JPMorganChase's (JPMC) Global CISO Patrick Opet recently issued a stark warning in an open letter to SaaS vendors: intense market competition has prioritized rapid feature development over security, creating vulnerabilities that threaten individual organizations and the global economic system.
Let’s dive deeper into the systemic risks Opet highlighted in this extraordinary open letter.
Systemic Risks Exposed
Organizations must rely on a limited pool of SaaS vendors, creating concentrated security risks in critical infrastructure. Opet notes: "Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers."
Security vs. Speed
Opet notes that vendors must prioritize foundational security over rushed feature releases. JPMC itself has experienced multiple incidents in the past few years that required swift isolation of compromised providers and substantial resources for threat mitigation.
Modern Architecture Vulnerabilities
Modern integration patterns built on identity protocols like OAuth create significant security blind spots: once a third-party application holds a token, its access is exercised outside the interactive login controls (MFA, device checks) that apply to users. For example, an AI-driven calendar optimization tool granted "read-only" access to corporate email is a high-value target if compromised, as demonstrated by the Midnight Blizzard attack on Microsoft, where attackers exploited a legacy test OAuth application to access corporate email accounts.
SaaS: The New Battleground
Despite increased organizational investment in SaaS security, The State of SaaS Security: Trends and Insights for 2025-26 report shows that misconfigured settings remain the leading cause of breaches. These misconfigurations take the form of over-privileged accounts or a failure to enforce authentication controls such as multi-factor authentication (MFA) and single sign-on (SSO). The consequences of not enforcing foundational controls such as MFA can be dire, as demonstrated by the Snowflake breach, where stolen credentials were used against customer accounts without MFA and 165 organizations were impacted, including AT&T, Santander and Ticketmaster. Part of the challenge stems from vendors shipping insecure defaults and from customers' unfamiliarity with proper security configuration. This is why CISA advocates "secure-by-default" SaaS, including mandatory MFA for privileged accounts, eliminating default passwords, and providing SSO and security logging at no additional cost.

Shared Responsibility
Many organizations, however, fail to understand their side of the shared responsibility model: the vendor secures the platform, but the customer is responsible for securing identities, configuration and data within the application. These gaps often remain unidentified until a breach occurs. Vendors must clearly define security boundaries, and customers must demand transparency about which security controls are whose responsibility.

Action Plan for Your Business
It's vital that you:
- Review security defaults across all SaaS providers and check which security logs and visibility your subscription tier actually provides
- Map your entire SaaS ecosystem, including unsanctioned applications
- Strengthen credential security through enforcing good password hygiene, MFA and SSO, to counter the breaches caused by stolen credentials and weak authentication
- Regularly audit and revoke unused OAuth tokens and third-party grants to minimize the SaaS-to-SaaS attack surface
- Prioritize rapid threat detection and response to limit the impact of a breach, since attacker timelines keep shortening
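The steps above are the kind of check a security team can script against its SaaS admin exports. The following is an added example, not code from Valence, JPMC or the original post: it audits a constructed sample tenant for the misconfigurations named here (missing MFA, password login where SSO should be enforced, dormant admins, and orphaned, stale or over-scoped OAuth grants) and produces a revocation list. The field names, the 90-day staleness threshold and the high-risk scope list are assumptions for illustration, not any vendor's real schema.

```python
"""Added example: audit a SaaS tenant's identity posture for missing MFA/SSO,
dormant admins and stale or over-scoped OAuth grants. All records below are
constructed; field names are an assumption modelled on what SaaS admin APIs
typically export, not any vendor's real schema."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Fixed "now" so the constructed sample gives repeatable results.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
STALE_DAYS = 90  # assumption: anything unused this long gets revoked

# Assumption: illustrative scopes that hand an app broad access to mail,
# files or the directory; real scope names differ per vendor.
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "files.read.all",
                    "directory.read.all", "full_access_as_app"}


@dataclass
class User:
    name: str
    role: str            # "admin" or "member"
    mfa_enrolled: bool
    sso_only: bool       # True when local password login is disabled
    last_login: datetime


@dataclass
class OAuthGrant:
    app: str
    granted_by: str
    scopes: Set[str]
    granted_at: datetime
    last_used: Optional[datetime]   # None: never used since it was granted


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    subject: str    # user name or app name
    detail: str


def audit_users(users: List[User]) -> List[Finding]:
    """Flag accounts lacking MFA or SSO enforcement, and dormant admins."""
    findings = []
    for u in users:
        if not u.mfa_enrolled:
            sev = "critical" if u.role == "admin" else "high"
            findings.append(Finding(sev, u.name, "no MFA enrolled"))
        if not u.sso_only:
            findings.append(Finding("medium", u.name,
                                    "local password login still enabled; enforce SSO"))
        if u.role == "admin" and NOW - u.last_login > timedelta(days=STALE_DAYS):
            findings.append(Finding("medium", u.name,
                                    f"dormant admin account, no login in {STALE_DAYS}+ days"))
    return findings


def audit_grants(grants: List[OAuthGrant], users: List[User]) -> List[Finding]:
    """Flag SaaS-to-SaaS grants that are orphaned, unused or over-scoped.
    Stale *and* broad is the combination an attacker hunts for, so it ranks
    highest and goes straight to the revocation list."""
    active = {u.name for u in users}
    findings = []
    for g in grants:
        risky = {s.lower() for s in g.scopes} & HIGH_RISK_SCOPES
        stale = NOW - (g.last_used or g.granted_at) > timedelta(days=STALE_DAYS)
        if g.granted_by not in active:
            findings.append(Finding("high", g.app,
                                    f"granted by departed user {g.granted_by}; revoke"))
        if stale and risky:
            findings.append(Finding("critical", g.app,
                                    f"unused for {STALE_DAYS}+ days with scopes {sorted(risky)}; revoke"))
        elif stale:
            findings.append(Finding("high", g.app, f"unused for {STALE_DAYS}+ days; revoke"))
        elif risky:
            findings.append(Finding("high", g.app,
                                    f"broad scopes {sorted(risky)}; confirm business need"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


def revocation_list(findings: List[Finding]) -> List[str]:
    """Apps whose grants should be revoked outright."""
    return sorted({f.subject for f in findings if f.detail.endswith("revoke")})


def run_audit() -> List[Finding]:
    """Run both audits over a constructed sample tenant."""
    def d(days: int) -> datetime:
        return NOW - timedelta(days=days)
    users = [
        User("alice", "admin", True, True, d(2)),
        User("bob", "admin", False, False, d(120)),    # no MFA, password login, dormant
        User("carol", "member", False, True, d(1)),    # no MFA
        User("dave", "member", True, True, d(5)),
    ]
    grants = [
        OAuthGrant("CalendarOptimizerAI", "alice", {"Calendars.ReadWrite", "Mail.Read"}, d(200), d(3)),
        OAuthGrant("LegacyTestApp", "erin", {"full_access_as_app"}, d(400), None),  # erin has left
        OAuthGrant("SlackConnector", "dave", {"chat.write"}, d(300), d(150)),
        OAuthGrant("DocViewer", "carol", {"files.read"}, d(30), d(10)),
    ]
    return audit_users(users) + audit_grants(grants, users)
```

Running `run_audit()` on the sample yields two critical findings (the admin without MFA and the never-used, departed-owner app holding a full-access scope), four high and two medium, and `revocation_list` returns the two grants to pull immediately. In a real tenant the same logic runs over exported user and app-consent lists; the scope list and thresholds are the pieces to tune per vendor.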
The Path Forward
Organizations that will thrive are those that:
- Demand stronger security by default from SaaS vendors
- Implement rigorous third-party risk management
- Build defense-in-depth strategies assuming compromise will occur
- Invest in comprehensive SaaS ecosystem risk visibility and remediation capabilities
- Deploy real-time SaaS threat detection to catch compromise as it happens
As Opet warns, addressing these risks is essential to prevent "an unsustainable situation for the economic system."
The stakes are clear: either collectively raise SaaS security standards or face increasingly severe consequences.
The time to act is now.
See how Valence secures the entire SaaS ecosystem by requesting a demo.