Security for B2B SaaS companies: multi-tenant isolation, secure SDLC, and incident response
Multi-tenant platforms concentrate the data of dozens or hundreds of customer companies. A single isolation flaw can leak data across tenants and turn your product into the attack vector against your own customers. Decripte finds these flaws through pentesting, responds to incidents in real time with a 24x7 SOC, and structures multi-tenant security end to end.
Direct answer
To protect a B2B SaaS company, treat isolation between tenants as the product's most critical security control: every database query, API call, storage object, and session token must carry and validate the tenant_id on the server, never trusting an identifier sent by the client. Add to that a secure SDLC with code review focused on authorization (IDOR/BOLA), recurring penetration testing with explicit cross-tenant scenarios, continuous vulnerability management across the dependency chain, hardening of SSO/SCIM and API endpoints, and 24x7 monitoring capable of detecting anomalous cross-tenant access. Decripte covers this full cycle — discovery through pentesting, coordinated incident response with a containment SLA of up to 1 hour, and structuring toward SOC 2 — and offers a free exposure assessment at decripte.com.br/intelligence-center.
24/7
SOC monitoring tenants and APIs
≤1h
Incident containment SLA
SOC 2
Type I and Type II readiness
OWASP
API and BOLA/IDOR pentesting
In summary
- ›Multi-tenant isolation is the most critical control in a B2B SaaS: compromising it means leaking data from many customers at once, which is why providers are high-value targets.
- ›Authorization flaws (IDOR/BOLA) and tenant validation performed on the client instead of the server are the most common causes of cross-tenant leakage.
- ›APIs and SSO/SCIM expand the attack surface: leaked keys, poorly validated tokens, and misconfigured automatic provisioning enable administrator account takeover.
- ›The software supply chain (dependencies, packages, third-party integrations) requires continuous vulnerability management, not just point-in-time checks.
- ›SOC 2 is not just an audit: it is the evidence enterprise customers demand that isolation, monitoring, and incident response exist and actually work.
- ›Decripte combines pentesting with cross-tenant scenarios, a 24x7 SOC, vulnerability management, and compliance structuring in a continuous cycle of discovery, response, and hardening.
Cibersegurança para B2B SaaS
Multi-tenant platforms concentrate the data of dozens or hundreds of customer companies. A single isolation flaw can leak data across tenants and turn your product into the attack vector against your own customers. Decripte finds these flaws through pentesting, responds to incidents in real time with a 24x7 SOC, and structures multi-tenant security end to end.
Why B2B SaaS platforms are high-value targets
A B2B SaaS product is, by definition, a concentration of trust. Every customer company hands the platform its business data, user credentials, integrations with internal systems and, frequently, the personal data of its own end customers. When a single provider hosts dozens, hundreds, or thousands of these organizations in a shared multi-tenant architecture, compromising the provider means gaining access to all of them at once. For an attacker, this completely changes the economics of the attack: instead of breaking into a hundred companies individually, they only need to find one flaw in the SaaS that serves them.
This logic of attacking a single point to reach many is what is called vendor compromise, or a supply chain attack from the customers' point of view. The SaaS stops being merely a product and becomes part of the attack surface of every organization that uses it. That is why the security teams of buying companies treat your SaaS as a risk vendor, demanding formal evidence of controls — security questionnaires, SOC 2 reports, pentest proof, and contractual incident-notification clauses. Security maturity is no longer a marketing differentiator; it has become a prerequisite for selling in the enterprise segment.
The golden rule of multi-tenancy
In a multi-tenant platform, isolation between customers is the single most critical control there is. Every authorization decision must bind the operation to the correct tenant on the server. A single endpoint that trusts the tenant_id sent by the browser is enough to turn a legitimate API into a leakage channel between companies.
There is also an aggravating factor in reputation and contracts. When a SaaS suffers an incident, it does not answer only to the ANPD or its regulators: it must simultaneously notify every affected customer, each with its own legal team, its own duty to inform data subjects and, often, its own sector-specific regulatory obligations. An incident in a B2B SaaS is, in practice, several chained incidents. The response must be fast, technically precise, and coordinated with multiple stakeholders at the same time.
The five threats that most often bring down B2B SaaS
1. Multi-tenant isolation flaws
Isolation can be implemented in several ways — a database per tenant, a schema per tenant, or a row per tenant with a tenant_id column in shared tables. The shared-row model is the most economical and the most dangerous, because isolation is no longer guaranteed by infrastructure and instead depends on each application query correctly including the tenant filter. It only takes one developer forgetting the clause in a report, a batch job, or a new endpoint for one customer's data to appear to another. In architectures with caching, the risk multiplies: a cache key without the tenant in its identifier serves one customer's response to another.
2. Cross-tenant data leakage
Cross-tenant leakage is the materialization of the isolation flaw. It usually appears through IDOR (Insecure Direct Object Reference) or BOLA (Broken Object Level Authorization), the categories that lead the OWASP API Security Top 10. The pattern is always the same: the system identifies the requested object by its ID but does not verify whether that object belongs to the authenticated user's tenant. Changing a number in the URL or request body starts returning another company's data. Because the user is legitimately authenticated, this access often triggers no alert — it looks like normal traffic.
The blind spot in logs
Cross-tenant leaks via IDOR frequently do not show up in conventional security logs because the attacker is authenticated and using the API exactly as it was designed to be used. Without correlating which tenant a user should access versus which one they actually accessed, the SOC is blind. That is why monitoring must be tenant-aware, not just IP- and payload-aware.
3. API and SSO compromise
B2B SaaS is, in essence, API. API keys scoped too broadly, JWT tokens whose signature or tenant claim is not validated on the server, the absence of rate limiting, and exposed administrative endpoints are classic points of entry. In SSO, the risks concentrate on the validation of SAML assertions and OIDC tokens: unverified signatures, key confusion attacks, missing audience checks, and incorrect binding between federated identity and tenant. A mistake in this layer lets an attacker authenticate as a user — or administrator — of another customer.
4. Supply chain and dependencies
Modern SaaS applications are assembled on top of hundreds of third-party libraries, container images, and external integrations. A vulnerable dependency, a malicious package introduced via typosquatting, or a credential leaked in a CI/CD pipeline can compromise the entire build. Because third-party code runs with the application's privileges, it has the same access to every tenant's data. Vulnerability management here is not scanning once a quarter — it is maintaining an inventory (SBOM), monitoring continuously, and having a patching process with an SLA.
5. Administrator account takeover
In a B2B SaaS, a tenant's administrator user has power over all users and data of that company. Taking over that account — via phishing, password reuse, the absence of MFA, or a flaw in the password recovery flow — gives the attacker full control over that customer. Even worse is the compromise of an operator account belonging to the platform itself, which may have cross-tenant visibility for support purposes. These privileged accesses require strong MFA, separation of duties, and an immutable audit trail.
Priority vectors to test before anything else
- ✓API endpoints that receive object IDs: do they validate ownership by tenant on the server?
- ✓Tokens and sessions: does the tenant_id come from the signed token on the server, never from a client parameter?
- ✓SSO/SAML/OIDC flow: are signature, audience, and tenant binding checked?
- ✓SCIM provisioning and invitations: can one tenant create or read another's users?
- ✓Administrative and platform operator accounts: is MFA mandatory and cross-access audited?
- ✓API keys and secrets: minimal scope, rotation, and no exposure in logs and repositories?
Is b2b saas data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Anatomy of an isolation flaw (anonymized real-world example)
Anonymized real-world example, not an actual customer
The case below is a didactic reconstruction of an incident pattern common in B2B SaaS. It does not identify any Decripte customer. It was built to show, step by step, how an isolation flaw is born, discovered, and handled.
Imagine a relationship-management SaaS platform serving hundreds of companies in a shared-row architecture — all tenants in the same database, separated by a tenant_id column. The product team, under deadline pressure, launches a new report-export endpoint. The endpoint receives the report ID and returns the file. The code that builds the query filters by the report ID, but the developer who wrote the export function assumed the previous layer had already validated the tenant — and it had not, for that new path. The result: any authenticated user of any company, by changing the report ID in the request, receives reports belonging to other customers.
The flaw goes unnoticed for weeks. There is no error, no exception, no alert. The logs record authenticated requests and responses with a 200 code. Everything looks normal. Until, during a contracted pentest, a Decripte analyst tests exactly this vector — enumerating object IDs from a legitimate tenant account — and receives back data belonging to another company. From there, the anatomy of the incident unfolds along the timeline in the case study below.
Why a pentest catches what a scanner does not
Automated scanners see known technical vulnerabilities but rarely understand the business logic of a multi-tenant SaaS. Cross-tenant authorization flaws require the tester to understand the tenancy model, create two accounts in different tenants, and prove that one can access the other. It is a manual, context-driven test that only a human-led pentest reliably detects.
What changes in incident response when the target is a SaaS
Responding to an incident in a B2B SaaS is more complex than in a traditional company for three reasons. First, the scale of notification: the provider must identify which tenants were affected and communicate with each of them, respecting distinct contractual and regulatory obligations. Second, business continuity: stopping the platform to contain a leak means stopping every customer's operation at the same time, so containment must be surgical — blocking the vulnerable endpoint, revoking tokens, isolating the vector — without bringing down the entire service when possible. Third, the evidence: enterprise customers and the ANPD will demand a detailed technical report on root cause, scope, and remediation.
Cascading notification
Under the LGPD, the controller must notify the ANPD and the data subjects when an incident may entail relevant risk or harm. In a B2B SaaS, the provider is usually the processor of each customer's data, and the customer is the controller. This means the SaaS must promptly notify its customers (the controllers), who in turn decide on communication to data subjects and the authority. Each hour of delay in detection and communication multiplies the legal risk across the entire chain.
This is why the containment SLA matters so much. The sooner Decripte detects the anomalous access in the SOC, the sooner the vector is blocked, the smaller the exfiltration window, and the smaller the universe of potentially affected tenants. Containing within one hour, rather than discovering weeks later, is the difference between a notifiable, controlled incident and a crisis that spreads across the entire customer base.
Compliance your enterprise customer will demand
In B2B SaaS, compliance is not just a regulatory obligation — it is a sales enabler. SOC 2, an attestation framework based on the AICPA's Trust Services Criteria, has become the de facto standard that enterprise buyers ask for before signing a contract. There are two types: SOC 2 Type I, which evaluates the design of controls at a point in time, and SOC 2 Type II, which evaluates the effective operation of those controls over a period (typically six months to a year). Type II is the one that carries real weight, because it proves that the controls not only exist on paper but function day to day.
What typically needs to be in place for a SaaS
- ✓SOC 2: security policy, access control, change management, monitoring, and incident response documented and operating.
- ✓LGPD: legal basis for processing, processor agreements, records of processing activities, response plan, and a communication channel to the ANPD and to customers.
- ✓ISO 27001: an information security management system (ISMS) when there is international demand or contracts that require certification.
- ✓PCI DSS: mandatory when the platform processes, transmits, or stores payment card data.
- ✓Documented vulnerability management: inventory, continuous scanning, remediation SLA, and evidence of periodic pentesting.
Decripte structures this journey pragmatically: first a gap assessment against the target framework, then the implementation of the missing controls — many of them directly tied to the multi-tenant technical defenses described here — and finally preparation for the audit. The great advantage of handling compliance alongside pentesting, SOC, and vulnerability management is that the controls required by SOC 2 are exactly the ones that protect against real attacks. It is not duplicate work: it is the same work producing, on one side, security, and on the other, auditable evidence.
What would an incident in b2b saas cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Secure SDLC: prevent before you test
Finding isolation flaws in a pentest is essential, but it is cheaper and safer not to introduce them in the first place. That is why Decripte works on the secure development life cycle (SDLC) alongside the customer's engineering team. This means establishing an architectural standard in which the tenant is bound at the lowest level possible — ideally a data access layer that automatically injects the tenant filter into every query, or row-level security policies in the database, so that forgetting the filter is no longer a human possibility.
Defense in depth in tenancy
Ideally, isolation should not depend on the developer remembering to filter. Layers such as row-level security in the database, middleware that validates the token's tenant on every request, and code review with a specific authorization checklist create redundancy: for data to leak, several barriers would have to fail at the same time, not just one line of code.
In the development flow, this translates into code review focused on authorization, automated tests that verify one tenant cannot access another's data as part of the regression suite, static analysis (SAST) and dependency analysis (SCA) integrated into the pipeline, and security gates that prevent the deployment of code with known high-severity vulnerabilities. Security stops being a final step and becomes a continuous property of the delivery process.
How it all connects: discovery, defense, and evidence
The strength of a B2B SaaS security posture lies not in any single control, but in the cycle that connects them. The pentest discovers flaws that become remediation items and, at the same time, test cases that enter the SDLC so they do not return. Vulnerability management keeps the dependency chain and infrastructure under continuous watch, feeding the engineering team what needs to be fixed and at what priority. The 24x7 SOC observes the platform in production, with tenant-aware detection rules, ready to respond. And compliance turns this entire operation into auditable evidence that unlocks enterprise sales.
The cycle, in one sentence
Pentesting discovers, the SDLC prevents recurrence, vulnerability management maintains the watch, the SOC detects and contains in production, and compliance proves all of it to whoever buys your product.
This chain is what separates a company that merely reacts to incidents from one that structures security as a continuous capability. For a B2B SaaS, where each new customer raises the value of the target and each incident multiplies across the base, this cycle is not a luxury: it is the condition for growing securely. Start with a free exposure assessment at decripte.com.br/intelligence-center and, when you want to structure the full cycle, talk to Decripte at decripte.io/start or via /contato.
Anatomy of a cross-tenant leak: from pentest discovery to SOC 2 structuring
Real, de-identified example
Anonymized real-world example (no customer identified). A B2B SaaS management platform, with a shared-row multi-tenant architecture (all customers in the same database, separated by tenant_id), launches a new report-export endpoint under deadline pressure. The endpoint filters by the report ID but does not revalidate the authenticated user's tenant for that new path. Any legitimate user of any company, by changing the ID in the request, begins receiving reports from other customers — without triggering an error or alert. The flaw remains latent for weeks until a contracted pentest.
Discovery (pentest)
During a pentest with an explicit multi-tenant scope, a Decripte analyst creates two accounts in different tenants and tests object ID enumeration from a legitimate account. The export endpoint returns data belonging to the other tenant. The flaw is classified as a critical-severity BOLA/IDOR (cross-tenant leakage) and reported immediately outside the normal reporting flow, because it is actively exploitable in production.
Detection and scope validation
Decripte's SOC, engaged in tandem, activates tenant-aware detection rules and retroactively reviews the access logs for the endpoint. The goal is to answer the critical question: besides the tester, did anyone else exploit the flaw? Which tenant each user should have accessed is cross-referenced against which they actually accessed, to map anomalous access and estimate the real universe of exposure.
Containment
Within one hour of engagement, the vector is surgically contained: the vulnerable endpoint is blocked via feature flag, suspicious session tokens are revoked, and blocking rules are applied at the edge, without bringing down the entire platform for the other customers. The exfiltration window is closed while the definitive fix is prepared.
Eradication
Engineering, guided by Decripte, fixes the root cause: tenant ownership validation is moved to the data access layer and reinforced with row-level security in the database, so the filter no longer depends on each developer. A cross-tenant regression test case is added to the automated suite to prevent recurrence. Keys and secrets exposed along the way are rotated as a precaution.
Recovery and notification
Once the scope of affected tenants is confirmed, the cascading notification package is assembled: technical communication to each affected customer (controller), with a timeline, the data involved, and the remediation, so each can fulfill its obligations under the LGPD toward data subjects and the ANPD. The platform resumes full operation with the corrected endpoint and reinforced monitoring on the vector.
Lessons and structuring
The post-incident phase becomes a program: Decripte conducts a review of all endpoints that receive object IDs, deploys static and dependency analysis in the pipeline, establishes an authorization checklist in code review, and structures the SOC 2 journey — turning the controls created during the response into auditable evidence that the enterprise base begins to demand.
Outcome with Decripte
Because the flaw was discovered in a pentest before being exploited at scale, and because containment occurred within a one-hour window of detection, the incident remained controlled and notifiable, rather than becoming a crisis spread across the entire customer base. More importantly, the cycle of discovery, response, and structuring left the platform with isolation reinforced by defense in depth, a secure SDLC with cross-tenant regression tests, a tenant-aware 24x7 SOC, and a SOC 2 compliance track under way. Security stopped being an event and became a continuous capability.
Don’t wait for the incident. Start hardening b2b saas today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to a B2B SaaS incident
Incident response in multi-tenant environments demands speed in containment and precision in scope, because every hour lost widens the number of potentially affected customers and the complexity of notification. Decripte's method follows coordinated steps, with a containment SLA of up to one hour.
- Engagement and triage: immediate activation of the response team, severity classification, and preliminary identification of the vector (isolation flaw, API/SSO compromise, account takeover, or supply chain).
- Tenant-aware detection: the SOC activates and reviews rules that correlate which tenant each user should access versus what they actually accessed, to distinguish legitimate traffic from cross-tenant exploitation and estimate the real scope.
- Surgical containment within 1h: blocking the vulnerable endpoint or vector, revoking compromised tokens and sessions, and applying edge rules, preserving platform continuity for unaffected customers whenever possible.
- Evidence preservation and root cause analysis: forensic collection of logs and artifacts, reconstruction of the timeline, and precise identification of the flaw that caused the incident, ensuring chain of custody for the report.
- Eradication and definitive fix: removal of the vector at its root cause (not just the symptom), reinforcement of isolation, rotation of exposed secrets, and the addition of regression tests to prevent recurrence.
- Mapping affected tenants and cascading notification: precise definition of which customers were impacted and support in the technical communication to each controller, enabling compliance with LGPD obligations toward data subjects and the ANPD.
- Monitored recovery: return to full operation with reinforced watch over the handled vector and validation that the fix is effective in production.
- Post-incident and hardening: an executive and technical root cause report, structural recommendations, and the conversion of lessons into permanent controls in SDLC, vulnerability management, and compliance.
How Decripte structures the security of a B2B SaaS platform
Beyond responding to incidents, Decripte structures multi-tenant security as a continuous capability, organized into mutually reinforcing pillars — from prevention in the code to auditable evidence for enterprise customers.
Multi-tenant isolation through defense in depth
Bind the tenant at the lowest level possible: a data access layer that injects the filter automatically, row-level security in the database, and middleware that validates the token's tenant on every request. Isolation no longer depends on the developer remembering to filter, and several barriers would have to fail at the same time for a leak to occur.
Secure SDLC and recurrence prevention
Code review with an authorization checklist (IDOR/BOLA), automated cross-tenant regression tests in the suite, static analysis (SAST) and dependency analysis (SCA) in the pipeline, and gates that block the deployment of known critical vulnerabilities. Every flaw found in a pentest becomes a permanent test case.
Recurring pentesting with cross-tenant scenarios
Human-led penetration testing, with an explicit multi-tenant scope, object enumeration from legitimate accounts, and validation of SSO/SAML/OIDC and SCIM. It catches exactly the authorization-logic flaws that automated scanners do not detect.
Continuous vulnerability and supply chain management
Dependency inventory (SBOM), continuous scanning, software supply chain monitoring, prioritization by real risk, and a remediation SLA — instead of isolated point-in-time scans.
Tenant-aware 24x7 SOC
Uninterrupted monitoring with detection rules that correlate expected versus actual access per tenant, API hardening (rate limiting, key scoping, token validation), and readiness to contain incidents within one hour.
Compliance as sales evidence
Structuring of SOC 2 (Type I and Type II), LGPD, ISO 27001, and PCI DSS where applicable, turning the technical controls already implemented into auditable evidence that unlocks enterprise contracts.
Recommended plans for B2B SaaS
Pentesting
Isolation flaws and cross-tenant leakage (IDOR/BOLA) are authorization-logic issues and require manual testing with an explicit multi-tenant scope — creating accounts in different tenants and proving that one can access the other. It is the service that discovers what scanners cannot see, including validation of SSO/SAML/OIDC and SCIM.
See plan →24x7 SOC
Cross-tenant leaks via authenticated users do not trigger conventional alerts. A SOC with tenant-aware detection correlates expected versus actual access and enables containment within one hour, reducing the exfiltration window and the universe of affected customers.
See plan →Vulnerability Management
The dependency chain and infrastructure of a SaaS change continuously. Inventory (SBOM), continuous scanning, supply chain monitoring, and a remediation SLA keep the surface under control, instead of point-in-time snapshots that age in days.
See plan →Compliance
SOC 2 Type II, LGPD, and ISO 27001 are prerequisites for selling in the enterprise. Decripte turns multi-tenant technical controls into auditable evidence, aligning real security and contractual requirements in the same effort.
See plan →Frequently asked questions
What is the practical difference between isolation by database, by schema, and by row (tenant_id)?
With database-level isolation, each customer has its own database — maximum isolation, higher operational cost. With schema-level, customers share the database but have separate schemas — a middle ground. With row-level (shared rows with a tenant_id column), all data sits in the same tables, differentiated by a column — more economical and scalable, yet the riskiest, because isolation now depends on every application query correctly including the tenant filter. Decripte recommends reinforcing the row model with row-level security in the database and a data access layer that injects the filter automatically.
How do I know if my platform has a cross-tenant leakage flaw right now?
The decisive test is manual: create two accounts in different tenants and try, from account A, to access objects from account B by swapping IDs in URLs and API payloads. If any endpoint returns the other tenant's data, there is a leak. Automated scanners rarely detect this because it is an authorization-logic flaw, not a cataloged technical vulnerability. A pentest with an explicit multi-tenant scope is the reliable way to find out. You can start with a free exposure assessment at decripte.com.br/intelligence-center.
Why do enterprise customers ask for SOC 2, and is it really necessary?
Because, when buying a SaaS, the company is outsourcing the processing of sensitive data and needs independent assurance that operating security controls exist. SOC 2 Type II attests, based on the AICPA's Trust Services Criteria and through an audit, that the controls work over a period of time. Without it, many enterprise contracts simply do not move forward. The good news is that the controls required by SOC 2 are, in large part, the same defenses that protect against real attacks — so it is the same effort producing both security and evidence.
What is IDOR/BOLA, and why is it so common in SaaS?
IDOR (Insecure Direct Object Reference) and BOLA (Broken Object Level Authorization) describe the same class of flaw: the system locates an object by its identifier but does not verify whether the authenticated user has the right to access it. In multi-tenant SaaS, this becomes cross-tenant leakage. It is common because authentication (knowing who the user is) tends to be well implemented, while per-object authorization (verifying that the object belongs to the user's tenant) is frequently forgotten in new endpoints. It leads the OWASP API Security Top 10 for this reason.
How do you contain an incident without bringing down the platform for all customers?
Containment is surgical. Instead of stopping the entire service, we isolate the specific vector: blocking the vulnerable endpoint via feature flag, revoking compromised tokens and sessions, and applying targeted edge rules. This closes the exfiltration window while keeping operations running for unaffected customers, whenever the architecture allows. The goal is to contain within one hour of engagement, minimizing both the damage and the availability impact.
In a leak, who must notify whom under the LGPD?
In B2B SaaS, the provider is usually the processor of the data, and each customer company is the controller. When there is an incident that may create relevant risk or harm, the provider (processor) must promptly notify its customers (controllers), who then decide on communication to data subjects and the ANPD, in accordance with the LGPD. That is why the speed of detection and scope mapping is critical: it determines how quickly the entire notification chain can meet its obligations.
How do you protect SSO and SCIM provisioning against account takeover?
In SSO, it is essential to validate on the server the signature of SAML assertions and OIDC tokens, check the audience, prevent key confusion attacks, and ensure the correct binding between the federated identity and the right tenant. In SCIM, automatic provisioning must prevent one tenant from creating, reading, or modifying another's users. Add strong, mandatory MFA for administrative and platform operator accounts, separation of duties, and an immutable audit trail. These flows are explicitly within the scope of Decripte's pentest.
How often should a SaaS conduct pentesting and vulnerability management?
Pentesting should be recurring — typically at least annually and with every significant change in architecture or exposure surface (new endpoints, a new SSO integration, a change in the tenancy model). Vulnerability management, on the other hand, is continuous: dependency inventory, permanent scanning, and a remediation SLA, because the supply chain changes every day. Handling the two together ensures that what the pentest discovers becomes a permanent test case and that the window between a vulnerability arising and being fixed is as small as possible.
Sector terms
- Multi-tenancy
- An architecture in which a single software instance serves multiple customer companies (tenants), with their data logically separated. Isolation between tenants is the most critical security control of this model.
- IDOR / BOLA
- Insecure Direct Object Reference / Broken Object Level Authorization. A flaw in which the system locates an object by its ID but does not verify whether the authenticated user has the right to access it. In multi-tenant SaaS, it is the typical cause of cross-tenant leakage and leads the OWASP API Security Top 10.
- Cross-tenant leakage
- Exposure of one customer's (tenant's) data to another within the same platform, usually resulting from an isolation or authorization flaw. It is the materialization of the central risk of a multi-tenant SaaS.
- SOC 2
- A control attestation framework based on the AICPA's Trust Services Criteria. Type I evaluates the design of controls at a point in time; Type II evaluates their effective operation over a period. The de facto standard demanded by enterprise SaaS buyers.
- Row-Level Security (RLS)
- A database mechanism that restricts, at the level of each row, which records a session can access. In multi-tenancy, it is used to enforce the tenant filter in the infrastructure itself, reducing dependence on the application remembering to apply it.
- SBOM
- Software Bill of Materials. An inventory of all third-party components and dependencies that make up an application. It is the foundation of supply chain vulnerability management, making it possible to quickly know which systems are affected when a vulnerability arises in a package.
Decripte protects and responds to incidents in b2b saas.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
