SaaS applications play a critical role in attack surface expansion as businesses continue to increasingly depend on them for critical operations and data management. Many organizations however overlook SaaS security, assuming that the SaaS vendor will protect customer data and application usage. This leaves a major blind spot for security teams, and a prime opportunity for malicious actors around the globe. In fact, 81 percent of organizations have sensitive SaaS data exposed according to Veronis.
NetSPI’s new SaaS Security Assessments leverage both automated and manual testing methods in accordance with industry standards like the CIS Benchmarks, with additional security checks developed from years of industry-leading application and cloud assessments. During each engagement NetSPI will uncover critical vulnerabilities and misconfigurations, provide actionable guidance for fast and thorough remediation, and ultimately improve overall SaaS security posture.
NetSPI’s SaaS Security Assessments target two global SaaS leaders, Salesforce and Microsoft 365, with three unique solutions:
This offering provides comprehensive insights into the security of our customers’ Salesforce web applications and integrations, with actionable recommendations to reduce business function risk. Testing is focused on data storage, integrations, authentication mechanisms, and Salesforce-hosted applications. Access to sensitive organizational data is tested in the contexts of both the intended, authenticated user of the instance as well as the unauthenticated Guest user.
2. Salesforce Configuration Audit
Designed to guide security posture enhancements of Salesforce instances, this offering aims to minimize potential risks and vulnerabilities that stem from the shared responsibility SaaS security model. Testing is focused on the manual and automated review of instance users and their assigned roles, Salesforce Object permissions, Apex code, setup settings, and data storage configurations. Additional review focuses on API hardening, black box scenarios, and the potential for novel attack paths.
Leveraging automated scanning and manual testing methods, NetSPI uses commercial, open source, and proprietary software to assess and identify Microsoft 365 security vulnerabilities and misconfigurations. NetSPI uses five key steps to improve our customers’ M365 security:
- Automated Configuration Gathering
- Manual Configuration Gathering
- Configuration Analysis and Vulnerability Enumeration
- Vulnerability Enumeration and Manual Verification
- Reporting Findings
Each of these were built to provide actionable insights into identity and access management, data management, data storage, email security, account protection, password protection, integrations, and more, with test results being delivered in real-time through NetSPI’s PTaaS Platform to streamline reporting and remediation.
This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).
Read past solutions update blogs: