Learn about the emerging threats to SaaS security and how different firms are addressing them.

In partnership with CSA, the 2022 SaaS Security Survey Report explores the state of SaaS security as seen by CISOs and security professionals in today’s organisations. The research compiles anonymous replies from 340 CSA members to look at not only the emerging dangers in SaaS security, but also how different companies are already addressing them.


The majority of responders (71%) were from the Americas, followed by 17 percent from Asia, and 13 percent from EMEA. The decision-making process is influenced by 49 percent of the participants, while the process is run by 39 percent. The survey looked at companies from a number of industries, including telecommunications (25%), finance (22%), and government (22%). (9 percent).

The study yielded a number of conclusions, and Adaptive Shield has compiled a list of what they think to be the top seven.

1: SaaS Misconfigurations are Leading to Security Incidents

Since the beginning of 2019, SaaS misconfigurations have become a top concern for businesses, with at least 43% of companies reporting one or more security incidents as a result of a SaaS misconfiguration. However, because many other companies say they don’t know if they’ve had a security event, the number of SaaS misconfiguration-related occurrences could be as high as 63 percent. When compared to the 17 percent of security problems caused by IaaS misconfiguration, these figures are eye-opening.

Learn how to prevent misconfigurations in your SaaS stack.

2: The leading cause of SaaS misconfigurations is reported to be a lack of visibility and too many departments with access.

While there are various things to consider, poll respondents limit it down to two major causes: having too many departments with access to SaaS security settings (35 percent) and a lack of insight into changes in SaaS security settings (25 percent) (34 percent ). These are two intertwined challenges, neither of which is unexpected. One of the main causes of lack of visibility is that too many departments have access to security settings, and many of these departments lack sufficient security training and focus.

3: SaaS Security Tools and Staff are Outpacing Investment in Business-Critical SaaS Applications.

It’s common knowledge that organisations are adopting more apps; in fact, 81 percent of respondents claim they’ve raised their spending in business-critical SaaS applications in the last year alone. Investing in security tools (73%) and manpower (55%) for SaaS security, on the other hand, is lower. This inconsistency places a greater burden on existing security teams to keep track of SaaS security.

4: Organizations are exposed because of manual identification and remediation of SaaS misconfigurations.

46% of firms that manually monitor their SaaS security do it only once a month or less, and 5% do not do so at all. It takes longer for security personnel to fix a misconfiguration once they’ve discovered it. When manually resolving a misconfiguration, about one out of every four enterprises takes one week or longer. Organizations are vulnerable as a result of the long lead time.

5: Use of an SSPM reduces timeline to detect and remediate SaaS misconfiguration

The flip side of result #4 is that firms that have adopted an SSPM can detect and rectify their SaaS misconfigurations more quickly and accurately. The bulk of these companies (78%) use an SSPM to monitor their SaaS security parameters at least once a week. When it comes to fixing the misconfiguration, 81% of firms that use an SSPM can do it within a day to a week.

6: 3rd party app access is a top concern

Third-party programmes, sometimes known as no-code or low-code platforms, can increase productivity and make hybrid work possible. They are necessary for the development and scaling of a company’s work processes. Many users, on the other hand, connect to 3rd party apps without thinking about the permissions that these apps require. Permissions and subsequent access granted to these third-party programmes, if accepted, could be as benign or as harmful as an executable file. Employees are connecting to their organization’s business-critical apps without visibility into the SaaS-to-SaaS supply chain, and security departments are blind to many potential dangers. As companies implement SaaS applications, one of their main concerns is a lack of visibility, particularly in terms of third-party application access to the core SaaS stack (56 percent).

7. Planning Ahead and Implementing SSPM

Despite the fact that the category has only been on the market for two years, it is rapidly maturing. SSPM received a “somewhat familiar” rating in a comparison of four cloud security solutions. Furthermore, 62% of respondents say they are now utilising or planning to use an SSPM in the next 24 months.


The 2022 SaaS Security Survey Report provides information on how businesses use and safeguard SaaS applications. There is little doubt that as businesses embrace more business-critical SaaS programmes, the risk increases. Companies should begin safeguarding themselves through two best practises to meet this threat front on:

Allow security teams full insight over all SaaS app security settings, including 3rd party app access and user permissions, allowing departments to keep their access without the danger of making modifications that put the firm at risk.

Automated technologies, such as SSPMs, should be used to continuously monitor and swiftly correct SaaS security misconfigurations. These automated technologies enable security teams to detect and resolve vulnerabilities in near-real time, decreasing the amount of time the company is exposed or preventing the problem from arising in the first place. Both modifications provide support to your security staff while guaranteeing seamless and effective collaboration between departments.