Introducing New Software as a Service (SaaS) Security Assessments
SaaS applications expand the attack surface as businesses increasingly depend on them for critical operations and data management. Many organizations nevertheless overlook SaaS security, assuming the SaaS vendor will protect customer data and application usage. Under the shared responsibility model the vendor secures the platform, but tenant configuration, identities, permissions, and integrations remain the customer's job. That leaves a major blind spot for security teams and a prime opportunity for attackers around the globe. In fact, according to Varonis, 81 percent of organizations have sensitive SaaS data exposed.
NetSPI's new SaaS Security Assessments combine automated and manual testing methods in accordance with industry standards like the CIS Benchmarks, with additional security checks developed from years of industry-leading application and cloud assessments. During each engagement, NetSPI uncovers critical vulnerabilities and misconfigurations, provides actionable guidance for fast and thorough remediation, and ultimately improves overall SaaS security posture.
NetSPI’s SaaS Security Assessments target two global SaaS leaders, Salesforce and Microsoft 365, with three unique solutions:
1. Salesforce Web Application Pentest
This offering provides comprehensive insight into the security of our customers' Salesforce web applications and integrations, with actionable recommendations to reduce risk to business functions. Testing focuses on data storage, integrations, authentication mechanisms, and Salesforce-hosted applications. Access to sensitive organizational data is tested both as the intended, authenticated user of the instance and as the unauthenticated Guest user, since object and field permissions or sharing rules granted to the Guest user expose records to anyone who can reach a public site.
2. Salesforce Configuration Audit
Designed to guide security posture enhancements of Salesforce instances, this offering aims to minimize the risks and vulnerabilities that stem from the customer's side of the shared responsibility SaaS security model. Testing focuses on the manual and automated review of instance users and their assigned roles, Salesforce Object permissions, Apex code, setup settings, and data storage configurations. Additional review covers API hardening, black-box scenarios, and the potential for novel attack paths.
3. Microsoft 365 Security Assessment
Leveraging automated scanning and manual testing methods, NetSPI uses commercial, open source, and proprietary software to assess and identify Microsoft 365 security vulnerabilities and misconfigurations. NetSPI uses five key steps to improve our customers’ M365 security:
- Automated Configuration Gathering
- Manual Configuration Gathering
- Configuration Analysis and Vulnerability Enumeration
- Vulnerability Enumeration and Manual Verification
- Reporting Findings
Each of these steps was built to provide actionable insight into identity and access management, data management, data storage, email security, account protection, password protection, integrations, and more, with results delivered in real time through NetSPI's PTaaS Platform to streamline reporting and remediation.
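To make the first three steps concrete, here is an added example (written for this post, not NetSPI's tooling) that gathers Microsoft Entra ID Conditional Access policies through the Microsoft Graph PowerShell SDK, saves them as evidence, and then evaluates one CIS Microsoft 365 Benchmark style check: whether an enabled, tenant-wide policy blocks legacy authentication. It assumes the Microsoft.Graph modules are installed and the signed-in account holds the Policy.Read.All permission; the output file name is arbitrary.

```powershell
# Added example, not NetSPI's code. Requires the Microsoft.Graph PowerShell SDK
# and an account with Policy.Read.All. Read-only: nothing in the tenant changes.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Step 1: automated configuration gathering. Pull every Conditional Access
# policy and keep a raw JSON copy as evidence for the report.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | ConvertTo-Json -Depth 10 | Set-Content -Path ".\ca-policies.json"   # file name is an assumption

# Step 3: configuration analysis. Legacy authentication is only blocked when an
# ENABLED policy applies to ALL users, targets the legacy client app types
# (Exchange ActiveSync and "other" clients), and grants "block".
$legacyTypes = @("exchangeActiveSync", "other")

$blocking = $policies | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "block" -and
    (@($_.Conditions.ClientAppTypes | Where-Object { $legacyTypes -contains $_ }).Count -eq $legacyTypes.Count)
}

# Policies that block legacy auth but are only in report-only mode or scoped to
# a subset of users are common false comfort; list them separately.
$partial = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    ($_.Conditions.ClientAppTypes -contains "other" -or $_.Conditions.ClientAppTypes -contains "exchangeActiveSync") -and
    -not ($blocking -contains $_)
}

if ($blocking) {
    "PASS: legacy authentication blocked tenant-wide by: " +
        (($blocking | ForEach-Object { $_.DisplayName }) -join ", ")
} else {
    "FINDING: no enabled, all-user Conditional Access policy blocks legacy authentication"
}

foreach ($p in $partial) {
    "NOTE: '$($p.DisplayName)' blocks legacy clients but is state=$($p.State), users=$($p.Conditions.Users.IncludeUsers -join ',')"
}
```

The check deliberately ignores ExcludeUsers and ExcludeGroups, so a policy that passes here can still be undermined by broad exclusions; that is exactly the kind of result the manual verification step (step 4) exists to confirm before it is reported.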
If you would like to learn more about our Software as a Service (SaaS) Security Assessment, check out our SaaS Security Assessment webpage or contact us.
This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).