An Open Letter to All SaaS Vendors: Your Customers Need You to Step Up

Shlomi Matichin
September 24, 2025

Dear SaaS vendors, please read this!

Securing your servers, your cloud, and your internal processes is no longer enough. It doesn’t matter how amazing your MFA implementation is if customers aren’t turning it on—attackers will simply walk right in using the most basic password attacks. It doesn’t matter how strong your least privilege model is if an inexperienced administrator assigns admin roles to all users, opening the door to leaks and incidents. To properly secure SaaS applications, customers must do their part, which is what we commonly refer to as the Shared Responsibility Model.

But here’s the real question: why should you care? Because misconfigurations aren’t just a theoretical risk, they’re at the center of some of the most damaging breaches in recent memory. Think of the recent Salesforce incidents and last year’s Snowflake breach: attackers didn’t exploit some exotic zero-day, they simply leveraged basic gaps in SaaS configuration and identity hygiene. The lesson is clear—when vendors don’t enable customers to implement strong security, everyone pays the price.

However, your customers have limited resources. Many have a tiny security team responsible for your app’s security alongside hundreds of other SaaS apps. And some SaaS vendors, well... they don’t make it easy. Not out of malice, but because they fail to provide enough foundational support for security processes at scale.

That's where the SaaS Security Capabilities Framework (SSCF) comes in—a new framework from the Cloud Security Alliance, composed by industry experts on SaaS security, including yours truly. The SSCF focuses on specific technical security controls that are configurable by customers and expected as part of the Shared Responsibility Model.

Here’s the part where your help is required: To support secure SaaS adoption across both your organization and your customers, the SSCF defines a baseline set of capabilities and feature requirements that every SaaS vendor should implement. Check out the initial framework here and stay tuned for future versions that will include self-attestation templates and auditing guidelines.

To get started, focus on these foundational elements:

  • API Access to Security Configurations and Accounts (including NHIs): Customers need programmatic visibility into who and what has access to their environment. Without APIs, they’re blind.
  • Comprehensive Logging: Security teams can’t detect or investigate incidents if critical events go unlogged or key data is missing. Proper logs are the backbone of SaaS security operations.
  • Clear Documentation of Security Features: Even the best controls are useless if customers don’t know they exist or how to use them. Documentation accelerates adoption and prevents missteps.

These capabilities were designed to require minimal technical lift—yet solve huge pains for security teams, while enabling leading SaaS security providers like Valence to deliver complete coverage. Too often we find platforms that lack API access to the list of accounts, or that require full admin entitlements to retrieve it. Too often we meet platforms with significant gaps in log data, or no ability to enumerate what can programmatically access the tenant. You can’t conduct an access review if you have no data to review.
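To make the point concrete, here is the kind of access review a customer's security team can run once a vendor exposes an account inventory through an API. This is an added example, not code from this letter, from the SSCF, or from Valence. It assumes a hypothetical vendor endpoint that lists human users and non-human identities (API tokens, OAuth apps) with their roles, MFA state, owner and last activity; the inventory below is constructed sample data standing in for that endpoint's JSON response, and the field names are assumptions, not any vendor's real schema. The review flags exactly the gaps described above: admins without MFA, NHIs holding admin entitlements or lacking an owner, and accounts that have gone stale.

```python
"""Access review over a SaaS tenant's account inventory.

Added example, not from the SSCF or Valence. It assumes a hypothetical
vendor API that returns human accounts and non-human identities (NHIs)
with roles, MFA state, owner and last activity. The inventory below is
constructed sample data in that assumed shape.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response (hypothetical field names, not a real vendor's schema).
SAMPLE_INVENTORY = json.dumps({
    "accounts": [
        {"id": "u1", "type": "user", "name": "alice@example.com",
         "roles": ["admin"], "mfa_enabled": True, "last_active": "2025-09-20T10:00:00Z"},
        {"id": "u2", "type": "user", "name": "bob@example.com",
         "roles": ["admin"], "mfa_enabled": False, "last_active": "2025-09-22T08:30:00Z"},
        {"id": "u3", "type": "user", "name": "carol@example.com",
         "roles": ["viewer"], "mfa_enabled": False, "last_active": "2025-03-01T12:00:00Z"},
        {"id": "t1", "type": "api_token", "name": "ci-deploy",
         "roles": ["admin"], "owner": "alice@example.com", "last_active": "2025-09-23T01:00:00Z"},
        {"id": "t2", "type": "oauth_app", "name": "old-integration",
         "roles": ["read"], "owner": None, "last_active": "2024-11-15T00:00:00Z"},
    ]
})

# Fixed "now" so the review is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 9, 24, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)


def parse_inventory(raw):
    """Decode the (assumed) API response into a list of account dicts."""
    return json.loads(raw)["accounts"]


def _last_active(acct):
    # ISO 8601 with a trailing Z; normalise for fromisoformat on older Pythons.
    return datetime.fromisoformat(acct["last_active"].replace("Z", "+00:00"))


def review(accounts, now=NOW):
    """Return (account_id, finding) pairs for the configuration gaps the letter describes."""
    findings = []
    for acct in accounts:
        is_admin = "admin" in acct["roles"]
        stale = now - _last_active(acct) > STALE_AFTER
        if acct["type"] == "user":
            if is_admin and not acct["mfa_enabled"]:
                findings.append((acct["id"], "admin_without_mfa"))
            if stale:
                findings.append((acct["id"], "stale_user"))
        else:  # any non-user record is a non-human identity
            if is_admin:
                findings.append((acct["id"], "nhi_with_admin"))
            if not acct.get("owner"):
                findings.append((acct["id"], "nhi_without_owner"))
            if stale:
                findings.append((acct["id"], "stale_nhi"))
    return findings


def admin_share(accounts):
    """Fraction of human users holding the admin role (catches 'everyone is admin')."""
    users = [a for a in accounts if a["type"] == "user"]
    if not users:
        return 0.0
    return sum("admin" in a["roles"] for a in users) / len(users)


def summarize(findings):
    """Count findings by kind, for a quick report."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    accounts = parse_inventory(SAMPLE_INVENTORY)
    for acct_id, kind in review(accounts):
        print(f"{acct_id}: {kind}")
    print(f"admin share among users: {admin_share(accounts):.0%}")
    print(summarize(review(accounts)))
```

Every check in the script depends on a field the vendor has to expose: without `mfa_enabled` there is no MFA review, without `owner` on tokens and OAuth apps orphaned NHIs are invisible, and without `last_active` nothing can be judged stale. That is the practical meaning of the API requirement above.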

CISOs, ask your vendors to adhere to this framework. Make it a requirement in your procurement process. You’ll be able to implement proper security practices across your SaaS stack and run high-impact, relevant security projects, rather than leaving your team frustrated and shrugging at SaaS security challenges.
