All

SAAS DEVELOPMENT: SECURITY RISKS AND PRACTICES

85 billion dollars. That’s how much revenue SaaS products provided to the biggest enterprises like Salesforce, Microsoft and others in 2019. By 2021 the predictions are that this number will rise almost twice. There is a great chance you’ll hear children asking in the near future “Uncle Jack, can you help me create a SaaS project for my home assignment?” because it will be everywhere (yes, we await the generation alpha to be very technologically literate).
 

Users love SaaS because it is available on every platform: smartphone, notebook, notepads. To start using the product you don’t have to give away a big initial sum, just pay every month. Stop paying – stop using the app. Also, it allows integration with popular packages and apps. Companies love SaaS because it is relatively cheap to launch such a project. Also, it’s flexible, because most of the responsibility goes to third parties. So if you are not aware of how IT goes on, it doesn’t mean that you can forget about SaaS startups. However, the great popularity among users and companies increases the popularity of SaaS among hackers. They see the abundance of fish in the sea and prepare good bait. To fight this battle, prepare security considerations.

These are the three main cloud-computing service models. With them, you can deliver the servers, databases, networking, software, analytics, and intelligence by the Internet. It gives you and your users the advantage in time. If you have wifi – you can get the apps, which is contrary to the on-premise model. Here you will need to install the app on your computer and they will work without the Internet connection. What makes them vulnerable is hardware issues.
 

What’s better? Well, it’s a question of tastes. Some users think: “I by no means am ready to expose my data to the Internet! What if someone has access to it? What if someone shares it with third parties?”. Others develop the idea that: “It is better to store everything on the cloud because I can lose my information if my laptop breaks down or someone steals it. Also, there is a restriction in memory”. Can we say that cloud services are less safe than on-premise? We could 10 years ago. Today, there are so many security solutions that it’s a no brainer anymore. SaaS is convenient because you can access it anywhere and the data won’t disappear just as the cloud won’t. So, let’s get back to IaaS, PaaS, and SaaS.
 

• IaaS – Infrastructure as a Service
• PaaS – Platform as a Service
• SaaS – Software as a Structure

What makes them different is the level of access. To understand the difference you need to understand which elements of the stack vendor manages and which – end users. IaaS vendor manages networking, storage, servers, and virtualization. You get to work on the installation and support of your software. The main end-users of this platform are IT, administrators. When it comes to PasS, there is greater vendor control, including also O/S, Middleware and Runtime. You get access to operational systems, a tool for the development and testing process and the databases. The main end-users for this platform are software developers. SaaS vendors also provide the management of the data and the application itself. You need to only have the monthly payment approved and use the app. The main end-users of such models are regular people. As soon as all most of the SaaS control is at the hands of vendors, it is vulnerable to attacks in case the vendor itself is unreliable.

Fishing is one of the most spread and most elaborate ways of stealing data. Fishing websites are disguised as the original websites. Those can be copies of your bank website, healthcare data center, or eCommerce shop. Fishing aims to either obtain your data or your money. Or both. Fishing is so popular among hackers that there are even different types of it. Whaling is when hackers attack top executives of the companies. The watering hole includes hiding malware on thematic websites. For example, if they want to break the banking system, they will hide the malware on the pages with financial news. The main issue is that those who use your SaaS product cannot identify fishing attacks and clone websites. It disrupts the trust in your brand.
 

Weak Cloud Services. Data Breach and Data Leak – the main cloud security concerns. There may also occur in insecure API and misconfigured cloud storage. Because SaaS products are largely dependent on the quality of cloud service, it may become an issue if the provider is unreliable. In the picture below you will see the level of dependence of IaaS, PaaS, and SaaS on the cloud.

Third-Party Disclosure. Security issues are only a part of the problems SaaS has. It is good if you can notice the attacks and eliminate or prevent them. Often, though, the owners of the products do not see the leak until the third party states it exists. Those informers can be users, researchers, media or even hackers themselves.
 

Incomplete Data Deletion is when the owners of the product or platform promise they delete all the data about the customers after some time passes and they end using it. However, it doesn’t happen. Later, if the leak occurs, it will make your ex-users question your reliability. If you do want to retain data of your customers, be sure to create an understandable and achievable data retention policy.
 

Account takeover attacks. Here the hackers use bots to find out the logins and passwords of the users. The simpler and less sophisticated the password is, the faster the process of breaking into the account. Often, hackers do not do anything on the account but use the password to hack other platforms and apps. They know, people rarely change it and not often have different passwords for different accounts. This also decreases the trust in your product if such events occur.

Secure Product Engineering. Security vulnerability often occurs not because of how clever the hackers are but because of how badly structured the app is. Fast often means ill-conceived. It’s like when you are trying to cook an elaborate dinner in 30 minutes. The chance is you will be hungry or just having a plain salad. Complex projects (and dishes) require time. Much of this time you will have to dedicate to implementing security right on the level of engineering an app. The users’ safety must be your motto during all stages of development: architecture creating, design and coding. It means that you create a part of your project, then revise if it’s safe. Later, if any issues emerge it will be easier to find out the source of leakage.
 

End-To-End Encryption makes the transition of data (messages, photos, documents, and personal information) secure. Only the sender and recipient can have access to it. E2EE is most known for its usage in messengers. There is one public encrypted key in the chat. If the keys from both sides of the conversation are the same, it means nobody else is spying. SaaS can adopt E2EE to obtain personal data of the users and minimize risks of losing it to third parties (payment information, social media references)

SAML. It stands for Security Assertion Markup Language and regulates the relationships between users, service providers, and identity providers. Be sure your SaaS is compatible with it. This language contains an authentication protocol which enables to store user’s identities into secure applications. What does it mean? Your employees have access to your company’s platform/website/Gmail.  This will enable them to use SaaS products without the need to have separate authorization. SAML redirects replace the “one-password-for-everything” practice because there are no passwords needed. You use your existing account on a trusted platform just like you use your face/fingerprint to sign in to your smartphone.
 

Data Deletion Policy. First, ensure data collection is clear. Gather only the information you state in your “Terms of Use”. Also, ensure you have a data deletion policy, meaning you remove all the info about your customers after they stopped using your app. It shows that you care about your customers’ security. Often, when the info leaks, it may even concern 15-year-old data. For example, 250 million customer service records dated back to 2005, were stolen from Microsoft this year.
 

Get compliance certifications. To make sure your providers transfer all the data with secure practice there is a need to audit them. That’s what PCI DSS for. It is a security standard that decides what’s okay in sharing and storing data and what’s not okay. It even has specific requirements that control security management, procedures, policies, software design, network architecture. All of it influences how safe your product is.

Vulnerability testing. It is always better to prevent the data leak than solve the consequences. If you make security testing your tradition, the possibility of malicious activities will be lower. Also, many tools automatically check the security level of your product. These are Acunetix, Netsparker, Detectify, and ImmuniWeb. Big enterprises test their products by paying hackers if they succeed in breaking into the system. 
 

Enlarge user’s awareness. Unfortunately, most account takeover and fishing attacks happen because your customers do not know how to protect themselves. They choose one password for every account they have. They include the date of their birth in it and they keep it short and simple. Users often do not know how to recognize clone-websites. This way, informing your users about ways of increasing Internet safety makes a difference. Encourage them to use multi-factor authentication, enforce a password policy, and show if it’s not safe. Also, constantly monitor suspicious activities.