Software-as-a-Service (SaaS) concentrates business-critical data and identity workflows into always-on, internet-exposed systems, making it a prime target for credential theft, API abuse, supply-chain compromise, and cloud-control-plane attacks. This paper develops a secure-by-design framework for SaaS that integrates (i) governance and risk outcomes from NIST CSF 2.0, (ii) security and privacy controls from NIST SP 800-53 Rev. 5 and ISO/IEC 27001, and (iii) secure software engineering practices from NIST SP 800-218 (SSDF), combined with application-layer standards such as OWASP ASVS and the OWASP API Security Top 10 (2023). Results include a reference architecture for secure SaaS delivery (Figure 1) and a metrics-based control matrix (Table 1) that links threat categories to measurable security outcomes, aligned with the SOC 2 Trust Services Criteria and mapped to cloud assurance controls via the CSA Cloud Controls Matrix (CCM). The paper concludes that resilient SaaS security requires unifying secure development, identity-centric architecture, supply-chain integrity (SBOM/SLSA), and operational telemetry into a continuous assurance loop.
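To make the "metrics-based control matrix" and "continuous assurance loop" concrete, here is an added example (not the paper's Table 1 and not code from the author): a small control matrix that ties a threat category to a control identifier, a telemetry metric and a target, plus an evaluator that reports which threats are covered, which are out of tolerance, and which have no telemetry at all. The OWASP API Top 10 (2023) items and NIST SP 800-53 control identifiers are real; the metric names, targets and telemetry snapshot are constructed assumptions for illustration.

```python
"""Toy continuous-assurance check over a control matrix.

Added example: the matrix rows, metric names, targets and the telemetry
snapshot are constructed for illustration and are not the paper's Table 1.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlRow:
    threat: str            # threat category (e.g. an OWASP API Top 10 2023 item)
    control: str           # control reference (NIST SP 800-53 Rev. 5 identifier)
    metric: str            # telemetry key that measures the control (assumed name)
    target: float          # required value for the metric (assumed threshold)
    higher_is_better: bool # True: value >= target passes; False: value <= target passes


# Constructed control matrix. Control identifiers exist in SP 800-53 Rev. 5 and
# the threat labels are OWASP API Top 10 (2023) items; metrics/targets are assumed.
CONTROL_MATRIX: List[ControlRow] = [
    ControlRow("API1:2023 Broken Object Level Authorization",
               "AC-3 Access Enforcement",
               "authz_tests_pass_ratio", 1.0, True),
    ControlRow("API2:2023 Broken Authentication",
               "IA-2 Identification and Authentication",
               "mfa_enrolled_ratio", 0.99, True),
    ControlRow("API4:2023 Unrestricted Resource Consumption",
               "SC-5 Denial-of-Service Protection",
               "endpoints_without_rate_limit", 0, False),
    ControlRow("Supply-chain compromise",
               "SR-4 Provenance",
               "releases_with_signed_sbom_ratio", 1.0, True),
]


def evaluate(matrix: List[ControlRow], telemetry: Dict[str, float]) -> Dict[str, List[str]]:
    """Classify each threat category as 'pass', 'fail' or 'unmeasured'.

    A control whose metric is absent from telemetry is reported separately:
    a missing measurement is an assurance gap, not a pass.
    """
    result: Dict[str, List[str]] = {"pass": [], "fail": [], "unmeasured": []}
    for row in matrix:
        if row.metric not in telemetry:
            result["unmeasured"].append(row.threat)
            continue
        value = telemetry[row.metric]
        ok = value >= row.target if row.higher_is_better else value <= row.target
        result["pass" if ok else "fail"].append(row.threat)
    return result


# Constructed telemetry snapshot: one control passes, two miss their target,
# and the supply-chain metric is not being collected at all.
SAMPLE_TELEMETRY: Dict[str, float] = {
    "authz_tests_pass_ratio": 1.0,
    "mfa_enrolled_ratio": 0.97,
    "endpoints_without_rate_limit": 2,
}


def assurance_report(matrix: List[ControlRow], telemetry: Dict[str, float]) -> str:
    """Render the evaluation as a short text report."""
    outcome = evaluate(matrix, telemetry)
    lines = []
    for state in ("pass", "fail", "unmeasured"):
        for threat in outcome[state]:
            lines.append(f"{state.upper():10} {threat}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(assurance_report(CONTROL_MATRIX, SAMPLE_TELEMETRY))
```

The point of the `unmeasured` bucket is the one a practitioner most often gets wrong: a control that has no telemetry feeding it cannot close the assurance loop, so it should surface as a gap in the same report as failed thresholds rather than disappearing from it.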
Author: Oleksandr KHODORKOVSKYI