September 16, 2020

Cybersecurity checklist for SaaS applications

In the last few years, SaaS businesses have grown at a sky-high pace. Thanks to quick setup, scalability, easy upgrades, and low physical infrastructure requirements, SaaS products are becoming the first choice of businesses across the globe, irrespective of their size. BreachLock's offerings include a SaaS platform, and if you are a SaaS provider, we share the same security concerns as you. In this article, we discuss the challenges we face and the steps we take to deal with them.

Threats to your SaaS platform

Modern-day SaaS platforms are hosted in the cloud to minimize the cost of physical infrastructure. Before we address security concerns for your SaaS platform, it is crucial to understand the threats SaaS platforms face. In August 2019, the Cloud Security Alliance (CSA) published new research outlining the top threats to the cloud computing environment. Instead of focusing on the traditional research practices surrounding vulnerabilities and malware, CSA took a new approach by examining problems in authentication and configuration.
CSA termed this set of threats the "Egregious Eleven". In order of significance, they are:

1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access, and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. Metastructure and applistructure failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services

This outcome suggests that threats such as shared technology vulnerabilities, DoS/DDoS attacks, system vulnerabilities, and data loss are either no longer perceived as a significant business risk or are not being addressed well.

SaaS platforms and security risks

From our experience and from discussions with our clients, we have come to understand that, as a SaaS provider, an organization must have clarity on the risks it faces. The most prominent risks faced by a SaaS platform are given below:

Data theft: A SaaS platform can store the personal information of customers, financial/transaction details, intellectual property, and other sensitive information. Attackers often use targeted attacks to exfiltrate such data.

Identity theft: This concern arises from improper management of access and the lack of robust identity solutions.

Internal threats: An employee may have malicious intent to cause damage to an organization, or sheer negligence can lead to the sharing of user credentials.

Phishing: It is a well-known statistic in the cybersecurity community that more than 90% of cyber attacks involve some form of phishing.

Account takeover: A successful social engineering attack may allow a threat actor to compromise the credentials of an employee.

Zero-day threats: Zero-day threats are previously unknown to an organization, and there is no ready solution to prevent them.
Compliance/Audits: Many businesses do not comply adequately with laws and regulatory standards such as GDPR, HIPAA, PCI DSS, SOX, etc.

Weak service level agreements (SLAs): The lack of comprehensive SLAs makes it difficult for organizations to hold someone accountable.

Decentralized identity management: One employee in your organization will have different user accounts for various services, which makes identity management complex and challenging to secure.

Transparency: Not all service providers are transparent about the security practices they follow to ensure that your cloud environment is secure.

Protecting your SaaS application: Best practices (Checklist)

The following checklist contains recommended actions across the various components of your organization's technical infrastructure.

Component: Employees
- Promote good security practices
- Prevent the sharing of user accounts between employees
- Implement encryption on assets allocated to employees
- Mandate the use of two-factor authentication
- Log and monitor the computers assigned to employees
- Organize regular training sessions

Component: Development
- Incorporate security within your organization's software development lifecycle
- Perform secure code review regularly
- Adopt DevSecOps (Development, Security, and Operations)
- Integrate identity and access management solutions
- Ensure fault tolerance and scalability
- Record logs for user accounts
- Follow the principles of "privacy by design" and "privacy by default"

Component: Security Testing
- Perform regular vulnerability scans on your organization's technical infrastructure
- Execute internal and external penetration testing periodically
- Implement mitigation measures in order of priority and retest to validate them

Component: Application
- Configure weekly scans of your SaaS application once it goes into production
- Use real-time protection services
- Add multi-factor authentication to your application
- Keep track of your application's dependencies and how it communicates with them
- Verify whether your application can support authentication filtering based on MAC/IP address
- Implement a firewall in front of your SaaS application to block unnecessary traffic

Component: Infrastructure
- Implement a backup policy for regular backups of organizational data
- Continuously monitor internal as well as exposed services
- Use encryption/cryptography mechanisms for your APIs and applications

Component: Organizational
- Promote a cohesive security culture with the support of top management
- Be transparent about data collection
- Maintain an inventory of assets (systems, applications, portable devices, services, etc.)
- Draw a network map and update it regularly
- Implement an incident response plan
- Prioritize your security-related actions based on risk
- Comply with applicable legal requirements
- Support disaster recovery and business continuity

Component: Application Users
- Ask users to enable 2FA on their accounts
- Enforce a password policy
- Continuously monitor user activities to identify suspicious behavior

Component: Your SaaS provider/vendor
- Check the specifications given in the SLA
- Verify the efficiency of the support services provided by the service provider
- Validate the compliance certifications obtained by the service provider
- Check whether data is encrypted during transmission
- Check whether your service provider stores PII
- Check whether your service provider's application is single-tenant or multi-tenant

We hope that you found this article useful. You can also have a look at ISO 27002:2013 for improving the security posture of your SaaS platform. While a checklist is an excellent starting point for addressing security concerns related to your SaaS platform, you must also consider your business context and organizational requirements. Further, you can consider getting in touch with service providers like BreachLock that can help you implement the best practices for your SaaS application.