We’re Thinking About SaaS the Wrong Way
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
Michael Bargury, CTO & Co-Founder, Zenity
September 26, 2022
We’re used to thinking about securing software-as-a-service (SaaS) platforms and the cloud as two separate beasts. This separation stems from the way SaaS and the public cloud first emerged as small point solutions and an extension of the traditional data center, respectively. Today, due to the advent of low code, this separation is wrong, and it’s holding us back from seeing what’s right in front of our eyes. Low code makes SaaS platforms a part of the public cloud, a place where developers build multiple applications rather than consuming a single one: a cloud platform.
Failing to shift our mindset leads to where we are today, with those applications being left up for grabs with no security visibility. And to make matters worse, low-code applications are embedded right into platforms like Salesforce and Microsoft Dynamics, which we all use and that hold our most sensitive business data.
How Did We Get Here?
Origin stories are always interesting because they explain something fundamental about the way we perceive the hero of the story. While SaaS started as an extension of the corporate network, the public cloud started as an extension of the data center. Those very different starting points explain why securing SaaS started with shadow IT (protecting the perimeter) and securing the public cloud started with workload protection (lift-and-shift servers and their network/host agents). This also meant that different security teams were tasked with securing SaaS and the cloud, which of course led to a separation of tools, different threat modeling, and, most importantly, the formation of different security mindsets.
Both SaaS and the public cloud have drastically evolved from those early days. Public cloud vendors introduced ever more granular compute paradigms, gradually introducing infrastructure as a service (IaaS), platform as a service (PaaS), and serverless to help developers focus on the business problem at hand. They also built an entire ecosystem of ready-made solutions for complex yet common problems — identity, permissions, logging, configuration, and deployment, to name a few.
SaaS used to mean a point solution for a specific problem. Salesforce started as a CRM, ServiceNow as a ticketing system, and Office365 as email, spreadsheets, docs, and slides. (While this is more than one solution, these are very specific ones.) Contrast that with today: Salesforce Developers are building apps for just about any business need on top of the Salesforce Platform, ServiceNow low-code apps are handling just about anything from HR to health and finance processes, and Power Platform, Microsoft’s low-code platform embedded into Office365, is being used by more than 20 million users across the industry to solve every business need, from productivity through procurement and COVID-related processes.
Clearly, these have become enterprise-grade application development platforms, not point solutions to specific business problems. Many developers today choose to build their applications on platform-provided abstractions, whether those are serverless functions on the public cloud or extendable building blocks on SaaS low-code platforms.
The Introduction of Business Developers
Comparing how SaaS platforms started and where they are now clearly shows how far these have come from their earlier versions. But there’s still a major shift we haven’t mentioned yet: the introduction of business developers.
SaaS low-code platforms draw their power from the data they maintain and their existing users. Those are both not limited to IT but rather skew heavily toward the business. Having access to both business data and business users means that SaaS is in the perfect position to tackle the most pressing issue many enterprises face today — digital transformation.
With a global shortage of developers and the difficulty of streamlining a business process with so many stakeholders, low-code platforms introduce a shortcut, letting the business users streamline their processes themselves without waiting for IT.
Low code is taking off with business users, so much so that in his 2019 Inspire keynote, Microsoft CEO Satya Nadella discussed the opportunity of low code to empower people and to create new white-collar jobs just like Excel did.
Just like the public cloud is an application development platform enabling developers to focus on their business logic, SaaS platforms have become application development platforms using low code to empower business users to become developers and address any business need.
SaaS is now focused on new types of developers addressing a whole range of unmet business needs with dedicated applications, creating a new type of cloud: the business cloud.
Securing Low Code as an Extension of Cloud
With the realization that some SaaS platforms are now application development platforms and an extension of the cloud, we should re-examine the responsibilities for securing those applications and bringing them under the security team’s umbrella.
We should treat platforms like Salesforce, ServiceNow, and Office365 the same way we treat AWS, Azure, and GCP, where we focus on the applications that were built and are hosted in these application development platforms rather than treating the whole platform as a single application.
Shadow IT, for example, remains an issue with the smaller, ever-growing set of point-solution SaaS products. But it doesn’t make sense to treat any single platform mentioned above as a single app to discover and catalog. Instead, we should discover and catalog the applications built with those platforms — and there are tens of thousands of those. In most organizations, this enormous complexity is hidden behind a single line in an application inventory.
Applications built with SaaS low-code platforms should be examined with the same security rigor we use for those built on the cloud because, at the end of the day, an application is an application, no matter where it was built and hosted.
What does matter for the security of our business applications is the people, process, and tools that are involved in making, maintaining, and protecting those applications. For applications built in the cloud, we have professional developers, automated CI/CD processes, and various security tools from code scanning and dynamic analysis through runtime monitoring and prevention. For applications built on SaaS low-code platforms, we have some professional developers but also business users who are not security-savvy, with few to no deployment processes and no security controls or guarantees.
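To make the inventory argument above concrete, here is an added example (not code from the article or from Zenity) that expands a single platform line into one entry per low-code app and flags the gaps versus the controls a cloud application would get. The export format, its field names and the sample apps are constructed assumptions, not any vendor's real schema or API.

```python
"""Expand a one-line platform inventory entry into per-app entries with control gaps.
Operates on a constructed export; no real platform API is called."""

# Constructed sample of a flattened low-code app export. Field names are
# assumptions for illustration, not a Power Platform or Salesforce schema.
SAMPLE_EXPORT = [
    {"platform": "Power Platform", "app": "Vendor Onboarding", "maker": "alice",
     "maker_dept": "Procurement", "connectors": ["Dynamics 365", "SharePoint"],
     "shared_with": "Everyone", "reviewed": False, "pipeline": False},
    {"platform": "Power Platform", "app": "Expense Tracker", "maker": "bob",
     "maker_dept": "IT", "connectors": ["SharePoint"],
     "shared_with": "Finance", "reviewed": True, "pipeline": True},
    {"platform": "Salesforce", "app": "Lead Scoring", "maker": "carol",
     "maker_dept": "Sales", "connectors": ["Salesforce CRM"],
     "shared_with": "Sales", "reviewed": False, "pipeline": False},
]

# Data stores the article singles out as holding the most sensitive business data.
SENSITIVE_SOURCES = {"Dynamics 365", "Salesforce CRM"}


def control_gaps(app):
    """Return the controls this app lacks compared with a cloud-built application."""
    gaps = []
    if app["maker_dept"] != "IT":
        gaps.append("built outside IT")
    if not app["pipeline"]:
        gaps.append("no deployment process")
    if not app["reviewed"]:
        gaps.append("no security review")
    if SENSITIVE_SOURCES & set(app["connectors"]):
        gaps.append("touches sensitive business data")
    if app["shared_with"] == "Everyone":
        gaps.append("shared org-wide")
    return gaps


def expand_inventory(export):
    """Group apps under their platform: one inventory entry per app, not per platform."""
    inventory = {}
    for app in export:
        inventory.setdefault(app["platform"], []).append(
            {"app": app["app"], "maker": app["maker"], "gaps": control_gaps(app)})
    return inventory


def highest_risk(export):
    """Rank apps by the number of missing controls, most gaps first."""
    return sorted(export, key=lambda a: len(control_gaps(a)), reverse=True)
```

Running `expand_inventory(SAMPLE_EXPORT)` turns the two "Power Platform" rows into separate entries, which is exactly the visibility a single inventory line hides.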
Thinking about low-code platforms as part of SaaS makes it difficult for us to see that a huge portion of our business applications are now being built by the business, outside of IT and outside of security control. To begin seeing the problem and figuring out our approach to it, we must shift our mindset to acknowledge low-code platforms as a part of the cloud and treat the applications on those platforms like we do any other application.
About the Author
CTO & Co-Founder, Zenity
Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.