An error in the SaaS platform of an S&P 500 company leaks data over the internet. The news of a configuration error found in nearly 70% of ServiceNow instances was reported Wednesday by AppOmni, a SaaS security provider.
According to AppOmni, the incorrect configuration resulted from a combination of customer-managed configurations and excessive granting of permissions to guest users. ServiceNow has more than 25,000 customers, most of whom have 50 to 200 employees and have revenues in the range of $1 million to $10 million.
AppOmni explained in a news release that these types of misconfigurations are common on major SaaS platforms because of the complexity that inevitably comes with the high level of functionality, flexibility, and extensibility of SaaS.
“This type of issue is not limited to ServiceNow,” AppOmni CEO Brendan O’Connor told CSO. “We’re seeing major data exposures across many SaaS platforms,” he said. “We’ve seen an increase in attacks over the past few weeks on many SaaS applications.”
SaaS applications do not get adequate security scrutiny
Incorrect configurations can occur during the initial phase of implementation of a SaaS platform, when users or settings change, or as part of the regular rhythm of SaaS updates that can affect current configurations, AppOmni explains. The company developed SaaS Security Analyzer, a free web application that will determine if a ServiceNow instance has this incorrect configuration.
O’Connor said his company is working with ServiceNow to clear up the problem. However, he added, “We strongly advise ServiceNow customers to manually check this issue themselves.”
“SaaS applications, in general, aren’t getting the security scrutiny they need,” O’Connor said. “Most customers think the cloud provider manages everything for them. They don’t understand the shared responsibility model, and what their obligations are in protecting their data and properly configuring and using SaaS.”
Extreme digital change is contributing to security problems
O’Connor compared SaaS errors to previous problems with AWS S3 buckets. “It’s not a software flaw in the cloud provider,” he said. “It’s a common pattern where customers, generally unintentionally, expose internal data from their SaaS platform to the outside world. What we’re reporting now is that in up to 70% of the cases we’ve reviewed, we found this exposure exists without any authentication. You don’t need a password. You don’t need to log into someone’s computer.”
O’Connor added that the intense digital transformation of companies over the past two years has contributed to security problems in many organizations. “The pandemic has forced more and more companies to embrace the cloud,” he said. “The cloud is secure, but in our haste to move to the cloud, there are some security things that organizations don’t notice. I think organizations may not have had the time to build the right level of security investigation into their architecture while they moved in the cloud.”
Copyright © 2022 IDG Communications, Inc.