SaaS vendors tend not to enforce strong security settings by default. Rather, they leave the details up to the client’s discretion. They do this mostly to reduce their responsibility for security. They also want to make their services less complex and easier to use, but the result is nonetheless exposure to security risk. Moreover, system administrators may inadvertently change and weaken existing security settings, creating risk exposure in the process. If left unaddressed, inadequate security settings may allow external attackers, as well as malicious insiders, to access the SaaS. This could lead to the loss of data and other negative outcomes, such as system shutdowns, data breaches, denial-of-service attacks, increased expenses, and more. This article explores the issue, examining SaaS app risks and offering an approach to their mitigation.