Top 3 Takeaways from the SaaS Application Risk Report

Spin.AI has recently released its SaaS Application Risk Report, detailing findings from SpinOne, its SaaS Security platform. It details the risks associated with SaaS applications and browser extensions connected to enterprise SaaS environments with access to critical or sensitive data. Note the following key takeaways, or click here to download the full report.

1. Over 75% of SaaS applications are considered medium or high-risk applications

SaaS applications are common in today’s hybrid workforce, requiring thorough risk assessments for data access. Manual assessments can take SecOps teams up to two weeks per app, making automation crucial for efficient evaluations, especially with numerous apps connected to Google Workspace or Microsoft 365.

The report revealed that 35% of apps with OAuth permissions to Google Workspace or Microsoft 365 are high-risk, including 24% for Microsoft and 35% for Google environments. Considering both high (34.63%) and medium risk (41.11%), over 75% of SaaS applications pose significant threats to data stored in these platforms.

Several factors contribute to high application risk levels. First, enterprises struggle to inventory, assess, and control application sprawl, as assessments need continuous tracking of changing vulnerabilities. Second, OAuth abuse allows malicious applications to impersonate legitimate ones, enabling data theft or manipulation. Lastly, organizations may incorrectly assume tools like Microsoft Defender assess all application risks, potentially overlooking security gaps exploitable by risky applications.

2. A large percentage of SaaS applications have high levels of access

The report also illustrates the range of access levels applications can have to SaaS data in enterprise environments, such as Google Workspace. For instance:

• Over 43% can read, compose, send, and permanently delete all user emails in Gmail
• Nearly 46% can see, edit, create, and delete all user Google Drive files

Many applications extend the default Gmail and Google Drive functionality and are granted high-level permissions to manage and extend these popular Google Workspace applications. Unfortunately, these SaaS application extensions and plugins are commonly installed by end-users and necessitate extensive permissions.

3. Risky applications often have high levels of permissions and poor review

Approximately 56% of high-risk applications have extensive permissions, and nearly 39% receive poor marketplace reviews. A key takeaway is organizations often have poor visibility and control over the SaaS applications installed in their environments. These quickly become blind spots for cybersecurity teams.  

Organizations must regularly assess SaaS applications to combat this risk, as SaaS application risk can change over time. This fact is well-illustrated by the recent LastPass breach, where millions of passwords were placed at risk overnight. When risk scores change, companies need the tools and policies to remove risky applications from the organization quickly.

Disrupt SaaS application risks with modern security strategies

Mature organizations adopt a comprehensive approach to third-party SaaS application security, which includes:

• Application Inventory – Maintain a real-time inventory of applications and extensions with access to your environment to understand the operational, security, privacy, and compliance risks they pose.
• Risk Assessments – Conduct ongoing assessments to secure SaaS applications and identify potential security risks, considering data processed, stored, or transmitted through the application.
• Policies – Establish and enforce policies based on third-party risk management frameworks, considering SaaS applications’ dynamic nature, operational use, and business risks and needs.
• Controls – Implement automated controls to allow or block applications based on organizational policies, reducing the workload of security resources and managing the numerous SaaS applications used within organizations.

To effectively mitigate SaaS app risks, businesses must adopt a comprehensive approach to manage the entire risk lifecycle. It involves effectively discovering all SaaS applications connected to the environment and which applications can access which data. It also involves proactive, continuous risk assessments of all connected SaaS apps. Finally, as risk may change over time, organizations must leverage automated risk assessments and modern cybersecurity tools to eliminate the threat. Click here to download the full 2023 SaaS Application Risk Report.