security has been a one-way street. SaaS vendors cite the shared responsibility model, while customers struggle to secure hundreds of unique applications, each with limited, inconsistent security controls and blind spots.
The emergence of new agentic AI SaaS products makes this imbalance untenable. With no-code and low-code platforms like Glean and n8n, anyone can spin up autonomous agents that read, write, and export data across multiple SaaS environments in nanoseconds. While these agents undeniably boost productivity, they also open the door to data exposure if not properly secured.
SaaS customers are sounding the alarm and demanding greater visibility, guardrails and accountability from vendors to curb these risks. Yet without vendor-provided telemetry, configuration APIs, and consistent controls, rogue AI agents and threat actors can freely turn SaaS supply chains into data exfiltration highways.
One Unsecured SaaS App Hands Attackers the Keys to the Kingdom
OAuth app integrations are the connective tissue linking users, SaaS applications, and AI agents together. However, these pathways sit outside of traditional authentication and privilege safeguards designed for humans, creating a security blind spot. Combined with their overly broad access scopes, a single rogue or compromised OAuth integration could provide attackers with critical system access or enable large-scale data exfiltration before it is detected.
The recent Salesloft supply chain breach shows how exposed SaaS customers are when third-party vendors are hijacked. In this case, a single compromised vendor application (Drift), integrated into core systems via OAuth tokens associated with its AI chat agent, gave attackers potential access to over 700 organizations and allowed them to pivot into Salesforce and Google Workspace instances.
The same cascading risks apply to misconfigured AI agents. We’ve witnessed one agent download over 16 million files while every other user and app combined accounted for just one million. AI agents not only move unprecedented amounts of data, they are often overprivileged. Our data shows 90% of AI agents are over-permissioned in SaaS.
These real-world examples are just the beginning. Trusting that your data is safe because it sits inside established apps like Salesforce or Google is not enough. Any connected app is now a doorway to your business secrets, which means every SaaS vendor must become a part of your security strategy.
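One defender-side check that follows from the two risks described above (over-broad OAuth scopes on integrations, and an agent whose download volume dwarfs everyone else's), as an added example that is not from this post or from Obsidian Security; the app names, scope strings, allow-list and download records are all constructed for illustration:

```python
from collections import Counter

# Constructed OAuth grant inventory: app name, owning principal, granted scopes.
# Scope strings are illustrative, not any specific vendor's catalogue.
OAUTH_GRANTS = [
    {"app": "chat-agent-integration", "owner": "svc-chat", "scopes": {"api", "full"}},
    {"app": "calendar-sync", "owner": "alice", "scopes": {"calendar.readonly"}},
    {"app": "export-bot", "owner": "svc-agent-7",
     "scopes": {"drive", "drive.readonly", "admin.directory.user"}},
]

# Scopes treated as "broad": write access, tenant-wide reach, or admin rights.
# A read-only integration should never need any of these.
BROAD_SCOPES = {"full", "drive", "admin.directory.user"}

# Constructed download telemetry: (principal, files downloaded in the window).
# Mirrors the post's observation of one agent at 16M files vs 1M for everyone else.
DOWNLOAD_LOG = [
    ("svc-agent-7", 9_000_000),
    ("svc-agent-7", 7_000_000),
    ("alice", 400_000),
    ("bob", 350_000),
    ("calendar-sync", 250_000),
]


def overprivileged_grants(grants, broad=BROAD_SCOPES):
    """Return {app: [broad scopes]} for every grant holding a broad scope."""
    return {g["app"]: sorted(g["scopes"] & broad)
            for g in grants if g["scopes"] & broad}


def download_outliers(events, ratio=5.0):
    """Flag principals whose download total is >= ratio times everyone else combined."""
    totals = Counter()
    for principal, count in events:
        totals[principal] += count
    grand_total = sum(totals.values())
    flagged = {}
    for principal, count in totals.items():
        others = grand_total - count
        if others and count / others >= ratio:
            flagged[principal] = count
    return flagged


if __name__ == "__main__":
    print("broad OAuth grants:", overprivileged_grants(OAUTH_GRANTS))
    print("download outliers:", download_outliers(DOWNLOAD_LOG))
```

The two checks are independent on purpose: a grant can be over-scoped long before it is ever abused, and a volume spike shows up in telemetry even when the grant looked reasonable.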
Stronger Security Standards Are Needed from SaaS Vendors
A stronger, continuously monitored SaaS perimeter prevents attackers or rogue agents from sidestepping your defenses. The problem is too many vendors lack the security maturity to help close the gaps.
Since our founding, Obsidian Security has seen the inside of hundreds of SaaS platforms, and the vast majority fall short of even basic security practices: they lack security-minded APIs, offer incomplete log access, and ship with poor security features. These holes aren’t just technical issues; they’re systemic risks. Without standardized, reliable telemetry and controls, the industry remains exposed to attackers exploiting unsecured applications.
To lead this effort, Obsidian Security has joined the Cloud Security Alliance as a lead author of the SaaS Security Capability Framework (SSCF), defining 41 essential security controls across 6 domains. This framework is designed to become the universal benchmark by which SaaS platforms are evaluated.
Having this agreed-upon standard will not only address current security deficiencies, but also help SaaS providers and customers demonstrate compliance with major regulatory and industry frameworks. A unified control baseline reduces duplication across audits, simplifies vendor assessments, and ensures that SaaS platforms can meet both security and compliance obligations with greater transparency and consistency.
“The Cloud Security Alliance, in partnership with Obsidian Security and other industry leaders, has released the SSCF, a standardized set of SaaS security capabilities that every SaaS platform should provide to enable organizations to maintain a consistent and reliable security posture across their applications.”
— Lefteris Skoutaris, Associate Vice President, GRC Solutions, Cloud Security Alliance
SaaS Must be Secure by Default
While frameworks like the SSCF are helpful, lasting change requires your help. A united voice from SaaS customers is more likely to solicit stronger security commitments from vendors.
That’s why we’re assembling a cross-industry working group of security leaders dedicated to pushing vendors to adopt these baseline expectations. All are welcome; visit this link to submit your information and receive an invitation to join the group.
In the age of AI and automation, the future of SaaS security will be defined by what we do together. I hope you’ll join us to help make SaaS secure by default.
Khanh Tran, Chief Product Officer, Obsidian Security
