Securing Salesforce and your favorite SaaS Applications

If you have not moved to the cloud, you likely will soon. Along the way you will likely have adopted software-as-a-service (SaaS) applications such as Salesforce, ServiceNow and Office 365. Security teams that grew up counting corporate on-premises vulnerabilities or finding exploitable web applications are ill-equipped to secure and audit these applications. Fortunately, AppOmni enables security teams to audit their major SaaS applications. I got to ask the former CISO of Salesforce and former Security CTO for ServiceNow, Brendan O’Connor, why he created AppOmni and what sorts of cyber risks SaaS applications can introduce into an organization.
Q1 - Why did you start AppOmni?

The idea for AppOmni came directly from my experience as a security practitioner. I spent 11 years securing enterprise SaaS: first as the VP of Product Security, then CISO at Salesforce, and then as the Security CTO at ServiceNow. I’ve spent a huge part of my career building secure cloud applications for the enterprise, and I found that most customers treat SaaS applications like an external vendor. They send a vendor risk questionnaire, ask about SOC 2 and PCI compliance, and probably do an external vulnerability assessment or penetration test. That’s usually the extent of the security team’s involvement, and the application is then managed by the line of business. Now compare that to other business software, like endpoints. No security team would ever send Microsoft or Apple a vendor questionnaire, perform a vulnerability scan, and say that is their endpoint protection strategy. That may be a piece of it, but the real risk to the business is once that endpoint has sensitive data on it and it’s in the hands of the user.

More and more of our data and applications live completely in the cloud, but most of our security tools haven’t caught up with this shift to public cloud apps, which is a huge risk to the modern enterprise. I saw this problem every day as a practitioner and started AppOmni to give security teams the tools they need to scan, secure, and monitor the SaaS applications that are critical to their business.

Q2 - How is scanning cloud/SaaS apps like Salesforce different from traditional on-prem vuln scanning or SecDevOps?

It’s very different. SaaS applications like Salesforce, ServiceNow, Dropbox, Box, GSuite, Workday, and others are not just applications. They are platforms. They’re actually closer to an operating system than a traditional web app. And they don’t behave anything like Windows, Mac, or Linux. Each of these SaaS apps has its own set of APIs, its own data access model, and its own security model. I spent almost a decade at Salesforce and I knew the platform inside and out. However, when I joined ServiceNow, my biggest surprise was how little my technical knowledge of Salesforce carried over to ServiceNow. They are completely different. I felt like I was starting from scratch. The settings and configuration options are totally different. The APIs are totally different. The way you grant data access and user permissions is totally different. They are two different languages. Being fluent in one doesn’t mean you’ll be able to speak another. That’s when I knew someone needed to build a tool to help translate; a Rosetta Stone for the cloud. That’s what we’re building at AppOmni.

Q3 - What are some examples of default settings you've seen SaaS providers make that were insecure by default?

In my experience, SaaS providers are doing product and infrastructure security incredibly well. Often better than a customer could do it themselves. SaaS providers do a very good job of being secure by default. But no one runs SaaS apps by default! Every business is different. The applications are configured and customized to meet the needs of your business. And business needs are changing all the time. SaaS applications are usually connected to dozens or hundreds of other business applications through API integrations, third-party add-ons, and custom code written by the customer. If you look at 10 different implementations of Salesforce, they will all be different. I think that’s one of the things that makes SaaS apps so attractive to the enterprise: they can be customized and adapted to meet practically any business process. But having a car with a great safety rating doesn’t make you a good driver. You can have the safest car in the world, and still get in an accident if you’re not watching the road.

Q4 - Do any of these issues have the equivalent of Amazon "S3" bucket misuse or the potential for serious PII leakage?

Yes, we see it all the time! In my experience, over-privileged APIs are the rule, not the exception. As I mentioned, things are locked down by default. But in the course of configuring the application, or building a new workflow, or troubleshooting an API integration, things get opened up. We’ve all seen it before. Something’s not working, so you start loosening access. Enabling more permissions. Trying to figure out why the application or integration isn’t working. Then someone does the equivalent of a ‘chmod 777’ on an API or data table and boom! It works! It takes many different forms depending on which SaaS provider(s) you’re using, but it is absolutely a common problem.
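One concrete way to look for the ‘chmod 777’ grants described in this answer is to audit Salesforce object-level permissions for profiles and permission sets that bypass record sharing, or that expose PII tables to an unauthenticated guest profile. The following is an added example, not AppOmni’s or Salesforce’s code; it assumes the standard ObjectPermissions object and field names in the SOQL shown (verify against your API version), and the sensitive-object, administrator and guest-profile lists are hypothetical for this org.

```python
"""Audit Salesforce ObjectPermissions for grants that bypass record sharing.
Added example, not AppOmni's or Salesforce's code: it inspects the "records"
array the Salesforce REST query endpoint returns for the SOQL below (standard
objects and field names; verify against your API version). Object and profile
lists are hypothetical for this org; sample data is constructed."""

# Issue as GET /services/data/vXX.X/query?q=<url-encoded SOQL> with an OAuth token.
SOQL = ("SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name, SobjectType,"
        " PermissionsRead, PermissionsViewAllRecords, PermissionsModifyAllRecords"
        " FROM ObjectPermissions")
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account"}  # tables holding PII in this org
ALLOWED_ALL_ACCESS = {"System Administrator"}       # grantees that may bypass sharing
PUBLIC_PROFILES = {"Customer Portal Guest"}         # unauthenticated site visitors

def grantee_of(rec):
    """Profile name for profile-owned sets, else the permission set's own name."""
    parent = rec.get("Parent") or {}
    if parent.get("IsOwnedByProfile"):
        return (parent.get("Profile") or {}).get("Name", "<unknown profile>")
    return parent.get("Name", "<unknown permission set>")

def find_overprivileged(records):
    """Return (grantee, object, reason) tuples. 'View All' / 'Modify All' on a
    table is the Salesforce counterpart of the chmod 777 from the interview."""
    findings = []
    for rec in records:
        obj, who = rec.get("SobjectType"), grantee_of(rec)
        if obj not in SENSITIVE_OBJECTS or who in ALLOWED_ALL_ACCESS:
            continue
        if who in PUBLIC_PROFILES and rec.get("PermissionsRead"):
            findings.append((who, obj, "readable by unauthenticated guest profile"))
        elif rec.get("PermissionsModifyAllRecords"):
            findings.append((who, obj, "ModifyAllRecords bypasses sharing rules"))
        elif rec.get("PermissionsViewAllRecords"):
            findings.append((who, obj, "ViewAllRecords bypasses sharing rules"))
    return findings

def _rec(name, profile, obj, read=True, view_all=False, modify_all=False):
    """Build one record shaped like the REST API's JSON (constructed test data)."""
    parent = {"Name": name, "IsOwnedByProfile": profile is not None,
              "Profile": {"Name": profile} if profile else None}
    return {"Parent": parent, "SobjectType": obj, "PermissionsRead": read,
            "PermissionsViewAllRecords": view_all, "PermissionsModifyAllRecords": modify_all}

SAMPLE_RECORDS = [  # constructed sample, not from a real org
    _rec("X00", "System Administrator", "Contact", view_all=True, modify_all=True),
    _rec("X00", "Marketing User", "Contact", view_all=True),
    _rec("Integration_Troubleshooting", None, "Lead", view_all=True, modify_all=True),
    _rec("X00", "Customer Portal Guest", "Account"),
    _rec("X00", "Standard User", "Case", view_all=True),  # Case is not in scope
]
```

Running `find_overprivileged(SAMPLE_RECORDS)` flags the marketing profile, the troubleshooting permission set left with Modify All on Lead, and the guest profile that can read Account, while ignoring the administrator and the out-of-scope Case object.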

Q5 - How does AppOmni help a security team discover these issues and solve them by working with sales operations, SecDevOps and other stakeholders leveraging SaaS?

It starts with an API and configuration scan. Most security teams haven’t done a thorough assessment of their SaaS deployments, or don’t know what they should be looking for. That first risk assessment is a big eye opener. One of our customers described it as “turning the lights on in a room you’ve never looked in before.” But security teams don’t need more problems. I’ve never met a security engineer who said they don’t have enough to do. When you’re already busy, identifying more vulnerabilities isn’t that helpful by itself. And we acknowledge this at AppOmni. That is why, in addition to scanning, we give security teams the ability to apply security policies and guardrails to SaaS applications very quickly. I’m talking hours, not days or weeks. We also perform continuous monitoring out of the box. We can give a SecOps team visibility and alerting without needing to become an expert on every SaaS app their business uses. It’s really about letting the business move as quickly as they need to, while giving security teams the level of visibility and control for SaaS that they have in other areas of their tech stack.

Q6 - Where can readers go to learn more?

Our website is, or they can send an email to [email protected] if they’d like to see what we can do.  Readers can also follow us on LinkedIn and Twitter, or sign up for our blogs and newsletters at