Safeguard.sh Documentation Center

SaaS Security Posture Management (SSPM)

Roadmap — read-only posture, MFA/SSO, external-exposure, and identity checks across business SaaS, with OAuth-app and shadow-SaaS enumeration as the headline capability.

SaaS Security Posture Management (SSPM)

Roadmap — not yet available. SSPM is a planned capability documented here for direction. It builds on the shipped connector framework, identity analysis, and compliance engine, but the SSPM engine itself is not yet available.

SSPM adds the business-SaaS pillar alongside cloud (CSPM/CIEM), data (DSPM), and AI (AI-SPM) posture. It is designed to connect read-only to your SaaS estate and surface misconfigurations, weak authentication, risky third-party app grants, and over-exposed data — with OAuth-app and shadow-SaaS enumeration as the headline capability.

Planned coverage

Each SaaS provider will be a read-only connector on the existing framework. Planned providers include Microsoft 365 / Entra, Google Workspace, and Okta first, then Slack, GitHub org, Salesforce, Zoom, Atlassian, and Snowflake.

Check familyExamples
Config postureExternal sharing defaults, legacy/basic auth allowed, weak session/token policy, audit-log enablement, admin-console hardening
MFA / SSO gapsAdmin without MFA (critical), users without MFA, SSO bypass allowed, legacy-auth MFA bypass
OAuth apps / shadow-SaaSOver-scoped, dormant, unknown-publisher, high-risk-scope-combination, and non-admin-installed-tenant-wide app grants — the headline
Identity riskOver-privileged and dormant admins (via reused CIEM analysis), orphaned/guest/stale accounts, cross-app admin view
External exposureWorld/link-shared files, external Slack Connect, public Salesforce sites, public Zoom recordings, open Confluence spaces, external Snowflake shares

OAuth-app risk scoring (planned)

The headline capability scores every third-party OAuth grant in a connected provider on weighted factors — high-risk scope combinations, over-scoping, unknown publisher, non-admin tenant-wide installs, and dormancy. A dormant, tenant-wide, unknown-publisher app is the canonical high-risk case; high-scoring apps produce a finding with the exact provider admin path to revoke the grant. (Enumerating apps within connected providers is in scope; discovering entirely unconnected SaaS is a later extension.)

Safety model (planned)

SSPM is designed read-only and least-privilege throughout:

  • Read-only scopes only — a connector requesting any write/modify scope is refused at registration; requesting write scope is treated as a defect.
  • Credentials from the secret store — never persisted, never logged, redacted in every log line.
  • OAuth consent is a documented user action — the code never automates a grant.
  • No raw SaaS content stored — evidence is a redacted setting name plus value class and a resource reference, never file or message content.

When it ships

Posture issues will surface as sspm findings in the single findings store, inventory in its own tenant-scoped indexes, and checks will map to SOC 2, ISO 27001, and CIS-for-SaaS through the reused compliance engine. The engine will be gated by the ff.sspm feature flag.

On this page