SaaS Security Risks: What Every CISO Must Know in 2025

Steve Zalewski (former CISO, Levi Strauss & Co.) and Gopi Ramamoorthy (Head of Security, Symmetry Systems) analyzed JP Morgan CISO Patrick Opet’s open letter to SaaS vendors and shared their insights on emerging concerns in enterprise security.

Written by
Shabdita Pareek
Published on
Jul 11, 2025

Over a decade ago, Marc Andreessen, in his essay published in The Wall Street Journal, declared “software is eating the world.” And while that remains true to this day, SaaS now sits at the centre of this feast.

But has rapid SaaS adoption created a security monster? JP Morgan believes so. Recently, JP Morgan CISO Patrick Opet, in a sharply worded letter to third-party suppliers, took aim at concentration risk, API sprawl, and SaaS vendors’ failure to bake in security by design.

To unpack this letter, Indus Khaitan, founder of Redblock AI, hosted a candid discussion with two cybersecurity leaders: Steve Zalewski, former CISO at Levi Strauss & Co., and Gopi Ramamoorthy, Head of Security and AI Security at Symmetry Systems.

They dissected JP Morgan’s open letter and shared their insights on rethinking security in a SaaS-first world. Below are excerpts from the discussion. After reading, you’ll learn:

  1. Why SaaS is the new attack surface
  2. Key questions every CISO should ask their SaaS vendor
  3. Why traditional controls are not enough

Why did a bank clap back at SaaS and how is SaaS adoption creating a new kind of risk?

Steve: This may be a case where drinking two sodas a day is okay. Drinking a hundred sodas a day is not okay. We've reached a magnitude of consumption of a service that at this point has far outstripped its initial design state. And I think, to a certain extent, the risk we're facing is that we've embraced it far beyond what it was originally designed to do. That’s what he's calling out in his letter.

Gopi: We’ve been seeing a trend of adopting SaaS over the last 10 years. But recently, there’s been massive growth in SaaS. We give data access to a third party, and when they don’t have time to develop all the features, they pass access to a fourth party and even a fifth party to provide services, which, as a CISO, I don't even know about.

Now with JP Morgan managing close to $4 trillion in assets, they need to pay close attention to who has access to their financial and system frameworks.

Are traditional security controls enough anymore?

Steve: We’ve raised the alarm periodically—like saying it’s bad to drink a hundred sodas a day. But now, he’s not just saying it’s bad. He’s showing themes around defense in depth and how attackers are pivoting to exploit something we’ve come to rely on. Over the years, we’ve talked about third-party and fourth-party risk management. We’ve done vendor security assessments (VSAs), but they’re effectively a paper exercise—“trust me” answers with no way to verify them.

As SaaS platforms are running critical parts of the business, adversaries are noticing. They’re pivoting, and some security controls we’ve relied on, like identity and access management, authentication, and authorization, no longer cover the new ways businesses operate. This is exposing weaknesses in our traditional security and architecture stacks. Addressing them requires fundamentally rethinking how we approach business architectures.

Gopi: The standard set of controls is broken in many places, especially around the identity perimeter. We used to have identity under multiple layers. But with SaaS, the identity for the application could come from our IDP, through their IDP, or only from their IDP. This makes access control complicated—and often easy to break.

I implement CIS controls in my organization, but the software footprint I directly control could be only 8% or 20%. Because I’m using a lot of SaaS, my CIS controls may cover just 20% of all the software I’m responsible for as a CISO, while 80% lies outside my control. That hits me hard. Even though I run security assessments and perform periodic access reviews for my applications and SaaS, I’m always nervous about whether my coverage is complete.

SaaS vendors update their applications every day. I configure security controls and settings for these apps, but with their updates and releases, those configurations can sometimes be wiped out. Not only the user access alerts we set, but also the preferred security configurations. And I don’t even have the option to set alerts if my configurations are wiped out. These issues make managing SaaS applications nerve-wracking.

How has SaaS weakened the enterprise security perimeter?

Steve: Traditionally, for security, as a CISO I talk about: where’s my network perimeter?

For the most part, we had private data centers. I could control 95–98% of my destiny because I had everything within the data centers. I could set a hard network edge. Then we went with SaaS. The “sexy” part of SaaS is I no longer have them in my data centers. I don’t have to spend the time to stand it up, to own it. It’s just a network connection. I can let the business move faster and outsource a whole bunch of functions that just don’t make sense to stand up myself.

All of a sudden, my network edge disappeared.

Now, if I look at my service edge, it’s like: Where is the service edge? Is it the data I now have to protect? Am I relying on IAM to do this? Am I looking at my laptop itself, and my service edge is my web client?

That transition is that I went from controlling 98% of my destiny and my network edge to maybe only having control over 20, 30, or 40% of my edge. The rest is all out in SaaS. All I can do is establish trust on my side with SaaS. I can ask for terms and conditions. I can ask for VSAs. But I fundamentally have to trust these third- and fourth-party infrastructures with my data. As a CISO, I’ve lost control of the majority of the ways I can manage to protect my company.

Is identity the new perimeter?

Steve: The first thing is you have to understand what the problem is and acknowledge you have the problem.

The way I characterize this is: human identity management to a business application has traditionally meant authentication and then role-based access control. For most of our careers, that’s been our primary responsibility.

Now what you’re seeing is this concept of identity is no longer just a human in a business application. It’s now the data itself. It’s API keys being used in a whole variety of ways, including AI.

So we’re having to rethink identity and access management—the types of identities that now fall into scope. Based on that and this delegation, how do I look at authorization? How do I look at contextual authorization? How do I look at continuous contextual authorization?

At a transactional level—not at a business level—I’m trying to understand: not “is this authenticated?” not “is it authorized?” but “is it appropriate at this point in time that the authorization be executed?”

That rethinking of identity access management—where we have to do it in the stack—is what many in the industry are now starting to appreciate. It’s about resiliency and identifying what’s happening, as opposed to just preventing bad things from happening. That’s now becoming a primary thrust. But it’s a very difficult thing for a lot of us to embrace.

Are APIs and API Keys Friends or Frenemies for CISOs?

Gopi: The business is trying to grow, compete with rivals, and venture into new markets, products, and M&A. That makes things complicated for CISOs.

I’ve seen in FinTech environments where not just data or identity, but processes are critical. For example, ACH processing at night involves billions of dollars. If the process fails, there’s a huge loss.

So with SaaS, we need to analyze identity level, privilege level, and access level—not just actions, but access to systems and data.

Will this get resolved? For critical applications, we must resolve it. A smart CISO will tier their SaaS applications—tier one apps must be secured with vendors. Tier two and three can be worked on gradually. As CISOs, we’ll always have hundreds of battles to fight, but we must pick and solve the critical ones.

Is the Real Frenemy the SaaS Vendor—or Your Own Business?

Steve: Who is the frenemy? Is it the SaaS vendor or my lines of business?

As a CISO, I’m realizing my relationship with the business is changing. I used to think: ‘If the business would just do what I say, I could guarantee we won’t be breached.’ But the business says: ‘The friction of doing what you say is too high—I need to make money.’ That friction turns me into an enemy, even though I keep saying I’m their friend.

So what do I do? If I stop the business from innovating, I protect security but stall growth. But I also can’t just let them ‘play in traffic’ without safeguards.

I need to enable the business to grow while minimizing risk. It’s no longer about deploying 200 tools and forcing rigid processes. It’s about letting the business run and ensuring they don’t get hit—or if they do, limiting the damage.

Are Frequent Software Releases a Security Malpractice?

Steve: SaaS products must have higher degrees of built-in security. They own that obligation. Microsoft has twice paused operations to bake in security, recognizing their fiduciary responsibility to the ecosystem.

SaaS vendors are now foundational, like operating systems. They need time to build security in. For startups, this is tough—they must ship functionality fast to survive.

As an industry, we need to give them time and funding to build security into MVPs. CISOs must work with their businesses to delay decisions when necessary and prioritize securing critical SaaS apps first.

This isn’t just about prevention anymore. It’s about enabling business growth while building resilient security foundations.

Gopi: It’s like high-speed trains in Japan. To run at 300 mph, you need additional monitoring and controls. SaaS vendors delivering code weekly or daily must automate and run more tests—not 60, but 200—to ensure security isn’t compromised.

Initially, it might fail. But over time, as processes mature, they can deliver at high speed with greater confidence.

What’s the One Hard Question You’d Ask Vendors Tomorrow?

Gopi: I’d ask: How do you protect my data? If the application fails, I can restore it. If an endpoint is lost, I can replace it. But if data is lost or stolen, it’s irreversible.

Steve: I’d ask: Show me your secure software development lifecycle (SDLC). If you’re a small company with an SDLC process, I can grow with you. If you’re a large company, I need to see consistent implementation across your organization. I can’t put security on a non-existent process.

What’s the Most Cost-Effective Security Control for SaaS?

Gopi: Many companies still haven’t implemented continuous penetration testing—both internal and external. Automated, data-centric pen tests need to become the norm.

Steve: Identity and access management is the most cost-effective. If I don’t know who has access to what, every other security control is useless.

At the same time, CISOs must generate evidence of compliance to satisfy auditors—hiding in the herd, so to speak. This dual focus is key.

Conclusion: What’s next for CISOs

JP Morgan's letter serves as a wake-up call for the entire SaaS ecosystem. As Steve Zalewski aptly summarized: "We have to understand now that SaaS is like the operating system. The SaaS vendors have to have the time to bake the security in."

The path forward requires collaboration between CISOs, businesses, and SaaS vendors to create a more secure foundation for the digital economy.

References

JPMorgan Chase & Co. Open Letter to Our Suppliers. 9 Apr. 2024, https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers.

Software as a Service (SaaS) Market to Grow by USD 327.6 Billion from 2022 to 2027: Increased Use of Mobile Apps to Drive Growth—Technavio. Yahoo Finance, 25 Oct. 2023, https://finance.yahoo.com/news/software-saas-market-grow-usd-025000827.html.
