Software-as-a-Service (SaaS) providers need to be alert to a uniquely broad and complex range of information security risks impacting every business area, from their hosted production environments to their application code to their project management tools to their networks to their people.
As a SaaS consumer, how can you assess a SaaS firm’s security and the vendor risk they present? What cybersecurity attestations, certificates and/or credentials should you be asking for?
On a recent episode of The Virtual CISO Podcast, host John Verry asked that question of our guest Ryan Buckley, a long-time SaaS security consultant and software security expert: “So let’s say Pivot Point is about to go out and license a SaaS, and we’re going to put what we call ‘client confidential’ information in there. If I came to you and asked, ‘Hey, I’ve got Company A and Company B, they offer virtually identical products. Company A says they have an ISO 27001 certificate or a SOC 2 Type 2 report, but I didn’t get a warm and fuzzy about what security tests they do in the application. [Whereas] Company B has an OWASP ASVS Level 2 assessment done that looks fantastic, but they don’t have a SOC 2 report or an ISO certificate. Which way would you lean?”
“If you’re a smart customer, you want both,” Ryan replies. “You want to see these SaaS companies in possession of a SOC 2 Type 2 or an ISO 27001 certificate. But if you’re not able to achieve a confidence level via that alone, you can ask these companies openly what software excellence communities or authorities they follow.”
“There’s the whole OWASP approach,” continues Ryan. “There’s also the BSIMM community. You don’t need to corner your software vendor or your SaaS provider into answering whether or not they are compliant with either of those, BSIMM or OWASP. But invite them to talk about what best practices they do follow. And if they’re a deer in the headlights and they don’t know what you’re talking about, just throw out BSIMM or OWASP and ask, ‘Do you guys use any of these schools of thought, these frameworks, to get your products more secure than they would be otherwise?’”
A big component of software product security, of course, is the security verification and testing methodology (or lack thereof) being used.
Ryan clarifies: “One of the unfortunate, but normal and natural aspects of a hot, young company is that the quality and security of the software depends on the talent of the people coding.”
“It’s great that every company is young once and every company is without procedures and consistency. But at some point in your growth as a software company, you do need a secure software development lifecycle (SDLC) that establishes a methodology for the developers and the DevOps people, if you have them (or maybe the same guy is wearing both of those hats) where there are rules established on how to quality-check your code,” Ryan adds. “At what stages do you need a peer review by another developer? At what stage do you need to run a code security scan? Under what circumstances can you promote code up the tree or promote something to production?”
“We don’t want single people doing any of those above-average risk type maneuvers, like writing a key piece of code and putting it in a product without getting the approval of a peer and a supervisor,” asserts Ryan. “What I’m talking about is having a documented company policy or team level procedures — some rules of the road. A development methodology and establishing the bumpers on the bowling lane for the developers to stay within. And they need to understand the rights and wrongs of software development.”
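The “rules of the road” Ryan describes (peer review by someone other than the author, a supervisor sign-off before production, and a code security scan that actually covers the commit being promoted) are easiest to keep honest when they are enforced by a merge or deployment gate rather than by memory. The following is an added illustration written for this article; it is not tooling from the podcast, Pivot Point, or any vendor mentioned. The role names (“developer”, “supervisor”), the environment names, the per-environment thresholds in `GATES`, and the change records are all assumptions constructed for the example.

```python
"""Promotion-gate check for a secure SDLC (illustrative, added for this article).

Encodes three rules as data rather than tribal knowledge:
  1. at least N peer approvals from people other than the author,
  2. a supervisor approval before promotion to production,
  3. a security scan with no open high findings that ran on the exact commit
     being promoted (a scan of an older commit does not count).
All names, roles and thresholds below are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Approval:
    user: str
    role: str  # assumed role names: "developer" or "supervisor"


@dataclass(frozen=True)
class ScanResult:
    commit: str         # commit the scanner actually ran against
    high_findings: int  # open high-severity findings at that commit


@dataclass
class ChangeRequest:
    author: str
    head_commit: str
    target: str  # assumed environment names: "staging" or "production"
    approvals: List[Approval] = field(default_factory=list)
    scan: Optional[ScanResult] = None


# Per-environment gates (assumed thresholds). Adding an environment or raising
# a threshold is a one-line policy change, not a code change.
GATES = {
    "staging":    {"peer_reviews": 1, "supervisor": False},
    "production": {"peer_reviews": 1, "supervisor": True},
}


def missing_gates(cr: ChangeRequest) -> List[str]:
    """Return the list of unmet gates; an empty list means promotion may proceed."""
    policy = GATES[cr.target]
    problems: List[str] = []

    # Nobody approves their own change: self-approvals are simply discarded.
    others = [a for a in cr.approvals if a.user != cr.author]
    supervisors = {a.user for a in others if a.role == "supervisor"}
    # A peer reviewer and the supervisor must be different people, so a user
    # already counted as the supervisor cannot also be counted as the peer.
    peers = {a.user for a in others if a.role == "developer"} - supervisors

    if len(peers) < policy["peer_reviews"]:
        problems.append(
            f"needs {policy['peer_reviews']} peer review(s) from someone other than the author"
        )
    if policy["supervisor"] and not supervisors:
        problems.append(f"needs supervisor approval for promotion to {cr.target}")

    # Every promotion needs a scan, and the scan must match the head commit;
    # otherwise a commit pushed after the scan would ride into production unscanned.
    if cr.scan is None:
        problems.append("no security scan on record")
    elif cr.scan.commit != cr.head_commit:
        problems.append(
            f"security scan is stale: ran on {cr.scan.commit} but head is {cr.head_commit}"
        )
    elif cr.scan.high_findings:
        problems.append(
            f"security scan has {cr.scan.high_findings} open high-severity finding(s)"
        )
    return problems


def may_promote(cr: ChangeRequest) -> bool:
    return not missing_gates(cr)


# Constructed sample change records (not real commits or people).
SCAN_OK = ScanResult(commit="c0ffee1", high_findings=0)

# One developer trying to push their own change to production, self-approved.
SOLO_PUSH = ChangeRequest(
    author="alice", head_commit="c0ffee1", target="production",
    approvals=[Approval("alice", "developer")], scan=SCAN_OK,
)
# Same change after a peer and a supervisor signed off.
REVIEWED = ChangeRequest(
    author="alice", head_commit="c0ffee1", target="production",
    approvals=[Approval("alice", "developer"), Approval("bob", "developer"),
               Approval("carol", "supervisor")],
    scan=SCAN_OK,
)
# Fully approved, but a new commit landed after the scan ran.
STALE_SCAN = ChangeRequest(
    author="alice", head_commit="c0ffee2", target="production",
    approvals=[Approval("bob", "developer"), Approval("carol", "supervisor")],
    scan=SCAN_OK,
)

if __name__ == "__main__":
    for name, cr in [("solo push", SOLO_PUSH), ("reviewed", REVIEWED), ("stale scan", STALE_SCAN)]:
        print(f"{name}: {'ALLOW' if may_promote(cr) else 'BLOCK'} {missing_gates(cr)}")
```

The useful property of this shape is that the output is a list of concrete reasons rather than a bare yes/no, so a blocked developer sees exactly which gate is unmet, and an auditor reviewing a SOC 2 or ISO 27001 change-management control can read the same list as evidence of why each promotion was allowed.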
If you are concerned with SaaS security (or software security in general) on any level, don’t miss this podcast with Ryan Buckley.
To hear the complete show, and also get your ears on our growing range of tell-it-like-it-is information security podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.