The blame lies with customer misconfigurations, not flaws in the SaaS platform. Credit: GrandeDuc / Getty Images A configuration error in the SaaS platform of an S&P 500 company is leaking data on the internet. News of the misconfiguration mistake found in nearly 70% of ServiceNow instances tested was reported Wednesday by AppOmni, a SaaS security provider.According to AppOmni, the misconfiguration resulted from a combination of customer-managed configurations and over-provisioning of permissions to guest users. ServiceNow has more than 25,000 customers, most of them with 50 to 200 employees and with revenues in the $1 million to $10 million range.AppOmni explained in a news release that these types of misconfigurations are common across major SaaS platforms due to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility.“This type of issue is in no way limited to ServiceNow,” AppOmni CEO Brendan O’Connor tells CSO. “We are seeing major data exposures across multiple SaaS platforms,” he says. “We have seen an uptick in attacks over the past couple of weeks across multiple SaaS applications.” SaaS applications don’t get adequate security scrutinyMisconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations, explained AppOmni, which has developed the SaaS Security Analyzer, a free web application that will determine if a ServiceNow instance has this misconfiguration.O’Connor says his company has been working with ServiceNow to clear up the problem. However, he adds, “We are strongly advising ServiceNow customers to manually check for this issue themselves.” “SaaS applications, in general, don’t get the security scrutiny that they require,” O’Connor says. “Most customers think that the cloud provider handles everything for them. They don’t understand the shared responsibility model, and what their obligations are in protecting their data and properly configuring and using SaaS.”Extreme digital transformation contributes to security problems O’Connor compared SaaS misconfigurations to past problems with AWS S3 buckets. “It’s not a software flaw in the cloud provider,” he says. “It’s a common pattern whereby customers, generally unintentionally, expose internal data from their SaaS platform to the external world. What we’re reporting today is that in up to 70% of the cases we’ve analyzed, we’re finding this exposure exists without any authentication. You don’t need a password. You don’t need to break into someone’s computer.”O’Connor adds that the extreme digital transformation of companies during the past two years has contributed to security problems at many organizations. “The pandemic has forced more and more companies to embrace the cloud,” he says. “The cloud is secure, but in our rush to migrate to the cloud, there are some security things that organizations have overlooked. I think that organizations may not have had the time to build the right level of security scrutiny into their architecture as they moved into the cloud.” Related content news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices feature 20 years of Patch Tuesday: it’s time to look outside the Windows when fixing vulnerabilities After two decades of regular and indispensable updates, it’s clear that security teams need take a more holistic approach to applying fixes far beyond the Microsoft ecosystem. By Susan Bradley Dec 06, 2023 6 mins Patch Management Software Threat and Vulnerability Management Windows Security feature What should be in a company-wide policy on low-code/no-code development Low-code/no-code development could bridge the gulf of development backlogs that exists between great ideas and great execution of digital innovation. But not without security policies around areas like access control, code quality, and application vi By Ericka Chickowski Dec 06, 2023 15 mins Application Security Security Practices news analysis Cisco unveils AI-powered assistants to level up security defenses New AI-driven tools aim to simplify and bolster policies, alerts and prevention to reduce complexity when setting security policies and assess traffic without decryption. By Rosalyn Page Dec 05, 2023 5 mins Encryption Cloud Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe