
August 4, 2025 45 mins


SaaS platforms represent a significant security blind spot for many organizations, with misconceptions about the shared responsibility model leaving sensitive data vulnerable to exposure. Aaron Costello, Chief of SaaS Security Research at AppOmni, shares insights from his research uncovering five zero-day vulnerabilities in Salesforce Industry Clouds and explains why SaaS security requires specialized expertise.

• Security teams often mistakenly believe SaaS vendors are fully responsible for security
• The shared responsibility model means customers must secure their own configurations and customizations
• Nearly a third of AppOmni's Salesforce customers use an Industry Cloud solution; the shared engine underlying those clouds was found to contain significant vulnerabilities and misconfiguration risks
• Agentic AI introduces new security challenges requiring strict access control implementation
• AppOmni provides visibility by connecting to SaaS platforms and analyzing security metadata
• Effective SaaS security requires collaboration between platform administrators and security teams
• Acquisition scenarios create particular security challenges when integrating new technologies
• The most effective approach combines administrative knowledge with security expertise

If you're interested in learning more about SaaS security or accessing the full Salesforce Industry Clouds research paper, visit appomni.com and check out the AO Labs section of their blog.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it?

Speaker 2 (00:00):
Going. Aaron, it's great to get you on the podcast. It's been a few months. It's been like, what? Six months probably at this point, since you were last on, I believe. So, yeah, it's great to be back, but I felt like we had so much more to talk about that we could absolutely have you back on sooner. So I appreciate you coming back on, and we're going to talk about everything SaaS security, Salesforce. There's a new Salesforce report out that we're going to dive into, so I'm definitely excited for our conversation.

Speaker 1 (00:39):
Yeah, me too.

Speaker 2 (00:40):
It's an absolute pleasure to be back. Yeah, yeah. So, Aaron, why don't you maybe just refresh my audience's memory of your quick background, right? Just, you know, what's your specialty, that sort of thing?

Speaker 1 (00:54):
Yeah, absolutely. So I'm the Chief of SaaS Security Research at AppOmni, so my niche is in SaaS security, as alluded to in my title. So specifically focusing on the SaaS platforms that are powering the enterprise globally. So if you're not familiar with what those are, we're talking about Salesforce, ServiceNow, Oracle NetSuite, Workday. Those cloud systems is what I kind of focus on, and really my specialty area is in identifying misconfigurations, or the potential for customers to misconfigure these platforms in a way that reduces their security posture. So I do a lot of zero-day kind of research, but it's mostly figuring out and identifying, if a customer regresses in some access control or if they enable some configuration, how is that reducing the overall security of their environment and how could that be exploited by an attacker?

Speaker 2 (01:49):
Yeah, it's interesting because, you know, I feel like there's still a notion of SaaS apps being like a very highly secure path forward, right, and I feel like people that don't really look into it, that aren't security experts in the field, it's difficult for them to grasp that, because you're putting all of your trust in this application that you're using every single day for the most part. I mean, like Salesforce, for instance. What company doesn't have Salesforce, and what company is also looking at Salesforce from a security risk perspective? Right? Like I was working for a large automotive manufacturer, you know, based out of Germany, so you can narrow it down right there to three. Right, and they have a giant, giant Salesforce presence, right, globally, because whatever Germany buys, the rest of the globe is going to, you know, take and deploy and everything else. Right, because Germany is over there negotiating these insane deals with vendors and, you know, a year into this role my CISO says, oh hey, you know you should go look at Salesforce. Like, we don't know what's going on over there. What are you talking about, we don't know what's going on over there? And I found out, I mean, 20% of what the security team knew about Salesforce was completely wrong, or they only knew about 20% of what was going on.

Speaker 1 (03:17):
Yeah, that is extremely, extremely typical. Generally, what we see is that security folks within an organization are forgetting what the shared responsibility model is, and so they have this preconceived notion that it's like, well, it's on Salesforce to secure Salesforce, right? And it's like, well, no, it's not that clear cut, because Salesforce is responsible for the security of their software. It's proprietary software. So if you've got, like, a SQL injection out of the box that, like, the second you buy a Salesforce instance is there, then it's like, yeah, that's on them to fix. So that's their job from a security perspective. What isn't their job is monitoring and auditing the configurations and customizations that you, as a customer, make on the platform. And this isn't just Salesforce, it's across the board, right, for ServiceNow, all these different SaaS platforms. If you decide that you want to delete every access control, you can do that. That's what makes these platforms so powerful and also, funnily enough, so popular: they're so customizable. It's like, hey, here's the platform. It can do all these amazing things and you can build so much on it. You don't like our APIs? You can build your own APIs and you can do whatever you want, and it's fantastic. But it's not the vendor's job to secure those APIs for you, right? They don't know what your use case is. They're not going to do any of that. So it's on, depending on who you ask, could be on the platform administrators, the guy who's got the system admin account on Salesforce, who's logging in every day. Could be their job. Could be the job of the actual, like, red teams, right, to kind of get up to scratch with the, um, like, access control model of these SaaS platforms and do their routine pen tests and things like that. There's also a bit of responsibility on the developers within these organizations. So if you've got a very big Salesforce presence, you've probably got people writing code on Salesforce, because they have that on these platforms. They've got their own languages, effectively, and by writing code you can introduce security vulnerabilities there. So, depending on the organization, the security of your platform could fall on one person, it could fall on multiple teams across different departments. It really does depend. But ultimately most organizations aren't even necessarily getting that far. They're not even getting as far as, like, well, who should we task with securing our SaaS platforms? It's more so, yeah, it's the vendor. I feel like, as the past couple of years have gone by, where attackers are now focusing a hell of a lot more on SaaS platforms because of the very sensitive nature of the data being stored there, that it's been a bit of a wake-up call to the internal security orgs, being like, oh, we should really have visibility into what's going on in these platforms.

Speaker 2 (06:09):
Yeah, it's interesting. I wanted to ask you, one of the risks that you're always told about is protecting yourself from proprietary storage methods, or, like, proprietary storage formats of your data. Is that even a real thing in SaaS apps? No, I feel like it's not, because that would be such a huge lawsuit for these SaaS companies. You know, it's like, oh, I can't pull my data out and transfer it to somewhere else.

Speaker 1 (06:39):
You know, I'm not going to point fingers at any particular vendor or anything, but I can't speak to how easy they make it to kind of get off platform. You know, it is interesting because you do have people on LinkedIn, these thought leaders, saying, oh, like, everyone's now switching back to, like, on-prem because it's cheaper and all of these things. So I mean I can't speak to how easy it is to get the data off, but as far as issues go, I haven't heard a ton around that. I don't think it's as big of a problem as it necessarily was back in the day.

Speaker 2 (07:12):
Yeah, the thought leaders that are saying that companies are moving back to on-prem, I feel like they'll be back. Like whenever I hear that, it's like, I feel like you're going to be right back. You know, you guys forgot about the pain of having on-prem infrastructure, running your own data centers and everything. Like, that's a huge pain. You have to have whole teams around that.

Speaker 1 (07:32):
Yeah, yeah, and I mean software development's changed so massively that it's like, I'm sure the up-and-coming generations will be like, how did Mark Zuckerberg build Facebook without Kubernetes? Without Kubernetes and, like, serverless functions and, like, Lambda and all this stuff? But, yeah, I think SaaS is never going to go away, right? Yeah, I've heard ramblings on LinkedIn about, well, with all of this new, like, AGI stuff coming in, like, why do we really need SaaS platforms anymore? However, these SaaS platforms are actually building their own AI, right, in terms of, you've got, like, Agentforce on Salesforce, and they're moving with the times, and the unique thing about them doing that, and what makes that so powerful and what will keep customers on those platforms, is that those agents have domain knowledge, right, and that's the key differentiator. Like, Agentforce being on the platform has domain knowledge. Like, that doesn't apply off platform for other AGI. So that's another thing to think about. I think we're in an interesting time where there's just a massive shift in how organizations are looking at SaaS and their usage of SaaS, especially incorporating, as I said, like, AI into that. But when it comes to overall security, I think it could be forgotten about a little bit. Everyone's focusing on, like, do more with AI, we'll do more. And it's like, well, you still have a platform to protect, right? And ultimately, all you're doing is, yeah, you're getting a whole host of benefits by utilizing AI, but at the same time, you're also introducing another attack vector. So if, again, you are not putting security at the forefront of your mind when building these agents and granting access controls to these agents on your SaaS platforms, it's going to be a bad time for sure.

Speaker 2 (09:23):
Yeah, so why don't we kind of circle back to what agentic AI agents are? I feel like that's such a new term that a lot of people may not even realize what it is, and we're already interacting with it.

Speaker 1 (09:36):
Yeah, well, are you talking about, like, in respect to SaaS? Or, yeah, just talking about, you know, like, Salesforce's solution that you just mentioned. [...] Effectively, it is going to break down what you're asking for into, like, subtasks, right? So if you've got, for example, like, a high-level task, like, hey, I need you to, within an organization, I need you to kind of balance, like, the inventory of my stock, whatever else, it'll look at that and it will then be like, okay, here's what I need to do. I need to break it down into all of these steps in order to fulfill this kind of, I guess, task execution. So it's effectively running with, like, zero human oversight. Generative AI, like, you had human oversight for each output that the generative AI was giving you, whereas with agentic AI, you're going, run with this, and you might give it a little bit of exception handling guidance, like, oh, if something's wrong, do this. But generally those are the biggest differences. Agentic AI's main focus is the completion of tasks with a high-level prompt and very little human oversight with respect to what it gives back to you, and that's just the contrast to generative AI.

Speaker 2 (11:43):
Okay, that makes sense. So where do you start with securing something like that?

Speaker 1 (11:48):
Yeah, yeah, well, it depends. I can only really speak to SaaS platforms, right, because that's where my expertise lies, but when we're looking at, you've got an agentic AI agent, right, and you want it to fulfill some tasks, such as, like, maybe you have a customer that wants to file a case, just some issue, and so the agentic AI needs to first look at the problem, assess the priority, the impact, file it in the necessary place and assign it to the necessary people, and in order to do that, it needs to have some level of access, right, to those places in the platform. Right, it needs to be able to see, okay, who can I assign this to? Who are these people internally? What's their function? Are they relevant to finding a solution for this case? They need to be able to create and write data, because they need to put the case ticket information somewhere. And so the first place that I would be looking at is the access controls that you are giving this agent. It needs to be completely minimal with respect to least privilege, and that comes back to the whole zero trust model, like operating with complete least privilege, because the last thing that you want is an overprivileged AI agent that gets some prompt injection, right, gets tricked by a malicious actor into fetching some unrelated information, like PII or something, and that can only happen when it has access to those PII records. Right, that's really the meat of securing these agents for SaaS. It is enforcing least privilege, following that kind of zero trust model, and, as a result, by doing that, you are minimizing your exposure to attacks like prompt injection. You know, even in the scenario of a successful prompt injection payload, there's only so much that the agent can do, and so, as a result, the blast radius and impact is massively, massively reduced. Now, that being said, like, I've seen some pretty intense implementations on SaaS platforms where you've got, like, one agent communicating with another agent, and so it's, like, fanning out these tasks, and it's almost like doing its own assignment to, like, other agents. And so when you start getting these more complex architectures where you've got multiple agents doing that, manually, that kind of auditing of permissions and, you know, ensuring there's no, like, permission drift is going to be a very difficult task, right? Because the more components, whether it's agents, whether it's APIs, the more components that you start building, the larger your attack surface gets. So it's really important that, where possible, you manually audit the access controls on the platform with respect to AI, but I would recommend that, if you are an enterprise organization, to get an automated monitoring and scanning tool like AppOmni, an SSPM that can continuously assess the security of those agents.

Speaker 2 (15:00):
I have two questions, right. I want to dive into the Salesforce report. The other part is, how does AppOmni, you know, get that visibility? Because, at least from my side, right, I haven't really used a SaaS security solution before. I've needed to, right, and so I only see the SaaS platform as a security engineer, security expert, right, that's looking at the platform from basically, like, an admin perspective, and I have to go through all these different menus and everything to try and piece everything together. How is AppOmni plugging itself in to show, like, the hierarchy of these agents and the security of the platform overall?

Speaker 1 (15:38):
Yeah, yeah, so there's kind of multiple aspects to the product, right, and to, like, an SSPM in general, and starting from really the bottom is typically, speaking for, um, getting your customer who has, let's say, a Salesforce organization, right. So you're going to connect over API using, like, OAuth or even, like, certificate-based authentication. It depends on the platform. The customer will have created an integration account for AppOmni, so that integration account has the necessary roles for us to access various kinds of data, you know, and so we then start to ingest anything security related from a metadata perspective. So when I say, like, a metadata perspective, we are not going to be pulling in, like, password hashes, that kind of stuff, over API. We start to pull into our platform things such as, like, role-based access controls, any configuration settings related to security, audit logs, access logs, like, those kind of things. In some cases we can even pull in, like, code components and analyze those. So it really depends on the platform. But generally speaking, in terms of connecting over OAuth or a similar form of secure authentication, we're ingesting those over either existing out-of-the-box APIs the platform provides or, in some cases, if the data, for example, with NetSuite. In the past, they weren't exposing third-party applications over APIs, so we had to deploy custom APIs on our customers' environments, their NetSuite environments, that would expose that information for us. So, once we have ingested all that information, the first thing that you're really getting, without anything else happening, is a single pane of glass, like, eagle-eye view of your entire platform from a security perspective, because we're consolidating all of these security controls and your user role assignments and all of these things, your access controls effectively, onto, like, a couple of pages, right, or even just a couple of tabs, as opposed to, as you said, you're like, okay, permission sets, click, profiles, and you're trying to piece all of the access controls together. So you've now got this very comprehensive, complete inventory of anything security related in AppOmni. So you log into AppOmni, or you can interact with it over API, but, just for argument's sake, you log into AppOmni. You've got a full inventory of anything access control related. You've got your audit logs there, right. You've got your third-party app connections, you've got all of these things, and so that's the inventory piece done. Okay, now from there is where really, like, the real benefit of an SSPM comes in, and that's really where myself and, like, my team come in, and it's like, well, now that we have all of this metadata, let's start analyzing it and servicing the issues to our customers. So, using what we call AppOmni Insights, which are just continuous scans that we do against this data, we surface varying problems, right, like, okay, it could be as basic as you've got too many administrators, you've got no access controls on this Salesforce object, or you've got externally exposed data here, and so what we're doing there is we're becoming your SaaS experts. Like, we are SaaS experts, so you don't have to be. We can tell you what the risks are. All you need to do is look at the findings, click on them, we provide the remediation guidance, and you can just go in and make those changes yourself. So we're performing all these very, very complex scans against this data. You've also got the kind of monitoring piece, right, monitoring and alerting, which is, we're ingesting all of those access logs, and we've got rule sets that could be out of the box when you have AppOmni, could be varying rule sets that you want to apply or install that we provide to you, and those rules will run against your audit logs, and we also normalize all of our audit logs. So if you've got Salesforce connected, you've got ServiceNow, you've got all these platforms, we normalize that into a very consistent format. So straight away, that's a massive benefit, because we ingest it and we can dump that normalized format into your SIEM, like Splunk. But when it comes to the actual alerting piece, we know what to look for, we know what's suspicious, so we can say, hey, there's a credential spraying attack going on right now. You need to look at this, and service those alerts to our customers so they can be aware of potential attacks or suspicious activity, and then they have the information needed to take action on it. And that's really the simplest way I can put it. When it comes to AppOmni, an SSPM, we're just connecting to your instance over a secure authentication method, you grant us the permissions that we need to interrogate the kind of security metadata, we pull those in, and we give you an inventory of all your security related components, and then perform a lot of complex analysis on those various access control components.

Speaker 2 (20:41):
Yeah, it makes sense. It's helpful to kind of just understand, you know, how it's working under the hood.

Speaker 1 (20:46):
It's an area that not not very many people like focus
on you know it's, which is amassive, massive shame, because
I'll give you I'll give you anexample of of really how how
dangerous it can be when youmisconfigure access controls.
And so a lot of my researchthat I've done in the past is
related to data exposure, sosensitive data being exposed to

(21:09):
the public internet, socompletely unauthenticated.
That's kind of my wheelhouse.
And the thing about sasplatforms that differ from pen
testing, custom, you know,in-house built applications.
If you're doing a pen test on acustom app, right, it's got its
own implementation for APIs andall these things, so that when
you go and do another pen testagainst a different client,

(21:30):
they're going to have acompletely different set of
features in their product andAPIs and access control and
things like that.
So if you're an attacker, youhave to, like, learn every,
every little application systemand figure out how to get in
that way, which is very timeconsuming, whereas SaaS, the
benefit to an attacker is thatall of the core components for

(21:52):
Salesforce, for example, acrossall Salesforce customers are the
same right, so they've got thesame APIs built in out of the
box.
So in the past I have foundcases in which with Salesforce,
with ServiceNow, with NetSuite,with Microsoft Power Platform as
well.
If you misconfigure accesscontrols to accidentally imply

(22:15):
that unauthenticated individualscan see your data, there are
these, in 80% of cases,undocumented, out-of-the-box
APIs that are accessible fromthe outside world, from the
public internet, where you canstart to pull that data.
So if you're an attacker, youcan interrogate a SaaS platform
like Salesforce and say okay,I'm going to try and extract

(22:37):
data from every single object ortable it's telling me is
available and try to exfiltratesensitive data that way.
And the reason this is soimportant and why it's so
lucrative to attackers isbecause, as I mentioned, those
core API components that allowyou to exfiltrate data will
exist on every single SaaScustomer of that platform.

(22:59):
So if you want to attackSalesforce and attempt data
exfiltration, you can write ascript that will just query
every live Salesforce instanceand it'll send the same queries
effectively, right, and you cando it really at scale.
So that's why the book manypeople love it so much, because
they're like oh, I don't have tolearn anything new, I just
point a script at a salesforceinstance and point the same one

(23:20):
at another one and try and likefind some some data exposed.
It's lucrative, you know, wow,but that's why it's it's such a
shame that companies aren'tpaying as much attention to sas,
because, one, you've got all ofthat complex under the hood
like undocumented api stuffgoing on that you may not know
about, and, two, it's like whereit's where your most sensitive

(23:43):
data lives, you know.
That kind of brings me into theresearch paper that I released
last month and that was focusingon Salesforce Industry Cloud.
Well, salesforce Industry Cloud, I should say it's plural, it's
kind of an umbrella term.
So, to give you the background,I think it was 2014,.
A company called Velocity werebuilding these like Salesforce

(24:05):
packages, right?
So there were these bundles ofcode components that their
Salesforce customers couldinstall and it was providing
them with pre-built, likelow-code solutions for their
industry.
So, if your customer was inhealthcare, there was one for
healthcare and it allowed you tobuild like workflows that were
specific to healthcare and, likeyou know, healthcare portals.

(24:28):
And I just made all that very,very easy because it was all low
code.
And then I believe it was 2020or 2021.
Salesforce looked at that andsaid, hey, we love what you're
doing, so we're going to buy you.
So they bought the company andthe solution and said we're
going to redo this a little bit,because you're doing everything
from these code packages andthat doesn't work very nicely
with the existing components onthe platform.

(24:50):
So we're going to take yoursolution and we're going to
actually bake it into the coreplatform and now it can interact
with things a little cleaner.
And that's where industryclouds are.
Today, industry clouds encompass11 different clouds, so you've
got like public sector solutions, I believe there's an

(25:10):
automotive cloud, there's ahealth cloud, financial services
cloud all targeting specificindustries and so if you're a
salesforce shop and you are likea pharmaceutical company,
you'll purchase HealthCloud togive you all these pre-built
solutions related to healthcare.
And so my research was focusingon potential misconfigurations

(25:34):
and even vulnerabilities thatexist within all these industry
clouds.
So I was looking at the actualunderlying technology that was
powering these 11 clouds.
So it wasn't focusing on healthcloud or anything like that.
I was focusing on theunderlying engine, so that every
issue I found applied to all ofthem.
And so what I did was and thereason I actually even started

(25:54):
doing this was because at Bumney, you know, we've got nearly a
third of our customers using oneof these industry clouds.
They're so widely adopted, youknow, and so that was kind of
the catalyst to me even doingthe research in the first place,
and so what I did was I wasanalyzing all the different
feature sets and access controlimplementations, everything,
every security relevant aspectof the underlying engine

(26:17):
powering these industry clouds,and I was documenting everything
that I was seeing.
And I was also working with oursecurity contacts over at
Salesforce as I was doing this.
So, as I was going along andadding more things, adding more
findings, I was communicating itwith them and saying, hey, this
is interesting.
What do you think?
Is this something you shouldharden?
If so, well, here's my thoughtson how to harden it.

(26:39):
It was a very collaborativeeffort because we partnered very
closely with Salesforce, andthe takeaway from my research
was that, out of 20 findings,five of them were considered CVE
worthy right Zero days, so tospeak, things that the customer
couldn't really, for the mostpart, can't really fix
themselves, and that's thatshared responsibility model

(27:00):
we're talking about.
So, for example, one of theseitems that was assigned to CVE
was an authorization bypass, sothat wasn't fixable by a
customer, so Salesforce had totake that on.
And then the other 15 itemsthat I found were things that
were.
The other 15 items that I foundwere things that were labeled
as potential misconfigurations,and so these are those items I

(27:29):
was talking about, where ifyou're a customer developing
something on an industry cloudand using one of their features,
if you don't configure it withsecurity in mind, it would fall
into the bucket of a potentialmisconfiguration.
So these are kind of like bestpractices for industry cloud
customers.
And so I released like a 53-pagewhite paper that goes really

(27:50):
deep into each and every finding.
So I talk about like I givelike an overview of every
finding, I give like a proof ofconcept technically.
I give like an overview ofevery finding.
I give like a proof of concepttechnically because, as a
security practitioner, I wouldwant to know like how would an
attacker even do this?
Are you just like telling methat this is an issue?
So it gives you like a fullsetup.
So here's how to set this upproof of concept, how to fix it,

(28:13):
the risk, all of that, which iswhy it's 53 pages.
And we released that inaccordance with Salesforce.
We gave Salesforce enough timeto kind of roll out those CVEs
and the patches and, once theircustomers were given sufficient
time, to install updatedpackages and things like that

(28:35):
and address those concerns.
We released the research paperand Salesforce, in conjunction
with us, released their own blogpost accrediting us with the
research.
So the kinds of issues that Iwas finding.
When it comes to these industryclouds, they are very feature

(28:55):
specific because industry cloudshas a lot of different ways of
doing things, as it's a low codesolution right, but we're
talking about things likebypassing encryption controls.
So, for example, if you've gotan industry cloud kind of low
code component accessing somedata and it's encrypted,
normally you shouldn't be ableto see that, but there are
workarounds in order to actuallysee the plain text values.

(29:17):
There are ways of bypassing,like field level security, so
it's like maybe someoneinternally shouldn't be able to
see how much everyone is making,but they should be able to see
their list of stuff or whatever.
You could bypass that fieldlevel access control on that
salary field and see that data.
There was like a myriad ofissues.
There was issues related tocaching in which you could

(29:39):
bypass or you could actuallyreceive the data meant for
another user.
So it was a really weird onewhere you could build this kind
of low code component inIndustry Cloud that would fetch
some record data and once youexecute that component to give
you the data.
If you had misconfigured yourcaching mechanism in Industry
Clouds, the person who thenmakes the same query but has

(30:02):
different levels of access willget your results.
So if you're the first personyou're an admin you're kind of
screwed because someoneauthenticated guy over there
made the same query and just gotyour results.
So there are tons of reallyreally interesting findings that
really span across like a tonof different categories, like
the encryption related stuff.
You've got authorizationbypasses, you've got caching

(30:24):
related issues. So it was a really, really interesting product to research. We've, most importantly as well, during that research process, as I was finding these items, we were releasing the actual automated scanning within our product for our customers, because our customers' security is our first priority.

(30:46):
So if you're an AppOmni customer, during this research we were rolling out the scans long before the research was published. So that's kind of like a holistic view of what the research was and the kind of areas that it delved into, but it was really, really fruitful. Extremely high-risk findings. You got some zero-days in there and a massive, massive blast radius, right. As I said, nearly a third of our customers, our Salesforce

(31:10):
customers, are using one of these industry clouds. So if that's any representation of what, like, the non-AppOmni customers are like, then it's a ton of organizations that are potentially affected.

Speaker 2 (31:19):
Wow, that's really fascinating and quite impressive. Honestly, how does that even happen? I mean, I don't want to put you on the spot, right, but how does that even happen internally at a company like Salesforce, right? I would think, Salesforce being the behemoth that it is in the

(31:40):
industry, that it would have a pretty robust, you know, like internal pen testing team that will be looking at it from the outside like a researcher like yourself would, right, and trying to pull this stuff apart. How does that even happen where this is going on unfound, undetected, at their side?

Speaker 1 (31:58):
Yeah, so when we look at the CVEs specifically, like the zero-days, because that's really like their responsibility for finding, well, put it this way: so you're Salesforce and you purchase all of these little bundled code components from Vlocity, right. Number one, you don't necessarily have, you've

(32:20):
got Salesforce, all the security you've got in Salesforce have Salesforce security experience. Naturally, right, it's part and parcel, but they didn't write this code. They don't really necessarily know how it's supposed to work or what it's really doing, and so it's like, okay, well, we need expertise for all these Vlocity bundles. I don't know how many folks from Vlocity went to Salesforce and then stayed there, and so I think what

(32:43):
happened was there was maybe a lack of that kind of domain expertise in what they purchased, and in addition to that, they were trying to really rapidly convert these code bundles and inject them into the core platform as well, and so it's a

(33:07):
combination of all of these things that these security issues can go unnoticed. I don't know what Vlocity, what that organization, had said to Salesforce. Right, they could have said, like, hey, we do pen tests every week, we do all of these various things, like we've got, we adhere to all these compliance frameworks. So I don't know what kind of went down, but ultimately I just

(33:27):
think it's an acquisition and it just slipped under the radar, and they just maybe didn't have the domain expertise to tackle and hunt for those issues. Um, it's very, very typical when it comes to acquisitions, because you're trying to, like, port in all this technology and you're kind of afraid to touch it, because it's like, all right, we just spent a ton of money on buying this, so let's not break the core functionality of what we just bought. Yeah,

(33:50):
yeah, I was working for a credit bureau when they went and purchased another, like another, you know, competitor or whatever it was, and it was an insane deal.

Speaker 2 (34:01):
But security was basically the part that was holding up, you know, the deal getting done. And it's because, I don't think that it was another credit bureau that we bought, but it was like very close, we're like, they had the exact same data and it just made a lot of business sense to purchase them. But at the same time, right, our CISO and our directors were

(34:21):
kind of juggling with the fact that, like, hey, we can't do an in-depth, you know, analysis of this code and the products and everything, because we're going to be incorporating them into our offering. Like, we can't wait three years. Right, it's got to be done in 12 months, you know, like. And even then it's going a little bit slow for us.

(34:42):
And so it was a risk. It was a real risk, and I think it probably still is a real risk, because it was a great enough risk to where they didn't lay off anyone at that other company. They were like, yeah, you guys are doing your own thing, you're fine, keep it going, right. Like, didn't lay off anyone, hired more people for them. They actually kept their network completely separate.

(35:03):
You know, like, it was such a big deal that I had to buy, like, additional instances of my security tools to deploy in their environment. It was a completely separate thing. You know, because, like, it said the same name, you know, on the logo, right, but it was like that is a totally different

Speaker 1 (35:21):
You know, can of worms, right. Yeah, I've seen, I've seen some of, um, some rare customers use AppOmni for M&A for that exact use case of, like, hey, we're looking to kind of buy this, so we're going to want to hook up all their stuff to see, are we taking a huge risk on? Do things need to be reassessed from a security perspective?

(35:41):
What's really the security posture of this organization from a SaaS security perspective?

Speaker 2 (35:47):
I feel like that is a side of security that obviously isn't thought about a whole lot, I mean in conjunction, obviously, with SaaS security, like we were just talking about. But you know, when you're going to go and buy another company and you're planning on integrating that product offering tightly into your own product offering, I mean it only

(36:07):
makes sense to, you know, go to your vendors and say, hey, like, can we do like a 30- or a 45-day trial for this other environment over here? We're going to buy them. You know, we'll pay you a certain amount or whatever to do it, right, because how else are you going to, like, get that information? You're not going to get that information, even if you do, you know, interviews with, like, their internal, you know, pen

(36:28):
testing team or their internal blue teams or whatever it might be. Like, you know, at the end of the day, if I want you to know something and I want to hide it, if I don't want you to know something, right, I'll hide it a whole lot of different ways, and there's billions of dollars on the line. Yeah, for sure.

Speaker 1 (36:45):
I mean, I'm not gonna say I would do the same thing, but like, I get it, I get it, right. Yeah, it makes, it makes a ton of sense. And, to be fair, I mean it was only like, um, like a year ago, I think, or around that time, when I found out that, like, this was a use case for AppOmni, and I was like, oh, that makes an absolute ton of sense. I don't know why I never thought about that aspect of

(37:06):
security. Um, yeah, it's, it's very, very interesting, and it kind of just, uh, ties in very, very nicely with this, this kind of, uh, topic with the Vlocity thing, because that could be very well what had happened, right. They didn't necessarily maybe even know what they were getting themselves into, but it looks like it kind of played out very nicely for them because, as I said, the adoption of

(37:26):
industry clouds is absolutely huge. So I think five zero-days, reported in a responsible manner, is probably worth the hundreds of millions, billions, that industry clouds is making them.

Speaker 2 (37:38):
Right, wow, five zero-days. I mean, have you ever seen something like that? Have you ever put anything together, you know, of that scale before?

Speaker 1 (37:47):
I haven't ever completed, I've never really done a full kind of product analysis. Now, again, it's a product built on a product, right. So this is kind of the first of its kind, um, for me, doing like a holistic security assessment of the potential risks and also zero-days. Um, and it was

(38:07):
It was super fun and, honestly, like, it took months to put together, but it was only meant to take a couple of weeks. And what happened is, I'd find, like, maybe at first I found like five really cool things. I'd be like, okay, I'm done, now I'm gonna put the white paper together, and I'd see like one little button. I'm like, what does that do? And I'd click it and all of a sudden the security shuts off or something. And so I kept finding things and I was like, I just need to stop

(38:30):
looking at this product so that I can actually get around to writing the research and getting these things over to Salesforce so they can see if they're zero-days or not. But I mean, when it comes to, have I seen that amount of zero-days in one thing? Fortinet has like a zero-day dropped against it every five seconds, so I don't think it competes with Fortinet, but yeah,

(38:53):
it was very, very fruitful. It's great to produce a bit of research that not only benefits our customers, obviously, but also the overall, like, Salesforce community, by identifying these potential footguns in configurations and telling them how to address it, but also helping out the vendor, being like, hey, here's some zero-days as well. So it's kind of win-win for everyone and it's played out really

(39:15):
nicely, so.

Speaker 2 (39:17):
So when you're handed this task, right, where do you start? Because it just sounds like a monumental task, and I'm not even sure that I would know, you know, where to start. Are you just working through the basic functionality, right, of this product offering and just iterating through it? Like, okay,

(39:37):
well, what if I do this over here? What do I get? You know, that sort of thing.

Speaker 1 (39:42):
Yeah, and this is why it took so many months, because it's a behemoth of a task, right. And how I always, always, when it comes to SaaS in general, how I approach these assessments, you could say, is I don't think like a security person 100% of the time. Honestly, for the first couple of weeks, or for the bulk of the time at the beginning, I think like a platform administrator.

(40:06):
I think of, okay, how can I build this? What are the configurations? How am I able to expose this and do this? And I think as if I'm trying to actually do something with the technology. And as you kind of put that into practice and start building some things, that's when you begin to notice things, because that kind of security practitioner in your subconscious doesn't turn off.

(40:26):
So you'll see something, like, that's kind of suspicious. And because of that approach of getting holistic knowledge of the platform and all of its features as an admin, you know, in an admin mindset, you're so much better equipped from a security perspective, because you know the interoperability of these various features. You know what's kind of working with what, and you'll see, you'll start seeing some patterns as well.

(40:48):
So I really just approach it like a system admin and get a great understanding of the solution or technology holistically. I get a good inventory of, like, relevant controls, a good understanding of the use cases of the various features and various components you can build. And then, once I have that kind of holistic knowledge, I start to interrogate these features kind of one by one, you know,

(41:09):
from a security mindset, and I'll start to, like, toggle off the configuration settings and play around with that kind of stuff as well. So that's generally how I would recommend anyone, like, if you're even internally in an organization and want to pen test your organization's, like, ServiceNow or Workday or whatever it is, like, your best resource is going to be the administrator of

(41:30):
that platform. It's going to be the guy or girl who's literally living on that platform every day. Right, like, that is who you should pair with, because that's where you're getting your domain expertise and knowing where to look, because they know where the data is, they know how the platform generally operates, and then you can apply your security expertise and start to actually interrogate things. And I personally guarantee you will have far much

(41:54):
more success, right, having at least that pairing with someone that has that knowledge of the platform. You'll get much better results and far more findings that way. Now, fortunately, I have to be both. As a security researcher, I've got to do both. I've got no ServiceNow admin to pair with, so I am the ServiceNow admin and the security researcher in my case. Yeah, that's generally my approach, my recommendation to

(42:16):
organizations that want to do a little, either security research into SaaS platforms or if they're conducting their own internal pen tests.

Speaker 2 (42:24):
Yeah, it's fascinating to hear you talk about it like that, because early on in my career, when I was trying to get into security, I kind of approached it from that angle. Actually, I was looking at it, how my customer is using this platform, how I'm using this platform, and then in the back end I'm actually, you know, tailing various logs and I'm

(42:47):
looking through, seeing what it's doing, and I mean that really helped me build a really strong, just, security foundation overall, something I haven't thought about in forever, right, because it was so long ago, but it's just, you know, it's fascinating to break down that mindset, because that helps a lot of people start to, like, think through it, like,

(43:07):
oh, okay, that's where I would start with it.

Speaker 1 (43:09):
And you know, I always tell people, if you can envision it, it's a whole lot easier to actually accomplish it, you know. Yeah, yeah, it takes, if you're, if you're someone who is a traditional, like, pen tester, kind of red-teamy individual, like, it does have to be a mindset shift to get the best bang for your buck out of these assessments. And even when I joined AppOmni, you know, I was coming from a

(43:30):
very heavy, like, security engineering background, and so I had to, it took honestly probably six months to a year to kind of get into the swing of how to even start looking at these platforms in a different light, and a light that would serve me far better when I'm kind of hunting for things.

Speaker 2 (43:49):
Well, Aaron, before I let you go, how about you tell my audience, you know, where they can find you, where they can find AppOmni and where they can find that really interesting research paper, if they wanted to read it, read through it.

Speaker 1 (43:59):
Yeah, absolutely. So, you can find me on LinkedIn under Aaron Costello or Twitter at @ConspiracyProof, all one word. Actually, you can find AppOmni at appomni.com. Got a ton of resources there. Most interestingly to your audience would be the AO Labs

(44:19):
little section of the AppOmni blog. That's where you'll find the Industry Clouds research. It's where you'll find, historically, all the research that I've been doing into SaaS security. So appomni.com, and check out the AO Labs section and you'll have all the resources that you need there.

Speaker 2 (44:35):
Awesome.
Well, all the links will be in the description of this video. Thanks again, Aaron, and I hope everyone watching really enjoyed this podcast.
All right, thanks everyone.