saas-security
Safeguard articles tagged "saas-security" — guides, analysis, and best practices for software supply chain and application security.
12 articles
Vendor breach exposure: third-party risk lessons from the Klue incident
A single forgotten credential at Klue exposed Salesforce CRM data at 14+ companies, including Snyk and Huntress—here's what it teaches about vendor risk.
The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong
Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.
SOC 2 Type II reporting for AppSec vendors and buyers
A SOC 2 Type II badge isn't enough due diligence for AppSec vendors. Here's what to actually check in the report—scope, exceptions, and subservice carve-outs—before you trust one.
OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target
The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.
Cloud Scanning vs Hybrid Scanning: Deployment Models for ...
SaaS vs self-hosted SCA deployment compared on data residency, air-gap support, and audit scope, with a look at how Safeguard's flexible deployment model differs from cloud-only platforms.
Multi-Tenant SaaS Data Isolation: Patterns and Failure Modes
Every multi-tenant breach story ends the same way: one tenant reading another tenant's data. The isolation patterns that prevent it, the failure modes that cause it, and how to test which side you're on.
What is a SOC 2 report and why it matters for SaaS
SOC 2 explained for SaaS teams: what the report covers, how it differs from tools like Vanta, and why compliance alone won't stop supply chain attacks.
GDPR compliance basics for US and global SaaS companies
A practical GDPR compliance checklist for US and global SaaS teams: fines, deadlines, and why documentation platforms like Vanta don't cover Article 32's technical controls.
Third-party risk management for fintech SaaS vendors
A practical, step-by-step fintech third-party risk management playbook: vendor discovery, tiering, security review, continuous monitoring, and contract controls.
Third-party risk assessment for insurtech SaaS platforms
A practical playbook for running an insurtech third-party risk assessment across vendors, APIs, and integrations before they touch policyholder data.
Asana MCP Cross-Tenant Leak: A SaaS Connector Failure Mode
From May 1 to June 17, 2025, Asana's MCP server exposed records from one customer's workspace to another. The bug was a textbook authorization break wearing an AI label.
Kronos Ransomware Attack: When Payroll Systems Go Dark Before the Holidays
A ransomware attack on Ultimate Kronos Group disrupted payroll and workforce management for millions of workers at hospitals, governments, and major employers right before the holiday season.