Where SaaS Firms Stumble on Cybersecurity
Whether the provider is in a startup mode or a well-established leader, cybersecurity is a challenge in the world of software as a service (SaaS). Companies often presume their SaaS environment is secure because it’s hosted on a robust public cloud platform like AWS or Microsoft Azure.
But is that really true? How good is security in the SaaS industry… really?
To get an insider’s perspective on where SaaS providers do and don’t measure up on security, we invited Ryan Buckley to join a recent episode of The Virtual CISO Podcast. Ryan has been the application security lead for a SaaS offering of note, and has been advising SaaS firms on information security for a number of years.
Ryan acknowledges that he sees many SaaS companies making similar security mistakes. Often it comes down to priorities.
“A lot of companies that are mature and have had software, hosted and on-prem solutions, out for some time are still not mature in certain aspects of how they make their software,” notes Ryan. “And then we’ve experienced, in our role at Pivot Point, interfacing with younger companies who have very good security when it comes to their production environments and even the development environment from an infrastructure management perspective.”
“But when it comes to the tools — the essential tools needed to make software, your actual development environments that people are coding in, your task management systems — I have found that there’s an alarming level of people who are not as effective as they should be in protecting those applications,” Ryan emphasizes.
“Are companies doing a good job in securing their development and production environments? Yes, for the most part, I think so,” Ryan adds. “But I limit that response to security of the infrastructure and network and not necessarily the applications they use to develop or plan their development. Some companies are very secure, but some just have a lot of room to mature.”
One of the biggest security blind spots is SaaS vendors’ code repositories (aka “repos”), which are managed in applications such as GitHub. Basic security issues include weak access controls, too many people with too much access, and inadequate logging.
“The most important thing to a software company outside of its revenue is its code,” Ryan asserts. “And too often, the security of those code repositories is just not adequate. If someone screws something up, it doesn’t matter if it’s accidentally or maliciously, you can’t find your way back.”
If SaaS companies don’t prioritize protecting their code base, they can’t assure customers or other stakeholders that their application won’t be compromised. Revenue, reputation and intellectual property are all on the line.
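The repository weaknesses described above (weak access controls, too many people with too much access, unprotected history) can be checked mechanically. The following is an added example, not code from the podcast or from Pivot Point; it is a small audit that runs offline against constructed data shaped like the GitHub REST API responses for `GET /repos/{owner}/{repo}/collaborators` (optionally with `?affiliation=outside`) and `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The sample collaborators, the outside-collaborator set, the protection settings and the `max_admins=2` threshold are all assumptions chosen for illustration.

```python
"""Audit a GitHub repository's access controls and branch protection.

Added example, not code from the podcast or from Pivot Point. The constants
below are constructed sample data in the shape of GitHub REST API responses;
to audit a real repository, replace them with the JSON those endpoints return.
"""

# Constructed sample: every collaborator and the permission flags GitHub reports
# for them. "admin" grants full control of the repo, "push" grants write access.
SAMPLE_COLLABORATORS = [
    {"login": "alice", "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "bob", "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "carol", "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "dave", "permissions": {"admin": False, "push": True, "pull": True}},
    {"login": "contractor-x", "permissions": {"admin": False, "push": True, "pull": True}},
    {"login": "intern-y", "permissions": {"admin": False, "push": False, "pull": True}},
]

# Constructed sample: logins the same endpoint returns with ?affiliation=outside,
# i.e. people who are not members of the organization.
SAMPLE_OUTSIDE_COLLABORATORS = {"contractor-x", "intern-y"}

# Constructed sample: protection rule for the default branch. None models the
# 404 GitHub returns when the branch has no protection rule at all.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}


def audit_access(collaborators, outside_logins, max_admins=2):
    """Flag over-broad access: too many admins, and outside users who can write.

    max_admins is an assumed policy threshold, not a GitHub setting.
    """
    findings = []
    admins = [c["login"] for c in collaborators if c["permissions"].get("admin")]
    if len(admins) > max_admins:
        findings.append(
            f"TOO_MANY_ADMINS: {len(admins)} admins ({', '.join(admins)}), limit {max_admins}"
        )
    for c in collaborators:
        perms = c["permissions"]
        if c["login"] in outside_logins and (perms.get("push") or perms.get("admin")):
            findings.append(f"OUTSIDE_WRITE: outside collaborator {c['login']} has write access")
    return findings


def audit_branch_protection(protection):
    """Flag a default branch whose history can change without review or be rewritten."""
    if protection is None:
        return ["NO_BRANCH_PROTECTION: default branch has no protection rule"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("NO_REQUIRED_REVIEW: changes can merge without an approving review")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("ADMINS_BYPASS: administrators can bypass the protection rule")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("FORCE_PUSH_ALLOWED: history on the default branch can be rewritten")
    return findings


def audit_repo(collaborators, outside_logins, protection, max_admins=2):
    """Combine both audits into one ordered list of CODE: description strings."""
    return audit_access(collaborators, outside_logins, max_admins) + audit_branch_protection(protection)


def finding_codes(findings):
    """Return just the machine-readable codes, e.g. for alerting or a CI gate."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    for line in audit_repo(SAMPLE_COLLABORATORS, SAMPLE_OUTSIDE_COLLABORATORS, SAMPLE_PROTECTION):
        print(line)
```

Run as-is, the script reports three admins against a limit of two, an outside collaborator with write access, and a default branch that accepts unreviewed merges, admin bypass and force pushes. The third issue Ryan names, inadequate logging, is not visible in repository settings at all; whether pushes, permission changes and branch-protection edits are being recorded and retained has to be confirmed separately in the organization's audit log.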
If you have anything to do with SaaS security, whether as a provider or a customer, you’ll find this podcast with Ryan Buckley extremely valuable.
To check out the full episode, as well as our wide selection of top-shelf information security podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.