If software-as-a-service (SaaS) security concerns are keeping you up at night, you might not be alone—and for good reason.

SaaS security incidents are on the rise. An August 27 report by AppOmni stated that 31% of organizations said they experienced a SaaS data breach this year, a five-point uptick from last year.

The report, which queried professionals from 644 organizations across six countries, revealed that cybersecurity decision-makers aren’t too optimistic about their immunity to these events. Only 32% of respondents said they were confident in the security of their company’s or customers’ data stored in SaaS applications, down from 43% in 2023. Loss of intellectual property or proprietary data and reputational fallout were among the top concerns.

Rose-colored SaaS-es. The lack of confidence may serve as good foresight, as many organizations underestimate their SaaS ecosystem. While 49% of respondents claimed that they had fewer than 10 apps connected to the Microsoft 365 platform, AppOmni’s aggregated data discovered more than 1,000 Microsoft 365 SaaS-to-SaaS connections per deployment, on average. AppOmni co-founder and CTO Brian Soby told IT Brew that the miscalculation—which he said likely extends beyond just Microsoft 365—is driven by employees’ lack of visibility to all the SaaS applications a business uses, combined with day-to-day guesses that create a “very false impression.”

Read the rest here.—BM

Fancy yourself a trailblazer? Boy, do we have an event for you.

GrowthLoop Live is a must-attend virtual summit dedicated to all the marketing and data head honchos out there leading the change with unified data.

This one is jam-packed with all kinds of gold, from sessions on how to create a culture shift driven by data to keynotes led by big-timers like Scott Brinker, editor of chiefmartech.com and VP Platform Ecosystem at HubSpot.

Plus, GrowthLoop Live is a perfect opportunity to learn from your peers, explore cutting-edge tech, receive practical advice, and get inspired to become the face of change. It’s pretty much the data and marketing Olympics.

Save your spot at zero cost.

Like your grudge-holding friend, orgs are still having trouble patching that thing up from three years ago.

Recent reports, including of an obfuscation attack revealed by cloud-app security firm Datadog, demonstrate that companies still haven’t effectively remediated an old vulnerability in the Java-based logging framework Log4j—one found and patched in 2021.

“There’s always an urgency when new things come out, and then it tends to die out in terms of prioritization of risk in companies. And I think it’s important to continue looking for new techniques against old zero-days,” Bianca Lankford, VP of security engineering at Datadog, told IT Brew.

Log, Dog? Datadog, in an August 20 post, reported threat actors obfuscating malicious LDAP requests. TechTarget describes the lightweight directory access protocol as a “pocket-sized phonebook, but for your network,” used to pull resources like an unknown email address.

According to the Datadog findings, ​​a vulnerable Java application retrieves the Java-class URL and executes it through the Java Naming and Directory Interface (JNDI). The class, or resource pointer, executes commands to download and run a malicious script, leading to data exfiltration and system recon.

Read more here.—BH

A key group in the open-source community is taking a step toward setting the terms of a debate that’s roiled the AI space.

The Open Source Initiative (OSI), the organization widely seen as responsible for arbitrating openness standards, published the latest version of its definition of open-source AI on Thursday. The document comes after months of consulting with various developers, academics, and other concerned parties on a roadshow of workshops around the world.

While there are still more of those tour stops to come, Ayah Bdeir, a senior advisor on AI strategy at Mozilla Foundation who played a role in the process, said she doesn’t expect the definition to change much between now and when the “stable version” of the definition is presented in the fall.

What’s at stake? The question of how open the components of generative AI models should be has split the tech industry.

Keep reading here.—PK

Worried about nation-state attacks? Cybersecurity risks, such as nation-state attacks, are increasing due to limited visibility into the activities on devices in victim environments. Thankfully, ThreatLocker® is offering I.T. security health reports to orgs looking to neutralize shadow I.T., foreign software, and unpatched vulnerabilities. Get your free software report today.