Cybersecurity checklist for SaaS applications

16 Sep, 2020

In the last few years, SaaS businesses have grown at a remarkable pace. Thanks to quick setup, scalability, easy upgrades, and low physical infrastructure requirements, SaaS products are becoming the first choice of businesses across the globe, irrespective of their size. BreachLock’s offerings include a SaaS platform, so if you are a SaaS provider, we share the same security concerns as you. In this article, we discuss the challenges we face and the steps we take to deal with them.

Threats to your SaaS platform

Modern-day SaaS platforms are hosted in the cloud to minimize the costs of physical infrastructure. Before we address security concerns for your SaaS platform, it is crucial to understand the threats SaaS platforms face. In August 2019, the Cloud Security Alliance (CSA) published new research outlining the top threats to cloud computing environments. Instead of focusing on the traditional research practices surrounding vulnerabilities and malware, CSA took a new approach by examining problems in authentication and configuration. CSA termed this set of threats the Egregious Eleven; in order of significance, they are as follows:

  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access, and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services

This outcome suggests that threats which appeared in CSA’s earlier list, such as shared technology vulnerabilities, DoS/DDoS attacks, system vulnerabilities, and data loss, are either no longer perceived as a significant business risk or are not being addressed well.

SaaS platforms and security risks

From our experience and from discussions with our clients, we have come to understand that, as a SaaS provider, an organization must have clarity on the risks it faces. The most prominent risks faced by a SaaS platform are given below:

  1. Data theft: A SaaS platform can store personal information of customers, financial/transaction details, intellectual property, and other sensitive information. Attackers often use targeted attacks to exfiltrate such data.
  2. Identity theft: This concern arises from improper management of access rights and the absence of robust identity and access management controls.
  3. Internal threats: An employee may have malicious intent to cause damage to an organization, or sheer negligence can lead to the sharing of user credentials.
  4. Phishing: It is a well-known statistic in the cybersecurity community that more than 90% of attacks involve some form of phishing.
  5. Account takeover: A successful social engineering attack may allow a threat actor to compromise the credentials of an employee and use the account as if they were that employee.
  6. Zero-day threats: Zero-day threats are previously unknown to an organization, and there is no ready solution to prevent them.
  7. Compliance/Audits: Many businesses do not comply adequately with laws and regulatory standards such as GDPR, HIPAA, PCI DSS, SOX, etc.
  8. Weak service level agreements (SLAs): The lack of comprehensive SLAs makes it difficult for organizations to hold anyone accountable.
  9. Decentralized identity management: A single employee in your organization will have different user accounts for various services, making identity management complex and challenging to secure.
  10. Transparency: Not all service providers are transparent about the security practices they follow to ensure that your cloud environment is secure.

Protecting your SaaS application: Best practices (Checklist)

The following table contains recommended actions across various components of your organization’s technical infrastructure.

Employees

  1. Promote good security practices
  2. Prevent sharing of user accounts between employees
  3. Implement full-disk encryption on laptops and other assets allocated to employees
  4. Mandate the use of two-factor authentication
  5. Log and monitor the computers assigned to employees
  6. Organize regular security awareness training sessions

Development

  1. Incorporate security within your organization’s software development lifecycle
  2. Perform secure code review regularly
  3. Adopt DevSecOps (Development, Security, and Operations)
  4. Integrate identity and access management solutions
  5. Ensure fault tolerance and scalability
  6. Record audit logs for user account activity (logins, privilege changes, access to sensitive data)
  7. Follow the principles of “privacy by design” and “privacy by default”

Security Testing

  1. Perform regular vulnerability scans on your organization’s technical infrastructure
  2. Execute internal and external penetration tests periodically
  3. Remediate findings in order of priority and retest to validate the fixes

Application

  1. Configure weekly scans of your SaaS application once it goes into production
  2. Use real-time protection services
  3. Add multi-factor authentication to your application
  4. Keep track of the dependencies of your application and how it communicates with them
  5. Verify that your application can restrict authentication by source IP address (IP allowlisting); MAC-address filtering only works on the local network segment and is not usable for an internet-facing SaaS application
  6. Implement a firewall (and a web application firewall) in front of your SaaS application to block unnecessary traffic

Infrastructure

  1. Implement a backup policy for regular backups of organizational data
  2. Continuously monitor internal as well as exposed services
  3. Use encryption for your APIs and applications: TLS for data in transit and encryption at rest for stored data

Organizational

  1. Promote a cohesive security culture with the support of top management
  2. Be transparent about data collection
  3. Maintain an inventory of assets (systems, applications, portable devices, services, etc.)
  4. Draw a network map and update it regularly
  5. Implement an incident response plan
  6. Prioritize your security-related actions based on risk
  7. Comply with applicable legal requirements
  8. Support disaster recovery and business continuity

Application Users

  1. Request that users enable 2FA on their accounts
  2. Enforce a password policy
  3. Continuously monitor user activities to identify suspicious behavior

Your SaaS provider/vendor

  1. Check the specifications given in the SLA
  2. Verify the efficiency of the support services provided by the service provider
  3. Validate the compliance certifications obtained by the service provider
  4. Check whether data is encrypted during transmission
  5. Check whether your service provider stores PII
  6. Check whether your service provider’s application is single- or multi-tenant
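The checklist asks you to record logs for user accounts, monitor user activity for suspicious behavior, and restrict authentication by source IP. The script below is an added example of what that monitoring can look like in practice; it is not code from the original article or from BreachLock’s platform. It runs three detections over a constructed set of login audit lines (the line format, the tenant name “acme”, the user names and the per-tenant IP allowlist are all assumptions made for the example): a burst of failed logins for one account followed by a success (the account-takeover pattern from risk 5), one source IP failing against many different accounts (password spraying), and a successful login from an address outside the tenant’s allowlist.

```python
"""Login-audit detections for a SaaS platform (added example, not from the original page)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit lines; the key=value format is hypothetical, not a real product's log.
SAMPLE_LOG = """\
2020-09-16T10:00:01Z tenant=acme user=alice ip=203.0.113.10 result=failure
2020-09-16T10:00:03Z tenant=acme user=alice ip=203.0.113.10 result=failure
2020-09-16T10:00:05Z tenant=acme user=alice ip=203.0.113.10 result=failure
2020-09-16T10:00:07Z tenant=acme user=alice ip=203.0.113.10 result=failure
2020-09-16T10:00:09Z tenant=acme user=alice ip=203.0.113.10 result=failure
2020-09-16T10:00:12Z tenant=acme user=alice ip=203.0.113.10 result=success
2020-09-16T10:05:00Z tenant=acme user=bob ip=198.51.100.7 result=success
2020-09-16T10:06:00Z tenant=acme user=carol ip=198.51.100.7 result=failure
2020-09-16T10:06:01Z tenant=acme user=dave ip=198.51.100.7 result=failure
2020-09-16T10:06:02Z tenant=acme user=erin ip=198.51.100.7 result=failure
2020-09-16T10:06:03Z tenant=acme user=frank ip=198.51.100.7 result=failure
2020-09-16T10:06:04Z tenant=acme user=grace ip=198.51.100.7 result=failure
2020-09-16T11:00:00Z tenant=acme user=bob ip=203.0.113.99 result=success
"""

# Hypothetical per-tenant allowlist, e.g. the customer's office and VPN ranges.
TENANT_ALLOWLIST = {"acme": [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]}

FAILURE_THRESHOLD = 5          # failures for one account before a success is suspicious
WINDOW = timedelta(minutes=10)  # only failures this recent count towards the threshold
SPRAY_USER_THRESHOLD = 5       # distinct accounts one IP must fail against to be a spray


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events, allowlist=TENANT_ALLOWLIST):
    """Return (rule, tenant, user, ip) alerts in timestamp order."""
    alerts = []
    failures = defaultdict(list)   # (tenant, user) -> timestamps of recent failures
    spray_users = defaultdict(set)  # (tenant, ip) -> accounts that failed from that ip
    spray_alerted = set()           # (tenant, ip) pairs already reported, to avoid repeats

    for e in sorted(events, key=lambda ev: ev["ts"]):
        tenant, user, ip = e["tenant"], e["user"], e["ip"]
        if e["result"] == "failure":
            failures[(tenant, user)].append(e["ts"])
            spray_users[(tenant, ip)].add(user)
            if (len(spray_users[(tenant, ip)]) >= SPRAY_USER_THRESHOLD
                    and (tenant, ip) not in spray_alerted):
                spray_alerted.add((tenant, ip))
                alerts.append(("password_spray", tenant, "*", ip))
            continue

        # Success: was it preceded by a burst of failures on the same account?
        recent = [t for t in failures[(tenant, user)] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_success", tenant, user, ip))
        failures[(tenant, user)].clear()

        # Success from outside the tenant's allowlist (if the tenant configured one).
        networks = allowlist.get(tenant)
        if networks is not None and not any(ip_address(ip) in n for n in networks):
            alerts.append(("ip_not_allowlisted", tenant, user, ip))

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The failure window and thresholds are deliberately simple; in production they would be tuned per tenant, the spray rule would also consider failures spread across tenants from one source, and an allowlist violation would be enforced at login time rather than merely reported afterwards.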

We hope that you found this article useful. You can also look at ISO 27002:2013 for improving the security posture of your SaaS platform. While a checklist is an excellent starting point for addressing security concerns related to your SaaS platform, you must consider your business context and organizational requirements. Further, you can consider getting in touch with service providers like BreachLock that can help you implement these best practices for your SaaS application.