JPMorgan Chase & Co. CISO writes open letter to third-party suppliers

“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and — as its adoption grows — is creating a substantial vulnerability that is weakening the global economic system.”
This statement by Patrick Opet, Chief Information Security Officer (CISO) at JPMorgan Chase & Co., is part of an open letter calling on providers to reprioritize security rather than prioritizing the launch of new products.
In the letter, Opet emphasizes a growing risk in the software supply chain as SaaS becomes the default model for delivering software. While the model is efficient and enables rapid innovation, it also amplifies the impact of vulnerabilities, outages, and breaches.
Mark Townsend, Co-Founder & CTO at AcceleTrex, states, “When buying SaaS, you’re buying a system deployed by a vendor that you are trusting your data to. Many will provide an annual pen test report and demonstrate alignment with SOC2 and other standards, but as the author points out, a lot happens within these apps, and the infrastructure that enables them, over the course of a year. The security of these systems is fairly opaque and requires a bit more transparency between the vendor and the consumer as to how the data is secured.”
Opet also points out how competition between software providers has led to the prioritization of accelerated feature development rather than stronger security. According to Opet, this competition “often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses.” Opet adds that the continued prioritization of market share over security will expose customer ecosystems to risks.
On the subject of the letter, Townsend shares, “It inspires constructive conversations that I think are necessary and important to have. It points to a frustration among consumers that vendors are simply not doing enough and many are prioritizing speed above security. The rush to stay ahead of the competition has led to several issues over the years. A balance needs to be made and demonstrated to the market. I think his comments are balanced and hopefully inspire some positive change amongst SaaS suppliers and consumers. Change will not happen until more consumers demand it. This letter is a start, but others need to sign on to it and start making those demands of their providers to create meaningful change.”