Cybersecurity checklist for SaaS applications
In the last few years, we have seen that SaaS businesses have grown at a sky-high pace. Due to quick setup, scalability, easy upgrade, and low physical infrastructure requirements, SaaS products are becoming the first choice of businesses across the globe, irrespective of their size. BreachLock’s offerings include a SaaS platform, and if you are a SaaS provider, we share the same security concerns as you. In this article, we discuss the challenges we face and the subsequent steps we take to deal with them.
Threats to your SaaS platform
Modern-day SaaS platforms are hosted on the cloud to minimize the costs incurred in physical infrastructure requirements. Before we address security concerns for your SaaS platform, it is crucial to understand the threats SaaS platforms face. In August 2019, the Cloud Security Alliance published new research outlining the top threats to cloud computing environments. Instead of focusing on the traditional research practices surrounding vulnerabilities and malware, CSA took a new approach by examining problems in authentication and configuration. CSA termed this set of threats the Egregious Eleven, and these threats, in order of significance, are as follows:
- Data breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access, and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
This outcome suggests that threats such as shared technology vulnerabilities, DoS/DDoS attacks, system vulnerabilities, and data loss are either no longer perceived as a significant business risk or are not being addressed well.
SaaS platforms and security risks
From our experience and from discussions with our clients, we have come to understand that, as a SaaS provider, an organization must have clarity on the risks it faces. The most prominent risks faced by a SaaS platform are given below:
- Data theft: A SaaS platform can store personal information of customers, financial/transaction details, intellectual property, and other sensitive information. Attackers often use targeted attacks for exfiltrating such data.
- Identity theft: This concern arises due to improper management of access and lack of implementation of robust solutions.
- Internal threats: An employee may have malicious intent to cause damage to an organization or at times, sheer negligence can lead to the sharing of user credentials.
- Phishing: It is a well-known statistic in the cybersecurity community that more than 90% of attacks involve some form of phishing.
- Account takeover: A successful social engineering attack may allow a threat actor to compromise the credentials of an employee.
- Zero-day threats: Zero-day threats are previously unknown to an organization, and there is no ready solution to prevent them.
- Compliance/Audits: Many businesses do not comply adequately with laws and regulatory standards such as GDPR, HIPAA, PCI DSS, SOX, etc.
- Weak service level agreements (SLAs): Lack of comprehensive SLAs makes it difficult for organizations to hold someone accountable.
- Decentralized identity management: One employee from your organization will have different user accounts for various services, making identity management complex and challenging to secure.
- Transparency: Not all service providers are transparent about security practices they follow to ensure that your cloud environment is secure.
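The account takeover and identity theft risks above (and the checklist item on continuously monitoring user activity) are easiest to act on when a detector runs over authentication logs. The following is an added example, not code from BreachLock or the CSA research: it parses a constructed set of login events (a hypothetical `login user=... ip=... result=...` line format, assumed for illustration) and raises three kinds of alert: a per-user failure burst, a success that immediately follows such a burst, and one source IP failing against many distinct users (password spraying).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events; the line format is a
# hypothetical one chosen for this example, not a real product's log format.
SAMPLE_LOG = """\
2020-11-20T10:00:01Z login user=alice ip=203.0.113.5 result=fail
2020-11-20T10:00:03Z login user=alice ip=203.0.113.5 result=fail
2020-11-20T10:00:05Z login user=alice ip=203.0.113.5 result=fail
2020-11-20T10:00:07Z login user=alice ip=203.0.113.5 result=fail
2020-11-20T10:00:09Z login user=alice ip=203.0.113.5 result=fail
2020-11-20T10:00:12Z login user=alice ip=203.0.113.5 result=success
2020-11-20T10:05:00Z login user=bob ip=198.51.100.7 result=fail
2020-11-20T10:05:01Z login user=carol ip=198.51.100.7 result=fail
2020-11-20T10:05:02Z login user=dave ip=198.51.100.7 result=fail
2020-11-20T10:05:03Z login user=erin ip=198.51.100.7 result=fail
2020-11-20T10:05:04Z login user=frank ip=198.51.100.7 result=fail
2020-11-20T10:30:00Z login user=grace ip=192.0.2.10 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|fail)$"
)


def parse_events(text):
    """Turn log text into (timestamp, user, ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a detector should tolerate noise rather than crash on it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def detect_suspicious_logins(events, fail_threshold=5, spray_threshold=5,
                             window=timedelta(minutes=5)):
    """Sliding-window rules over login events. Returns a list of alert dicts."""
    alerts = []
    fails_by_user = defaultdict(deque)  # user -> recent failure timestamps
    burst_users = set()                 # users already alerted for a burst
    targets_by_ip = defaultdict(dict)   # ip -> {user: last failure timestamp}
    sprayed_ips = set()                 # IPs already alerted for spraying

    for ts, user, ip, result in sorted(events):
        if result == "fail":
            q = fails_by_user[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and user not in burst_users:
                burst_users.add(user)
                alerts.append({"kind": "BRUTE_FORCE", "user": user, "ip": ip, "time": ts})

            targets = targets_by_ip[ip]
            targets[user] = ts
            for u, t in list(targets.items()):  # forget users not hit recently
                if ts - t > window:
                    del targets[u]
            if len(targets) >= spray_threshold and ip not in sprayed_ips:
                sprayed_ips.add(ip)
                alerts.append({"kind": "PASSWORD_SPRAY", "user": None, "ip": ip, "time": ts})
        else:
            # A success right after a failure burst is the strongest takeover signal.
            q = fails_by_user[user]
            if user in burst_users and q and ts - q[-1] <= window:
                alerts.append({"kind": "LIKELY_TAKEOVER", "user": user, "ip": ip, "time": ts})
            q.clear()
            burst_users.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(alert["kind"], alert["user"] or "-", alert["ip"], alert["time"].isoformat())
```

The thresholds and window are parameters because the right values depend on your user population; tune them against a week of real logs before wiring the alerts into an incident response process. Note that the spray rule keys on the source IP, so attackers rotating across many addresses will need an additional rule (for example, failure rate per target user across all IPs).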
Protecting your SaaS application: Best practices (Checklist)
The following table contains recommended actions across various components of your organization’s technical infrastructure.
| Component | Recommended actions |
| --- | --- |
| Employees | Promote good security practices |
| | Prevent sharing of user accounts between employees |
| | Implement encryption on assets allocated to employees |
| | Mandate the use of two-factor authentication |
| | Log and monitor computers assigned to employees |
| | Organize regular training sessions |
| Development | Incorporate security within your organization's software development lifecycle |
| | Perform secure code review regularly |
| | Adopt DevSecOps (Development, Security, and Operations) |
| | Integrate identity and access management solutions |
| | Ensure fault tolerance and scalability |
| | Record logs for user accounts |
| | Follow the principles of "privacy by design" and "privacy by default" |
| Security Testing | Perform regular vulnerability scans on your organization's technical infrastructure |
| | Execute internal and external penetration tests periodically |
| | Implement mitigation measures on priority and retest for validation |
| Application | Configure weekly scans on your SaaS application once it goes into production |
| | Use real-time protection services |
| | Add multi-factor authentication to your application |
| | Keep track of your application's dependencies and how it communicates with them |
| | Verify whether your application can support authentication filtering based on MAC/IP address |
| | Implement a firewall in front of your SaaS application to block unnecessary traffic |
| Infrastructure | Implement a backup policy for regular backups of organizational data |
| | Continuously monitor internal as well as exposed services |
| | Use encryption/cryptography mechanisms for your APIs and applications |
| Organizational | Promote a cohesive security culture with the help of top management support |
| | Be transparent about data collection |
| | Maintain an inventory of assets (systems, applications, portable devices, services, etc.) |
| | Draw a network map and update it regularly |
| | Implement an incident response plan |
| | Prioritize your security-related actions based on risk |
| | Comply with applicable legal requirements |
| | Support disaster recovery and business continuity |
| Application Users | Request that users enable 2FA on their accounts |
| | Enforce a password policy |
| | Continuously monitor user activities to identify suspicious behavior |
| Your SaaS provider/vendor | Check the specifications given in the SLA |
| | Verify the efficiency of the support services provided by the service provider |
| | Validate the compliance certifications obtained by the service provider |
| | Check whether data is encrypted during transmission |
| | Check whether your service provider stores PII |
| | Check whether your service provider's application is single- or multi-tenant |
We hope that you found this article useful. You can also have a look at ISO 27002:2013 for improving the security posture of your SaaS platform. While a checklist is an excellent starting point for addressing security concerns related to your SaaS platform, you must consider your business context and organizational requirements. Further, you can also consider getting in touch with service providers like BreachLock that can help you implement the best practices for your SaaS application.