Cloud Security Alliance introduces first SaaS security standard
An industry-first framework for SaaS security has been published by the Cloud Security Alliance, with AppOmni among its lead authors, addressing a notable gap in technical security standards for SaaS applications.
The SaaS Security Capability Framework (SSCF) sets out a minimum set of technical security controls that SaaS applications should provide, particularly those that fall under the responsibility of end-user organisations under the Shared Security Responsibility Model. This development follows a series of attacks targeting prominent SaaS platforms, including Salesforce applications, which recently prompted warnings from the FBI.
Critical gap exposed
Several high-profile attacks have highlighted vulnerabilities in the SaaS ecosystem, affecting over 700 organisations. Threat groups such as UNC6040 and UNC6395 have exploited weaknesses unique to SaaS platforms, including issues with identities, permissions, and the integrations between applications. These incidents underscore that adversaries are leveraging the very tools intended to streamline business operations.
Previous commentary from AppOmni has emphasised the importance of extending Zero Trust frameworks to SaaS environments. While these principles are established in traditional on-premises and infrastructure-as-a-service environments, many SaaS applications lack the necessary controls to enable their adoption, leaving security teams to manage environments without adequate mechanisms.
Details of the framework
The SSCF addresses shortcomings in current risk management processes by defining clear, customer-facing security controls for SaaS applications, going beyond generic industry certifications such as SOC 2 and ISO 27001. By standardising these capabilities, the framework aims to reduce inconsistent implementations, duplicated efforts, and potential security risks across the SaaS landscape.
According to the Cloud Security Alliance, the SSCF offers tangible benefits for a variety of stakeholders. Vendor assessment processes can become more efficient for Third-Party Risk Management teams, while SaaS vendors benefit from a reduced need to answer bespoke security questionnaires. For security engineers, the framework acts as a checklist to ensure critical controls are in place when evaluating or deploying SaaS products.
Brian Soby, AppOmni co-founder & CTO, and SSCF lead author, commented, "The SaaS Security Capability Framework represents a significant step forward for the industry. It provides a clear, consistent, and much-needed standard that will help organizations move past outdated risk assessments and truly build Zero Trust principles into their SaaS environments. It was an honor to contribute alongside an incredible group of industry leaders to help bring this framework to life."
A phased, risk-based approach is recommended for adoption, with the framework's guidelines designed to flex according to the needs and operating contexts of different organisations. Key controls reside in the Change Control and Configuration Management, Identity and Access Management (IAM), and Logging and Monitoring (LOG) domains. These help organisations establish secure baselines and detect anomalies or overly permissive access within their SaaS environments.
Implementation challenges
On the vendor side, the challenge lies in making the full suite of security controls available within their SaaS applications. For customers, effective use of these controls is essential and requires adapting them to specific organisational requirements. Centralising security data from multiple SaaS sources remains complex, but the framework encourages the use of emerging solutions, such as SaaS Security Posture Management, to address these issues.
Analysis of recent attacks suggests that the framework's required controls could have mitigated or prevented these incidents. IAM-SaaS-19 (Third-party Allowlisting) could have blocked malicious third-party integrations, while IAM-SaaS-06 (NHI Governance) would have flagged unauthorised non-human identities. LOG-SaaS-01 (Logged Events Scope) would have enabled rapid detection and improved incident response through comprehensive forensic data.
SaaS audit log challenges
Audit logging remains a significant hurdle for SaaS security, given the wide variation in APIs and the non-uniform terminology across platforms. This hampers security teams' ability to maintain consistent visibility and respond swiftly to potential incidents. To address this, AppOmni's Threat Detection team has released an open-source SaaS Event Maturity Matrix to standardise and catalogue event logging capabilities, thereby enhancing detection and response activities for security professionals.
GenAI and forthcoming considerations
While generative AI applications are not explicitly covered in the current version of the SSCF, security best practices suggest that these tools should be managed in line with existing controls around identity, access, logging, and data transparency. AppOmni recommends treating GenAI applications as a new category of non-human identities, subject to the same principles of least privilege and comprehensive logging.
Lefteris Skoutaris, Associate Vice President, GRC Solutions, said, "The SSCF addresses a critical gap in SaaS security by establishing the first industry standard for customer-facing security controls. This framework exemplifies CSA's mission to unite diverse industry partners (from SaaS providers to enterprise customers) in creating practical solutions that translate compliance requirements into actionable security capabilities that organizations can actually configure and enforce."
The Cloud Security Alliance positions the SSCF as an initial step toward more comprehensive SaaS security standards and practices, with the intention of future updates and enhancements as the industry matures and requirements evolve.