Security “Gotchas” in SaaS Production Applications
SaaS providers face information security risk from every direction: from their application code to their software development tools to their networks to their employees.
One of the areas where that risk is most likely to materialize is a data breach or other security incident affecting the hosted product or service that SaaS customers consume.
SaaS security expert Ryan Buckley noted on a recent episode of The Virtual CISO Podcast that many SaaS providers have overlooked significant security vulnerabilities in their production applications.
“It’s all over the map, and that’s why it’s so important to do good upfront diligence when you’re a consumer of software, whether it’s on-prem or in the cloud,” advises Ryan. “Kicking the tires of the vendor to understand how they develop is really, really important.”
“It’s very important when you are a software company that not only do you apply security fundamentals like vulnerability scanning and penetration testing to your operating environment — your infrastructure, your servers, etc. — but also you’ve got to apply that same rigor to the products you’re building,” Ryan stresses. “It’s not cool to just create a software product that you think is terrific and is going to help people without examining and fixing the security issues along the way throughout the development process.”
Ryan explains: “When I say ‘product security,’ that can mean a number of different things. In this context, it’s having a game plan to do security scanning at the code level (and I’m talking about tools like Veracode or Fortify or IBM AppScan) and using those tools to assess your code. And then, even if it’s on-prem software, stand up an instance of the stuff and do a vulnerability scan on it to see what you see without any network level security defenses there. It’s easy to do. There’s really no reason software companies shouldn’t be doing that.”
But as Ryan notes, many are not: “I see an alarming pattern, where a software company or a SaaS company will have very, very good infrastructure security. They’ll do their vulnerability scans and pen tests and remediation work. But they really do need to apply all of that rigor to their own products as well.”
Ryan continues: “When you scan something on your network and you find a vulnerability, usually your IT guys are patching that real quick. … The same thing needs to be done for your software. You’ve got to routinely scan the products you’re selling. And as a customer, you need to be asking your software vendors, ‘What is your testing comprised of?’”
“And when they find a vulnerability, what’s the model they use to prioritize delivery of fixes? If they find something real bad, how long is it going to be before they deliver a patch? Is the customer going to be asked to wait for the next major release? When’s that going to be? Sixty days? One hundred and twenty days?” adds Ryan.
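The “model to prioritize delivery of fixes” that Ryan asks vendors about can be written down as a simple policy and checked mechanically. The script below is an added example for this post, not code from Ryan Buckley, the podcast or any vendor: it assumes a hypothetical severity-to-deadline policy (the day counts are illustrative, not a recommendation from the episode) and runs it over a constructed list of scanner findings to produce a fix-priority queue and a report of what was delivered inside the window, what was late, and what is still open and overdue.

```python
"""Remediation-SLA tracker for product-security findings (added example).

Assumptions (not from the page): the SLA_DAYS policy below is hypothetical,
and SAMPLE_FINDINGS is constructed data standing in for exported scanner results.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical policy: maximum days between discovery and delivery of a fix, by
# severity. The point of the policy is that critical and high issues ship as an
# out-of-band patch rather than waiting for the next major release.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 120}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    discovered: date
    fixed: Optional[date] = None  # date the fix was delivered to customers, if any


def due_date(f: Finding) -> date:
    """Latest acceptable delivery date for a fix under the policy."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity.lower()])


def is_overdue(f: Finding, today: date) -> bool:
    """True if the fix missed (or, for open findings, has already missed) its deadline."""
    deadline = due_date(f)
    return f.fixed > deadline if f.fixed is not None else today > deadline


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings ordered for the next patch cycle: highest severity first,
    and within a severity the earliest deadline first."""
    rank = {sev: i for i, sev in enumerate(SLA_DAYS)}  # critical=0 ... low=3
    open_findings = [f for f in findings if f.fixed is None]
    return sorted(open_findings, key=lambda f: (rank[f.severity.lower()], due_date(f)))


def sla_report(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-severity counts: still open, open and past deadline, fixed in SLA, fixed late."""
    report = {sev: {"open": 0, "overdue": 0, "fixed_in_sla": 0, "fixed_late": 0}
              for sev in SLA_DAYS}
    for f in findings:
        bucket = report[f.severity.lower()]
        if f.fixed is None:
            bucket["open"] += 1
            if is_overdue(f, today):
                bucket["overdue"] += 1
        elif f.fixed <= due_date(f):
            bucket["fixed_in_sla"] += 1
        else:
            bucket["fixed_late"] += 1
    return report


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("APP-101", "critical", date(2021, 3, 1)),                          # open, past 7-day window
    Finding("APP-102", "high", date(2021, 2, 10), fixed=date(2021, 3, 5)),      # fixed inside 30 days
    Finding("APP-103", "medium", date(2021, 1, 5)),                            # open, due 2021-03-06
    Finding("APP-104", "low", date(2021, 3, 10)),                              # open, due 2021-07-08
    Finding("APP-105", "high", date(2021, 1, 1), fixed=date(2021, 2, 15)),      # fixed 15 days late
]
TODAY = date(2021, 3, 15)  # constructed "as of" date for the report

if __name__ == "__main__":
    print("Fix queue for next patch cycle:")
    for f in prioritize(SAMPLE_FINDINGS, TODAY):
        flag = "OVERDUE" if is_overdue(f, TODAY) else "due " + due_date(f).isoformat()
        print(f"  {f.finding_id:8} {f.severity:9} {flag}")
    print("SLA report:", sla_report(SAMPLE_FINDINGS, TODAY))
```

Run as a script it prints the queue and the report; the same functions can be fed a real export from whichever scanner the vendor uses once the findings are mapped onto the `Finding` shape. The useful customer-facing numbers are the `fixed_late` and `overdue` counts: they answer Ryan’s “how long before they deliver a patch?” with data rather than a promise.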
“So as a customer and as the SaaS company, it’s very, very important to think about the security of the actual product and apply the same level of vulnerability management energy and procedure and tooling to your products themselves,” Ryan reiterates. “And I’m ranting, but it’s an important topic.”
Likewise, businesses need to be aware of and alert to these SaaS security issues. As Ryan says, “Challenge even a software company you think is a real prominent one about the software quality and the security of it.”
If you produce or consume SaaS, don’t miss this podcast with Ryan Buckley.
To listen to the show all the way through, and also get access to all our other cybersecurity podcast episodes, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.