JPMorgan Chase’s CISO, Patrick Opet, recently raised serious concerns about the software-as-a-service (SaaS) model. He believes it is becoming a ticking time bomb that cyber attackers can exploit, posing risks that could shake the global economy. In an open letter aimed at third-party suppliers, he criticized many software companies for making SaaS the only option for delivering software. This setup forces customers to depend heavily on these providers and concentrates the risk in them.
While SaaS can be efficient, Opet pointed out that it amplifies any existing weaknesses. This means that if something goes wrong, the fallout could be massive. He shared that JPMorgan Chase has encountered various incidents with third-party providers over the past three years. These situations forced the bank to act quickly, isolating compromised suppliers and allocating significant resources to address the threats.
He didn’t name specific suppliers, but he expressed frustration that things seem to be getting worse. He’s noticed recurring issues like weak authentication security and vendors accessing customer systems without proper consent. The introduction of automation and AI only complicates these vulnerabilities. He specifically mentioned that threat actors, particularly from China, are increasingly targeting organizations that have deep access to sensitive customer data.
Opet proposed a three-step plan for SaaS providers to tackle these issues before they escalate further. He urged them to prioritize cybersecurity in the design phase, enhance security architectures to better manage risks, and improve collaboration to combat abuses of interconnected systems.
Mark Townsend from AcceleTrex echoed Opet’s frustrations, saying customers feel that IT suppliers aren’t doing enough to safeguard their products. He noted that while vendors often present annual security reports, numerous events can occur in a year that impact security. He emphasized the need for more transparency between vendors and consumers regarding how data is protected.
Donato Capitella and Nick Jones from Reversec highlighted specific areas where SaaS applications often fall short. They pointed out issues such as gating single sign-on behind higher-priced plans and the lack of comprehensive audit logging, which makes it harder for organizations to detect and respond to attacks.
They hope Opet’s letter will push SaaS vendors to create more robust, secure products that put security first for their customers.