Patrick Opet, Chief Information Security Officer at JPMorganChase, has issued an urgent warning to the global software industry, calling for immediate reform in how cloud-based services are designed, integrated, and secured.
In an open letter, Opet argues that the rapid rise of software-as-a-service (SaaS) has quietly introduced a systemic vulnerability into the digital infrastructure of the global economy.
“SaaS has become the default and is often the only format in which software is now delivered,” Opet stated. “This leaves organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure.”
While SaaS models offer speed and efficiency, Opet emphasized that they also consolidate cyber risk, allowing a single point of failure—such as an outage or breach—to ripple across multiple sectors simultaneously.
“Historically, software was distributed across diverse environments, each with unique security practices,” he explained. “Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers.”
Drawing on JPMorganChase’s own experience, Opet revealed that third-party incidents have already impacted the bank’s security landscape.
“Over the past three years, our third-party providers experienced a number of incidents within their environments. These required us to act swiftly and decisively, including isolating compromised providers and dedicating substantial resources to threat mitigation,” he wrote.
Opet attributes some of this growing risk to a commercial race among software vendors, where rapid feature delivery is prioritized over foundational security.
“The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system,” he warned.
Central to Opet’s critique is the evolution of modern integration patterns, which he says have eroded decades of security architecture. Instead of strict segmentation and layered access, today’s SaaS models create direct pathways between third-party applications and core internal systems.
“These integration models collapse authentication and authorization into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources,” Opet said.
The letter also highlights emerging attack trends. According to Opet, state-sponsored actors are increasingly targeting trusted integration partners as a way to bypass traditional defences.
He cited a recent Microsoft Threat Intelligence report stating that Chinese state actors are shifting focus to “common IT solutions like remote management tools and cloud applications.”
‘Resilient by design’
In response, Opet is calling on providers to re-engineer their platforms with “secure and resilient by design” principles that go beyond compliance.
“This requires continuous, demonstrable evidence that controls are working effectively—not simply relying on annual checks,” he wrote. “Customers should be afforded secure-by-default configurations and transparency into risks.”
Opet also recommended deploying techniques like confidential computing, customer self-hosting, and “bring your own cloud” models as interim safeguards.
“Traditional measures like network segmentation and protocol termination may no longer be viable. Instead, we need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems,” he argued.
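To make concrete the integration pattern Opet criticises (one static credential standing in for both authentication and authorization) alongside the kind of layered authorization he calls for, here is an added illustration that is not from the letter, from JPMorganChase or from any vendor. The token format, the shared key, the audience name and the scope names are constructed for the example; a real deployment would use the identity provider's own token format.

```python
# Added illustration, not code from Opet's letter or JPMorganChase.
# weak_handler shows "single-factor explicit trust": holding one static key
# grants every internal action. hardened_handler keeps authentication
# (issuer signature) separate from authorization (expiry, audience, scope).
# The token is a constructed HMAC-signed JSON envelope, not a real IdP format.
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-integration-key"   # constructed sample value
INTERNAL_AUDIENCE = "internal-ledger-api"         # constructed audience name


def weak_handler(headers: dict) -> bool:
    """Possession of the static key is the only check; authn and authz collapse
    into one decision, and the key is valid for every action, forever."""
    presented = headers.get("X-Api-Key", "")
    return hmac.compare_digest(presented, SHARED_SECRET.decode())


def issue_token(claims: dict, key: bytes) -> str:
    """Issuer side: sign a claims document so the receiver can verify origin."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def hardened_handler(token: str, key: bytes, action: str, now: float):
    """Receiver side: verify signature (who sent it), then expiry, audience and
    a per-action scope (what it may do). Returns (allowed, reason)."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return False, "expired"                 # short-lived, not permanent
    if claims.get("aud") != INTERNAL_AUDIENCE:
        return False, "wrong audience"          # token minted for another system
    if action not in claims.get("scope", []):
        return False, "scope does not permit " + action  # least privilege
    return True, "ok"
```

The contrast is the point: the weak handler cannot distinguish a read from a write or a current token from a stolen one, while the hardened handler denies each of those cases with a reason that can be logged and alerted on.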
His concluding message was a blunt challenge to the software community: reject insecure integration models until better alternatives emerge.
“The most effective way to begin change is to reject these integration models without better solutions,” Opet urged. “I hope you’ll join me in recognizing this challenge and responding decisively, collaboratively, and immediately.”