Survey Surfaces Challenges Securing SaaS Applications
A survey that drew 420 responses from IT and security professionals finds 86% now view securing software-as-a-service (SaaS) applications as a top priority, with more than three-quarters (76%) having increased budget allocations.
Conducted by the Cloud Security Alliance (CSA) on behalf of Valence Security, a provider of a SaaS security posture management (SSPM) platform, the survey also finds, however, that while 79% of respondents expressed confidence in their programs, more than half (55%) acknowledged employees are adopting SaaS tools without security’s involvement. An equal percentage (57%) also admit they are grappling with fragmented SaaS security administration.
Hillary Baron, senior technical director for research at the CSA, said the root cause of that fragmentation is a lack of visibility into how SaaS applications have been configured. In many instances, SaaS applications are provisioned by administrators who don’t have a lot of cybersecurity expertise, she noted. Breaches of SaaS applications are frequently linked to weak or exploited MFA protections (46%) or over-privileged access (41%), the survey finds. The survey finds human resources and marketing applications are managed outside of IT within more than half of organizations (51%).
Not surprisingly, 42% of respondents are also struggling to track and monitor sensitive data across their SaaS applications. A similar percentage (41%) identify collaboration challenges as the largest barrier to remediating SaaS risks, with 35% reporting difficulties working with business units on SaaS security.
Valence Security CEO Yoni Shohet noted that because SaaS application security is a shared responsibility between the provider and the organization consuming that service, there is clearly a lot of opportunity for mistakes to be made.
For example, the survey identifies oversharing of data with external users (63%), inability to limit privileges and poor access controls (56%) as major cybersecurity challenges.
More than half (54%) said they also lack any ability to automate lifecycle management across SaaS application environments. Instead, cybersecurity teams are relying on vendor-native tools (69%), general-purpose tools such as cloud access security brokers (CASBs) (43%), and manual audits (46%), the survey finds.
The challenges are only going to become more difficult in the age of agentic artificial intelligence, noted Shohet. Each AI agent deployed to automate a task is going to be granted a set of privileges that will need to be dynamically provisioned. The issue that creates is that the credentials provided to those AI agents can be stolen, much like any other, so the overall size of the attack surface that cybersecurity teams will need to protect is about to increase exponentially, said Shohet.
Nearly half of respondents (46%) noted they are already struggling to monitor non-human identities (NHIs), the survey finds.
Additionally, more than half (56%) are also concerned about over-privileged access via application programming interfaces (APIs), many of which will soon be invoked by AI agents.
On the plus side, more survey respondents are reporting they are specifically investing in, and half of organizations (50%) are prioritizing, SaaS threat detection (47%), SaaS SSPM (47%) and SaaS application discovery (31%).
The challenge, as always, is not only acquiring the right tools but also gaining the skills and expertise needed to successfully employ them.