Why SaaS Providers Shouldn’t Upsell Essential Security Features

Tom Burton

What Problem do Too Many SaaS Providers Have in Common?

Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution.

In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong.

The Case of Boeing and the Aviation Industry

The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article, the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras.

According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft. The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items.

This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one.

Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well).

The SaaS Parallels

Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also presents significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace.

But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers?

One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services.

But, we know that compromised credentials is a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose. The most obvious ones are Multi Factor Authentication (MFA, or 2FA), and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages.

SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones.

It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details.

Conclusion

What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential.

For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.

Contact - Digital Achilles Heel

< Older Post

Newer Post >

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Case Study: A Rapid Strategy Stress Test to Accelerate a Go-to-Market Strategy

by Mauro Mortali • 9 May 2026

We were approached by a global networking systems, services, and software company that specialises in optical and routing solutions. Their technology helps carriers, enterprises, and governments build more efficient and scalable networks, particularly for high-bandwidth applications like 5G, cloud computing, and AI-driven networking. Africa is a key strategic market for this client. They are also playing an active role in advancing outlined 5G technology on the continent, emphasising a focus on routing and switching aggregation components, network slicing, and monetisation. The Opportunity The client engaged Cambridge MC to provide external insight and support to augment and accelerate the progress of their Go-to-Market plans for Africa. We proposed our in-house rapid Strategy Stress Test that delivers key insights across areas of your strategy using a 1–5 health-scoring matrix. The client's aim is to grow market share in the region with a precisely focussed strategy that targets their market with key propositions and solutions. We were engaged to review this strategy and their plans for the region, identifying critical opportunities and gaps with a quick turnaround. Approach We used our Rapid Strategy Stress Test methodology which provides: Target geographies, opportunities, and partners for resource effectiveness and success maximisation Assessment of client's Go-to-Market Strategy including identification and testing of key assumptions Identification of new opportunities and any gaps in the strategy Recommendations on how best to capitalise on the market and accelerate their route to success This included carrying out target addressable and client-addressable market sizing by country for the Optical, Data Centre Interconnect, Routing and Switching portfolios; competitor market share analysis; analysis of current and planned data centre build in the target countries; future trend analysis, including Political, Economic, Social, Technological, Legal and Environmental trends by country. We put their GtM strategy and plans through our Stress Test framework, scoring capabilities against best-in-class – across 11 parameters such as Market Potential, Adaptability to Local Needs, Pricing and Marketing & Demand Generation. Recommendations were made against each of the 11 areas relating to opportunities to accelerate their GtM strategy. In order to support effective targeting of resources into key countries, we developed a country prioritisation framework across 15 parameters, such as GDP growth, energy supply, stability of regulatory environment, and ease of doing business. This quantitative assessment was supplemented with the real world experience of our Africa experts.