{"id":8799,"date":"2026-07-17T09:00:00","date_gmt":"2026-07-17T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8799"},"modified":"2026-07-17T09:00:00","modified_gmt":"2026-07-17T09:00:00","slug":"the-saas-blind-spot-why-security-teams-cant-get-inside-their-own-apps","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8799","title":{"rendered":"The SaaS blind spot: Why security teams can\u2019t get inside their own apps"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">Most organizations I work with have invested heavily in cloud security. They have endpoint detection tools, SIEM platforms, cloud security posture management, and skilled security teams running on a 24\/7 shift. And yet, when I ask them a simple question \u2014 who has admin access in your Salesforce tenant right now? \u2014 The room goes quiet. Nobody knows. Not because they are negligent. Because they genuinely cannot see it.<\/p>\n<p class=\"wp-block-paragraph\">That is the SaaS blind spot.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\"><em>Figure 1: The Blind Spot and what SSPM covers.<\/em>\n<p class=\"imageCredit\">Ashish Mishra<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\"><a><\/a>SaaS: Numbers speak volumes<\/h2>\n<p class=\"wp-block-paragraph\">I ask this question in almost every engagement: how many SaaS applications does your organization run? The answers I get range from 30 to maybe 50. The real number, once someone counts, is usually north of three hundred. <a href=\"https:\/\/appomni.com\/press-releases\/new-state-of-saas-security-report-2024\/\">AppOmni\u2019s 2024 research<\/a> put it even higher \u2014 49% of Microsoft 365 organizations believed they had fewer than ten apps connected to their tenant when the actual average was over a thousand.<\/p>\n<p class=\"wp-block-paragraph\">Here is the part that concerns me more than the count. Of all those applications, security teams have clear sight into maybe one in 10. The rest \u2014 where your customer records live, where your source code sits, where your financial reports get shared \u2014 nobody is watching. Not because the team is careless. Because the tools they have were never built to look there.<\/p>\n<p class=\"wp-block-paragraph\">The following incidents will discuss these realities.<\/p>\n<h3 class=\"wp-block-heading\"><a><\/a>Salesforce in 2023<\/h3>\n<p class=\"wp-block-paragraph\">In April 2023, <a href=\"https:\/\/krebsonsecurity.com\/2023\/04\/many-public-salesforce-sites-are-leaking-private-data\/\">KrebsOnSecurity<\/a> broke the story \u2014 Salesforce Community sites were quietly leaking sensitive data belonging to government agencies, banks, and healthcare providers. No sophisticated attack technique. Just the right API endpoint and a misconfigured guest user profile. The exposed records included Social Security numbers, account details, and home addresses. Salesforce was clear in its response: this was not a platform vulnerability. Administrators had misconfigured guest access policies, and nobody had checked.<\/p>\n<p class=\"wp-block-paragraph\">Guest user profiles in Salesforce Communities can be granted access to data records. When administrators set those permissions too broadly \u2014 often without realizing it \u2014 unauthenticated external users can query that data straight through the API. Over 150,000 companies were potentially sitting in that window before anyone raised the alarm.<\/p>\n<p class=\"wp-block-paragraph\">The pattern is always the same. Configuration made under time pressure, default set slightly too permissive, nobody looks at it again. SaaS applications accumulate these quiet exposures over months and years.<\/p>\n<h3 class=\"wp-block-heading\"><a><\/a>GitHub in 2022<\/h3>\n<p class=\"wp-block-paragraph\">In April 2022, <a href=\"https:\/\/github.blog\/news-insights\/company-news\/security-alert-stolen-oauth-user-tokens\/\">GitHub disclosed<\/a> that an attacker had used stolen OAuth tokens \u2014 issued to Heroku and Travis CI \u2014 to access and download private repository contents from dozens of organizations, including npm. GitHub\u2019s own systems were never touched. The tokens came from third-party applications that users had authorized to connect to their accounts, and those applications had been quietly compromised.<\/p>\n<p class=\"wp-block-paragraph\">The entry point was not GitHub. It was not even the organizations that lost their data. It was the CI\/CD tools those organizations had connected to GitHub months or years earlier \u2014 tools that had been granted broad read and write permissions that were never revisited.<\/p>\n<p class=\"wp-block-paragraph\">That is the OAuth problem in plain terms. The moment you authorize a third-party application; its security posture becomes your problem too. Most organizations have dozens of these connections sitting open across their SaaS platforms \u2014 and no one reviewing them.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\"> width=&#8221;1024&#8243; height=&#8221;496&#8243; sizes=&#8221;auto, (max-width: 1024px) 100vw, 1024px&#8221;&gt;<em>Figure 2: The 2022 GitHub breach chain.<\/em>\n<p class=\"imageCredit\">Ashish Mishra<\/p>\n<\/div>\n<h3 class=\"wp-block-heading\"><a><\/a>Microsoft in 2023<\/h3>\n<p class=\"wp-block-paragraph\">The Microsoft case from 2023 is the one I bring up when people assume this only happens to careless organizations. <a href=\"https:\/\/www.wiz.io\/blog\/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers\">Wiz Research<\/a> found that Microsoft\u2019s own AI team had exposed 38TB of internal data \u2014 private keys, passwords, and more than 30,000 internal Teams messages \u2014 through a single misconfigured Azure access token. The token was supposed to share one training dataset on GitHub. Instead, it opened an entire storage account to anyone who found the link.<\/p>\n<p class=\"wp-block-paragraph\">What gets me about this one is the timeline. That token had been sitting there since October 2021. Nearly two years, inside Microsoft, before anyone caught it. If a team with that level of resources and expertise can leave a door open for two years, the idea that \u201cwe\u2019d notice\u201d is not much of a security strategy. And it\u2019s worth noting \u2014 this wasn\u2019t a database leak. It was Teams messages. The same collaboration tools your employees use every day are just as exposed as the platforms holding structured records.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Why traditional security tools miss this<\/h2>\n<p class=\"wp-block-paragraph\">Cloud Security Posture Management tools \u2014 CSPM \u2014 are designed to monitor infrastructure configuration: virtual machines, storage buckets, network rules, and IAM policies at the infrastructure level. They do an acceptable job at that layer. What they do not do is look inside SaaS applications. <a href=\"https:\/\/www.cisa.gov\/resources-tools\/services\/secure-cloud-business-applications-scuba-project\">CISA\u2019s Secure Cloud Business Applications (SCuBA) guidance<\/a> specifically calls out the gap between infrastructure security tools and SaaS-layer visibility as one of the most under addressed areas in enterprise cloud security.<\/p>\n<p class=\"wp-block-paragraph\">This is the gap SSPM was built to close. Instead of watching infrastructure, it watches the configuration of the SaaS applications themselves \u2014 permissions, sharing settings, who has access to what. And the distinction is not just academic. Infrastructure misconfigurations tend to expose systems. SaaS misconfigurations tend to expose data \u2014 directly, quietly, and often without any detectable attack activity at all.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\"><em>Figure 3: The six core visibility capabilities of SSPM<\/em>.\n<p class=\"imageCredit\">Ashish Mishra<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\"><a><\/a>What security teams should do now<\/h2>\n<p class=\"wp-block-paragraph\">You do not need to deploy a full SSPM platform tomorrow to start closing the gap. There are practical steps that move the needle immediately.<\/p>\n<p>Audit connected OAuth applications across your primary SaaS platforms. Revoke any integration that cannot be justified by a current business need.<\/p>\n<p>Common source of public data exposure: Review guest and external sharing permissions in Salesforce Communities and Microsoft SharePoint.<\/p>\n<p>Check whether legacy authentication protocols are disabled in Microsoft 365. Legacy auth bypasses MFA and becomes a potential entry point in enterprise environments.<\/p>\n<p>Establish a quarterly access review for high-privilege accounts in SaaS applications. Most organizations run annual reviews at best \u2014 that is not frequent enough for platforms that change configuration daily.<\/p>\n<p>A map of which SaaS applications hold sensitive data, and which have no security team ownership at all. That list will be longer than you expect.<\/p>\n<p class=\"wp-block-paragraph\">The core issue is not that organizations are careless. It is that they have built security programs around the perimeter and the infrastructure, and SaaS applications grew up inside that perimeter without ever being brought into scope. The data is there. The access is there. The misconfiguration is often there too. What has been missing is the visibility to see it.<\/p>\n<p class=\"wp-block-paragraph\">SSPM closes that gap. But even before a formal tool is in place, simply asking the question \u2014 what can the applications we already run see and share? \u2014 is a meaningful first step. In my experience, the answer surprises almost every organization that takes the time to look.<\/p>\n<p class=\"wp-block-paragraph\"><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><br \/><a href=\"https:\/\/www.cio.com\/expert-contributor-network\/\"><strong>Want to join?<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Most organizations I work with have invested heavily in cloud security. They have endpoint detection tools, SIEM platforms, cloud security posture management, and skilled security teams running on a 24\/7 shift. And yet, when I ask them a simple question \u2014 who has admin access in your Salesforce tenant right now? \u2014 The room goes [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8800,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8799","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8799"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8799"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8799\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8800"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}