> nmap salesforce.com && echo 'access denied — wrong question'_
A financial services firm runs its CRM on Salesforce, its email and collaboration on Microsoft 365, its HR management on Workday, and its customer support on Zendesk. The CISO commissions an annual penetration test. The scope document lists the firm's IP ranges, its custom-built web applications, and its internal network — the same scope as every previous year.
The pen test comes back clean. The custom applications are well-written. The internal network has been progressively hardened. But the test never examined whether the Salesforce instance exposes customer data through misconfigured sharing rules. It never checked whether Microsoft 365 allows external forwarding of email to personal accounts. It never tested whether the Zendesk API exposes tickets from other tenants through predictable identifiers. And it never verified whether the Workday integration service account has permissions to export the entire employee database.
The firm's most sensitive data — customer records, employee PII, financial communications, support interactions — lives in platforms that were never tested. Not because the CISO doesn't care, but because the traditional pen test model doesn't know how to assess platforms you can't scan, can't exploit at the infrastructure level, and don't control.
In a traditional pen test, the tester exploits vulnerabilities in software and infrastructure. In a SaaS context, the software and infrastructure belong to the provider — and attacking them is both prohibited and pointless. What the tester assesses is how the organisation has configured the platform: the permissions, the integrations, the sharing rules, the authentication settings, and the data access controls that determine whether the platform is secure for your specific use case.
The shared responsibility model is well-established for IaaS (AWS, Azure, GCP) — the provider secures the infrastructure, the customer secures what they build on it. SaaS adds another layer: the provider also builds and secures the application. The customer's responsibility shrinks, but it doesn't disappear — and the residual responsibility is where almost all SaaS breaches originate.
| Layer | IaaS (e.g. AWS EC2) | SaaS (e.g. Salesforce, M365) |
|---|---|---|
| Physical infrastructure | Provider | Provider |
| Network controls | Shared — provider supplies VPCs, customer configures security groups | Provider |
| Operating system | Customer | Provider |
| Application code | Customer | Provider |
| Identity and access management | Shared — provider supplies IAM service, customer defines policies | Shared — provider supplies authentication and role framework, customer defines who has access to what and how authentication is enforced |
| Data | Customer | Shared — provider stores and encrypts, customer controls access, sharing, retention, and classification |
| Configuration | Customer (OS, services, firewall rules) | Customer — sharing rules, permission sets, integration scopes, API access, external collaboration settings, conditional access, audit logging |
| Compliance | Shared — provider offers compliant infrastructure, customer must use it correctly | Customer — the provider may be SOC 2 certified, but that doesn't make your configuration of the platform compliant |
The customer's responsibility in a SaaS model is smaller in scope but no less critical. It's concentrated in the areas that determine who can access what: identity, permissions, sharing, integrations, and configuration. These are precisely the areas that a SaaS security assessment must target.
A SaaS security assessment doesn't scan ports or exploit buffer overflows. It systematically examines every configuration decision the organisation has made — or failed to make — within the platform. The attack surface is entirely configuration and integration driven.
| Assessment Area | What We Examine | What We Typically Find |
|---|---|---|
| Authentication and SSO | Is SSO enforced for all users, or can local accounts bypass it? Is MFA mandatory? Can legacy authentication protocols (basic auth, app passwords) circumvent conditional access? Are session timeouts appropriate? Is the SSO configuration itself secure (SAML, OIDC)? | Local admin accounts that bypass SSO and MFA. App passwords for legacy mail clients that provide unfettered access. SSO configured but not enforced — users can still log in with platform-native credentials. |
| Permission models | What roles exist? Who has admin access? Are permissions assigned directly or through groups? Do any users have permissions exceeding their job function? Are there dormant accounts with active elevated permissions? | 15 users with full admin when 3 are justified. Departed employees with active accounts. "Break glass" accounts with no MFA and passwords that haven't changed in years. |
| Data sharing and exposure | Are sharing rules configured to prevent cross-departmental or cross-tenant data leakage? Can external users access internal resources? Are "shared with anyone with the link" files exposing sensitive data? Do API responses leak data from other tenants? | Salesforce sharing rules granting all users visibility of all accounts. SharePoint sites shared with "Everyone except external users" (which includes every employee). Google Workspace files shared externally with no expiry. |
| API and integration security | What third-party integrations exist? What OAuth scopes have been granted? Are API keys rotated? Do integrations have minimum-necessary permissions? Can a compromised integration access data it shouldn't? | Third-party apps with "read all mail" scope granted years ago by a departed user. Integration service accounts with full admin API access. API tokens with no expiry stored in shared documentation. |
| Audit logging and monitoring | Is audit logging enabled? Is it comprehensive (covering admin actions, data access, login events, sharing changes)? Is it retained for a useful duration? Is anyone actually reviewing it? | Audit logging at default settings (not capturing data access events). Retention set to 90 days (insufficient for incident response). No SIEM integration — logs exist but nobody monitors them. |
| Mail and collaboration security | Can users auto-forward email to external addresses? Are external sharing policies appropriate? Can guest users access Teams channels, SharePoint sites, or shared drives? Are DLP policies configured and enforced? | No restriction on external mail forwarding — any compromised account can silently forward all email to an attacker. Guest access to Teams channels containing confidential project data. No DLP rules preventing sensitive data from leaving the platform. |
In a multi-tenant SaaS platform, your data sits alongside every other customer's data — separated by logical controls, not physical infrastructure. Tenant isolation is the set of mechanisms that prevent Customer A from accessing Customer B's data. It's the most critical security property of any SaaS platform, and it's the one that, when it fails, produces the most catastrophic outcomes.
Tenant isolation failures are rare in mature platforms like Microsoft 365 and Salesforce — these providers invest enormously in multi-tenant security. But they do occur, particularly in smaller SaaS providers, rapidly-growing platforms, and custom-built multi-tenant applications.
For organisations using SaaS, tenant isolation is the provider's responsibility. For organisations building SaaS, it's theirs — and it should be the highest-priority target of every security assessment. A tenant isolation failure isn't one customer's data breach; it's every customer's data breach simultaneously.
Microsoft 365 is the most widely deployed SaaS platform in the enterprise. It's also the one where we most frequently find configuration-level weaknesses — not because Microsoft's security is poor, but because the platform's flexibility creates a configuration surface that most organisations haven't fully secured.
Eighteen findings. Every one a configuration decision — not a software vulnerability. Every one within the organisation's responsibility column. Every one invisible to a traditional penetration test that scans IP ranges and probes exposed services. And finding F-011 — unrestricted external mail forwarding — is the single most commonly exploited post-compromise technique in business email compromise attacks.
Traditional penetration testing is adversarial: the tester attacks the system, looking for vulnerabilities that allow them to break in, escalate privileges, and access data. SaaS assessment is analytical: the tester examines the configuration, looking for decisions that create unintended access, excessive sharing, or absent controls.
| Traditional Pen Test Mindset | SaaS Assessment Mindset | |
|---|---|---|
| Objective | Exploit a vulnerability to gain unauthorised access | Identify configurations that grant access or exposure beyond what the organisation intends |
| Approach | Scan, discover, exploit, escalate, demonstrate impact | Map the configuration surface, compare against security baselines and business intent, identify gaps and excessive permissions, demonstrate the consequence of each gap |
| Tools | Nmap, Burp Suite, Metasploit, hashcat — offensive tooling designed to discover and exploit vulnerabilities | Platform-native admin consoles, PowerShell/Graph API queries, ScubaGear (M365), Salesforce Health Check, custom configuration extraction scripts — audit tooling designed to read and analyse settings |
| Access required | None (black box) through to full credentials and source code (white box) | Read-only administrative access to the platform's configuration. Without this, the assessment can only examine what's visible from a standard user perspective — which misses the most critical configuration weaknesses. |
| Findings | "This parameter is injectable and we extracted 10 rows from the customer table" | "External sharing is enabled on the HR SharePoint site. Any user can generate a link to any document that requires no authentication to access. 847 such links currently exist." |
| Remediation | Patch, fix code, implement input validation | Change a configuration setting, restrict a permission, revoke an OAuth grant, enable a policy. Often achievable in minutes — once someone knows it needs doing. |
This doesn't mean SaaS assessment is easier than traditional pen testing — it requires a different expertise. Understanding Salesforce's sharing model, Microsoft 365's conditional access policy engine, or the nuances of OAuth scope inheritance requires deep, platform-specific knowledge that general-purpose pen testers often don't possess.
When organisations ask whether their SaaS platforms have been penetration tested, the answer is usually: "Yes — the provider has a SOC 2 Type II report, which includes evidence of regular pen testing." This is accurate — and almost entirely irrelevant to the organisation's actual risk.
| Provider's SOC 2 / Pen Test | Your Configuration Assessment | |
|---|---|---|
| What's tested | The provider's infrastructure, application code, and internal controls. Does the platform have vulnerabilities? Is the multi-tenant isolation sound? Are the provider's own access controls appropriate? | Your configuration of the platform. Are your sharing rules appropriate? Are your permissions excessive? Is your authentication posture secure? Are your integrations over-scoped? |
| What it proves | The platform itself is reasonably secure against attack. The provider follows security best practices. | Your use of the platform is secure. Your data is protected by the controls you've configured. Your users have appropriate access. |
| Who benefits | All customers of the platform — the provider's security posture protects the shared infrastructure and application | Only your organisation — your configuration is unique to your tenant and affects only your data |
| What it doesn't cover | Whether you've enabled MFA. Whether your sharing rules are appropriate. Whether your integrations are over-scoped. Whether your users have excessive permissions. | Whether the platform code has vulnerabilities. Whether the multi-tenant isolation is sound. Whether the provider's employees have appropriate access to customer data. |
A SOC 2 report tells you the building is structurally sound. It doesn't tell you whether you've left the windows open. Both matter — but only one is within your control to fix, and only one is within your responsibility to assess.
For organisations that build SaaS platforms — rather than just use them — the security assessment model is fundamentally different. You own the application code, the infrastructure, and the multi-tenant architecture. Every layer of the shared responsibility model is your responsibility, and the testing must cover all of them.
| Test Area | What Must Be Assessed | The Consequence of Failure |
|---|---|---|
| Tenant isolation | Every API endpoint, every database query, every file access path must be tested for cross-tenant data leakage. Test with accounts from Tenant A attempting to access Tenant B's resources through every available mechanism. | A single tenant isolation failure is a breach affecting every customer simultaneously. It's an existential risk to the platform — customers will leave, contracts will be cancelled, and regulatory action is likely. |
| Multi-tenant access control | Permission models must enforce tenant-level isolation at every layer: application, API, database, file storage, search, caching, background jobs, webhooks, and reporting. | An admin in Tenant A should never be able to perform actions that affect Tenant B — even if both are using the same shared infrastructure. Privilege escalation within a tenant is a finding. Privilege escalation across tenants is a catastrophe. |
| Data partitioning | Verify that shared databases correctly filter by tenant ID in every query. Test caching layers for cross-tenant contamination. Test background jobs for tenant context leakage. Test exports and reports for unfiltered data. | A single missing WHERE clause in a reporting query exposes every customer's data through the reporting interface. A cache that doesn't key by tenant returns Tenant A's data to Tenant B. |
| Onboarding and offboarding | When a new tenant is created, are all isolation boundaries correctly established? When a tenant is deleted or suspended, is their data completely inaccessible — from the API, the database, the search index, the cache, and the file storage? | A suspended tenant whose data remains accessible through the API. A deleted tenant whose files remain in the storage service. A new tenant whose default configuration is insecure by default. |
SaaS security is not infrastructure security. You can't exploit Salesforce. You can't port-scan Microsoft 365. The provider secures the platform; you secure your configuration of it. And configuration — permissions, sharing rules, authentication settings, integration scopes, audit logging — is where SaaS breaches originate.
A traditional pen test that scans IP ranges and probes services will never discover that your SharePoint site shares HR documents with "anyone with the link," that your Salesforce sharing rules expose all customer records to all users, or that a departed employee's OAuth grant gives a third-party app full read-write access to every mailbox in your organisation.
The shift from infrastructure exploitation to configuration analysis isn't a weakening of the assessment — it's a refocusing on where the risk actually lives. Your most sensitive data is in SaaS platforms. The security of that data depends entirely on how those platforms are configured. And the only way to know whether the configuration is correct is to test it — with platform-specific expertise, against your specific business context, with the same rigour you'd apply to any other critical asset.
Our SaaS security assessments cover Microsoft 365, Google Workspace, Salesforce, and custom-built SaaS platforms — examining authentication, permissions, sharing, integrations, and tenant isolation with platform-specific expertise.