Hand using smartphone showing SaaS models and third-party security

JPMorgan Chase CISO Warns Security of SaaS Models is Unsustainable, Third-Party Security Must Improve to Prevent Catastrophe

An open letter from JPMorgan Chase CISO Pat Opet, timed to coincide with the start of RSA Conference 2025, calls on software-as-a-service (SaaS) vendors to make immediate and stark improvements to their secure-by-design and authorization models or be party to the eventual crashing of global financial markets. The letter castigates the state of third-party security in the software field and warns that the present SaaS model of rushing releases and hyper-focus on feature addition is a catastrophe waiting to happen.

The letter directly challenges a general complacency in the industry, which has come to believe that rapidly developing AI tools will provide a “quick fix” for security issues and challenges of this type. Opet warns that this easy answer cannot be relied on and that just one critical third-party security failure with the right large cloud provider has the potential to devastate global financial systems.

JPMorgan CISO warns third-party security needs immediate and serious improvement

The open letter leads with three key points about current SaaS models: rushing features has taken a backseat to proper security development, security architecture must be modernized to optimize SaaS integration and minimize risk, and security practitioners must collaborate to prevent the abuse of interconnected systems.

Opet notes that the SaaS model is usually the default option for whatever software a company might need, and often is the only option available. Additionally, a relatively small set of providers cater to this market. That means a global concentration of risk such that numerous third-party security breaches could cascade to not only cause a major incident for the organization, but global chaos as many downstream clients are impacted.

There are many examples of this phenomenon that have taken place in recent years: a few of the biggest being SolarWinds, MoveIT, and even China’s state-sponsored hacking teams penetrating all three of the major mobile carriers in the US and gaining broad access to customer messages. The big incidents have been mitigated in their damage thus far mostly by the voluntary actions of the hackers, either spies mostly interested in government targets or (in the case of MoveIT) criminals being selective about victims so as to prolong the shelf life of the attack and maximize its value. In all of these cases, an indiscriminate deployment of ransomware to downstream clients could have caused much more chaos.

Opet believes that third-party security has suffered due to an all-consuming focus on feature addition and being the first to market, creating consistent vulnerabilities in SaaS models for attackers to exploit. This is multiplied by the increasing reach of SaaS products into client networks, for example having their APIs integrated directly into core backend systems and having identity and permissions verified by external services such as OAuth. This risk can extend to “fourth-party” players who work for the third-party vendor but share their privileged level of access to these systems.

This has led to the most advanced hackers in the world, such as China and Russia’s APT teams, focusing more of their time and resources on breaching these common points of failure that touch so many different organizations. Opet concludes by calling on businesses to reject SaaS models that do not offer adequate assurances of security and transparency.

Facing widespread problems, SaaS model developers increasingly look to AI “magic bullets”

OAuth appeared to be a central focus of the third-party security criticism. The widely-used authorization company has been in the news as of late for a string of breaches and exposures, some actively exploited by threat actors. In late April of this year, a report from cybersecurity firm Volexity documented how Russian state-backed hackers have found consistent success in breaching Ukraine-affiliated organizations by phishing staff with fake Microsoft login pages that are able to generate real Microsoft-generated authorization codes. Earlier in the year, researchers with other organizations uncovered theoretical OAuth attacks that involve purchasing old domain names that previously made use of the “Sign In With Google” feature, and the API of a major travel company that could pave the way to a full customer account takeover.

Opet’s missive is making waves in circles that have generally been counting on near-term AI developments to solve all the security woes related to SaaS models. “Agentic AI” is the particular hot item being touted as the solution to endemic cybersecurity staffing shortages, essentially acting as a human replacement for more complex defense tasks. However, these technologies are not yet fully fleshed out. In the meantime, Opet’s advice to reject SaaS models that cannot guarantee security may be impractical in quite a number of situations.

Mark Townsend, Co-founder & CTO of AcceleTrex, notes that one thing that SaaS models could do in the near term to inspire more confidence is to invest in more regular third-party security testing: “When buying SaaS, you’re buying a system deployed by a vendor that you are trusting your data to. Many will provide an annual pen test report and demonstrate alignment with SOC2 and other standards, but as the author points out, a lot happens within these apps, and the infrastructure that enables them, over the course of a year. The security of these systems is fairly opaque and requires a bit more transparency between the vendor and the consumer as to how the data is secured. You can’t be too prescriptive without giving the vendors an easy out. It inspires constructive conversations that I think are necessary and important to have. It points to a frustration among consumers that vendors are simply not doing enough and many are prioritizing speed above security. The rush to stay ahead of the competition has led to several issues over the years. A balance needs to be made and demonstrated to the market. I think his comments are balanced and hopefully inspire some positive change amongst SaaS suppliers and consumers. Change will not happen until more consumers demand it. This letter is a start, but others need to sign on to it and start making those demands of their providers to create meaningful change.”