Ninety-nine businesses out of 100 use at least one SaaS tool. This article deep dives into the intricacies of SaaS application security for vendors [tech companies developing Software as a Service products]. However this piece may be useful for most tech companies, since there is shared responsibility for the secure use of SaaS software products.
Slack, DropBox, and Gmail are all examples of SaaS tools regularly used for personal and corporate use. These solutions contain endless terabytes of sensitive financial data as well as other PII [personally identifiable information].
Some examples of SaaS security breaches include HubSpot, Microsoft, and Facebook. Let’s review a few to get a better picture of the scale of the challenges… and the consequences for not caring enough about application security in SaaS.
SaaS Apps Cyber Attacks and Security Breaches Examples
HubSpot’s employees were victims of a successful social engineering attack that resulted in a malicious player getting their hands on employees’ support email credentials. Using an employee’s access, the attacker downloaded personal data from a few targeted accounts. HubSpot’s timeline of the March 22 security event is as follows:
Fortunately, the attack was quickly identified and only a few select accounts in cryptocurrency were affected. The company hired an independent forensics company to investigate the incident and used its findings to strengthen application security.
Facebook’s breach involved the personal data of 530 million users. And even though the breach was discovered and addressed immediately, it still cost Facebook $5 billion in penalties paid to the Federal Trade Commission.
Okta learned the importance of securing privileged user access, robust multi-factor authorization (MFA) policy, and the significance of event monitoring after they experienced compromised access to a subcontractor’s computer via remote control. The damage was minimal due to the limited permission levels of support engineers. Their timeline of events is as follows:
These breaches each show that multi-layered security helps minimize the damage from malicious attacks and permit early detection. So even when a hacker successfully gets credentials and hacks the system, like in the Okta case, the role-based permission feature can prevent them from downloading lots of user data.
Let’s review the fundamentals of the security SaaS application.
What is SaaS Application Security?
SaaS application security refers to a set of activities, policies, and tools designed to protect, detect, and respond to external and internal threats to personal and corporate data while using subscription-based applications.
Both SaaS development companies and the companies that use them share responsibility for instilling levels of security for the app capable of ensuring early detection and resolution of major Open Web Application Security Project (OWASP) vulnerabilities.
Some of the common SaaS app security risks include:
- Phishing
- Account takeovers [ATO]
- Data access risk
- Lack of transparency
- Data theft
- Misconfigurations
- Regulatory compliance
- Privacy and data breaches
OWASP’s top 10 vulnerabilities in order of importance from the 2021 survey [most are applicable to SaaS products] are:
Key Components of Application Security: IAM, Data, VM, Network, & More
When discussing application security for SaaS, complexity on all levels is implied as the default setting. These apps are accessed by thousands of users with varying degrees of access and on different devices, with services hosted on private and public clouds and on-prem.
Such complex architecture suggests that security is also spread across the vendor and the corporate client. The key elements of the AppSec for SaaS products are:
- Identity and access management [IAM]
- Data protection
- Network control
- Perimeter network control
- Scalability and reliability
- VM management
- Governance and incidence management
SaaS Application Security Requirements
All parties that share responsibility for the SaaS app security focus on these four requirements:
Visibility [possibility to monitor what services are being used, what data flow in and out]
Control [knowing all the services, features, and roles embedded in the functionality due to visibility, security engineers can instill granular control over all apps and user permissions]
Data governance [knowing what kind of data are kept where and apply respective protection for its compliant storage and management]
Threat detection and prevention [instilling procedures that help to detect, prevent, and remedy any security threats]
These four key AppSec requirements are the foundation of a cloud access security broker [CASB]. CASB is the software between the cloud service users and the application that helps enforce multiple shared security parameters, like authentication, logging, or encryption.
SaaS Application Security Services
While the arsenal of action is abundant, let’s consider some of the key milestone measures to secure your app.
Application Security Assessments [SaaS]
During a SaaS application security assessment, engineers determine potential threats, identify sensitive data, map out attack surface, evaluate pain points in the existing security system, and design a roadmap of improvements.
Web Application Threat Modeling
A threat modeling exercise involves taking proactive steps to counteract potential threats before they emerge, based on knowledge of known vulnerabilities, OWASP recommendations, and industry best practices.
The process includes a team of SDLC major stakeholders to cover the entire scope of the potential threat landscape from every angle. The team will try to identify all potential risks for the application or service in question.
Such risks need to be ranked for severity and probability of occurrence. Then, a security engineering team needs to devise, implement, and document mitigation strategies.
SaaS Application Security Testing
Application security testing for Software as a Service products occurs at different stages of development. Static application security testing as well as unit and functional testing are usually run rather early in the Commit stage, while dynamic application security testing and security acceptance testing are performed at Build and Test stage. Penetration testing is done on the product launch into production.
Still, continuous automated testing is part of the ongoing lifecycle of any SaaS product, enabling smooth and frequent feature release.
Strengthening the Security of SaaS Application
These activities are fundamental to creating a SaaS solution that is secure on the network, service, server, cloud, VM environment, and middleware levels.
1. Adopt Secure Access Service Edge [SASE]
SASE is a cloud security architecture that fits the bill perfectly when it comes to ensuring SaaS apps’ protection.
SASE is based on several fundamental security concepts, like the principle of least privilege, zero trust network access [ZTNA], CASBs, and cloud security posture management [CSPM].
2. DevSecOps Every Step of the Way
DevSecOps best practices mandate that development, operations, and security teams work closely to release high quality code more frequently with less risks.
By conducting threat modeling exercises as early in the planning stage as possible, a DevSecOps team can build a software solution with automated tests that improve the code quality and reduce development costs and time.
Some of the AppSec activities recommended for any SaaS solution development include unit and functional tests, dependency management, infrastructure scanning and hardening, configuration checks, and continuous monitoring.
3. Educate Your Employees: Common Effort
Team security training may seem like a minor activity, but practice shows that even the most technically advanced employees can fall for a phishing attempt.
Dev.Pro conducts mandatory security training during the onboarding process, and all employees are tested at the end of their training.
We also do refresher security webinars throughout the year and some random testing to see if any of our employees will let their guard down when requested to change their Microsoft account password.
4. Enforce Two-Factor Authentication (2FA) in Your Company
Installing Google Authenticator on a mobile phone is a 5 minute job for each of your employees. But it can save your company hundreds of thousands in reputational losses and damages arising from a data leak.
Whatever method of MFA or 2FA your team uses, this double-protection is an effective security booster. According to Microsoft’s research, your account is 99.9% less likely to be compromised with MFA!
5. Ensure Role-Based Access Control [RBAC] Features
RBAC allows all employees to use SaaS products in their respective roles without bringing much harm to the entire corporate ecosystem.
A tiered level of access based on the role allows your company, for example, to secure sensitive data from unauthorized personnel, hide financials from people in operations, and only give access to PII to HR department and senior management. Similarly, admin and owner rights should be limited to experienced users only with a high level of understanding of the best practices of physical and cyber security measures.
Attribute based access control [ABAC] is another possibility that combines a number of factors to assign a specific level of access [user attributes, and environmental and resource attributes].
6. Educate Your Customers: [ATO Frauds Case in Focus]
If you have never heard of account takeover (ATO), the chances are you just don’t know the term itself. Statistically, account takeover is no rare thing, as 22% of American adults have been a victim of such fraudulent activities [24 million households]. Financial losses from this type of fraud grew by a massive 90% in 2021 and reached $11.4 billion.
When in SaaS business, you need to start working with your user base from the onboarding phase to increase the level of problem awareness.
You can educate your customers in many ways, from short videos on TikTok and polls on LinkedIn, to email marketing and webinars. SaaS application security testing procedure may also include some ATO scenarios.
7. Order Penetration Testing with a Reliable App Security Company
Penetration testing is a recommended security measure for a SaaS application before the launch. As your internal development and testing team may be too immersed in the product, they may have some blind spots to conduct impartial application security assessments for SaaS.
Ordering an outside vendor for the AppSec testing is the best course of action. Not only can an outside vendor cast a fresh glance at every element of your systems, but they will also be aware of the latest vulnerabilities.
Dev.Pro team is a software development partner that specializes in application development, so our security engineers can integrate security measures as early in the SDLC as needed.
8. Prioritize Compliance
ISO27001, SOC2, and PCI DSS legal frameworks and security standards provide a foundation for all the procedures in your organization and serve as a solid guideline for developing a strong carcass.
These frameworks are the minimum curriculum for your security team and help bring credibility to your application for investors and users. Needless to say, some payment gateway and financial providers have PCI DSS compliance as a requirement for partnership.
Select the Right Software Development Partner
If you cannot ensure high standards of AppSec with your inhouse team, you can outsource this vital part of your business to professional application security companies.
However, another vendor is another potential vulnerability, especially for matters as sensitive as monitoring the health of your software solution.
Dev.Pro nurtured its team of AppSec engineers by hiring them for the SaaS projects we helped develop. So we know AppSec in its only admissible form: as part of the DevSecOps. Let’s discuss how we can help secure your Software as a Service solution.