JPMorgan CISO: Reject Current Integration Offerings and Demand Better Security

Security architecture needs to be modernised to “optimise SaaS integration and minimise risk.”


Software providers must prioritise security over rushed features and comprehensive security should be built in or enabled by default.

In an open letter to third-party suppliers, JP Morgan CISO Patrick Opet said that fierce competition among software providers has driven prioritisation of rapid feature development over robust security. “This often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses,” he said.

Opet claimed that there is a pursuit of market share - at the expense of security - which exposes entire customer ecosystems to significant risk, and will result in an unsustainable situation for the economic system.

Worse, Not Better

Claiming that the problem “is getting worse not better”, Opet also said that specific vulnerabilities are intrinsic to this new landscape:


  • Inadequately secured authentication tokens vulnerable to theft and reuse

  • Software providers gaining privileged access to customer systems without explicit consent or transparency

  • Opaque fourth-party vendor dependencies silently expanding this same risk upstream.

Opet said this weakness is known to attackers, who are now actively targeting trusted integration partners.

SaaS Failures

Specifically looking at SaaS, Opet said that security architecture needs to be modernised to “optimise SaaS integration and minimise risk.” He said that SaaS has become the default, and often the only, format in which software is now delivered, leaving organisations with little choice but to rely heavily on a small set of leading service providers and embedding concentration risk into global critical infrastructure.

“While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences,” he said.

“Historically, software was distributed across diverse environments, each with unique security practices, inherently limiting the scale of any single breach. Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers. This fundamental shift demands our collective immediate attention.”

Current Integration Models

He concluded by calling on other practitioners to reject current integration models that do not come with better solutions. “I hope you’ll join me in recognising this challenge and responding decisively, collaboratively, and immediately.”

He said: “We stand at a critical juncture. Providers must urgently reprioritise security, placing it equal to or above launching new products. ‘Secure and resilient by design’ must go beyond slogans - it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.

“Customers should be afforded the benefit of secure by default configurations, transparency to risks, and management of the controls they need to operate safely within a SaaS delivery model. The ecosystem must address trustworthy integration.”

This is part of establishing new security principles and implementing robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities.

“We need sophisticated authorisation methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems.”

Commenting, Donato Capitella, principal security consultant at Reversec, thanked Opet for the open letter addressing the evolving landscape of technology and the critical role of suppliers in this journey. “We appreciate the great practical and proactive approach being taken to ensure a robust and resilient supply chain,” he said.

“Opet's letter identifies how modern SaaS integration patterns erode security boundaries. We see this challenge magnified in the GenAI space, where organisations rush to integrate language models into their applications without proper security architecture. The software supply chain risks described manifest clearly in how companies implement language model capabilities - prioritising features over security fundamentals.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.